Download IPFire 2.27 – Core Update 166

Spread the love

IPFire is an open source firewall for i586, x86_64, and ARM systems. It includes an intrusion detection/prevention system, divides the network into zones, does stateful packet inspection and offers VPN capabilities. For more information, please refer to this page† The developers released versions 2.27 Core Update 165 and Update 166 for production systems in quick succession. The corresponding announcements look like this:

IPFire 2.27 – Core Update 166 released

This is the release announcement for IPFire 2.27 – Core Update 166. It fixes the recently introduced backup issue and patches a security vulnerability in zlib.

zlib memory corruption on DEFLATE

CVE-2018-25032 has been assigned to an issue that allowed an attacker with some chosen content to crash the compressor. We do not believe that this is exploitable in IPFire.

IPFire 2.27 – Core Update 165 released

Firewall Updates

The firewall engine has received various improvements for better performance, faster ruleset reloads, and easier code for developers:

  • The backend for the Location Filter, dropping traffic from hostile network, and more is now using ipset which is built into the Linux kernel instead the formerly used external kernel module called xt_geoip. This is important work which will allow us integrating new firewall features easier.
  • The Location Filter has been tuned so that it will load its rulesets faster and will consume less memory; this will improve any lookups and use less CPU resources and cause less level 2 cache congestion.
  • The P2P filter has been removed because it is outdated technology. Most of the P2P networks that were supported don’t exist for a long time and those which do can easily work around this type of filtering. We recommend using the IPS for filtering this if you still need to.

Updated Toolchain

The toolchain – all programs that are required to build IPFire and the most basic system libraries – has been updated and is based on glibc 2.35, binutils 2.37 and GCC 11.1.0.

On x86, we now support Intel Control-flow Enforcement Technology (CET) which protects the C standard library with indirect branch tracking (IBT) and shadow stack (SHSTK). On aarch64, memory tag has been enabled on processors that support it (ARMv8.5 and higher).

IPFire has been rebased to Python 3.10.1. All packages that provide or use any Python modules are being updated and shipped again.

It is now possible to completely cross-compile IPFire on any architecture for any other architecture. This is done by compiling a native toolchain with a different target architecture which will then be emulated using QEMU in userland. This is slow, but helpful to build IPFire for new architectures; currently we are conducting experiments with RISC-V without having any hardware

misc.

  • A long-standing bug with broken cable modems has been fixed: Some providers have cable modems which return an unusually small MTU of only 576 bytes which will cause that IPFire will fragment every packet larger than this before it can be sent out on the RED interface . This can now properly changed in the setup tool and IPFire will accept any custom value. This used to break video conferences over UDP which could not re-assemble the fragmented video stream and which did not automatically fall back to TCP (#12563
  • Because of the growth of the operating system, the root partition of the flash image has been increased to 1800 MiB. This is the minimum to install the system and will be grown to the full size of the storage device on first boot.
  • IPsec: Due to a typo, Curve 25519 wasn’t selected as default
  • OpenVPN: Due to an error in timezone handling, the usage charts could be incorrect which has been fixed now.
  • Wireless Client: Support for WEP has been removed which didn’t work for a longer time.
  • OpenSSL has been updated to version 1.1.1n which fixes a denial-of-service attack filed under CVE-2022-0778
  • More updated packages: bash 5.1.16, bind 9.16.26, cURL 7.81.0, ethtool 5.16, expat 2.4.6, findutils 4.9.0, gdbm 1.23, glib 2.71.1, harfbuzz 3.3.2, iproute2 5.16.0, lcms2 2.13.1, libarchive 3.6.0, libcap 2.63, libgpg-error 1.44, libloc 0.9.10, libusb 1.0.25, libwww-perl 6.61, libxcrypt 4.428, lua 5.4.4, mdadm 4.2, OpenSSL 1.1.1n, p11 kit 0.24.1, pango 1.50.3, poppler 22.02.0, SDL2 2.0.20, SQLite 3.37.2, sudo 1.9.9, wpa_supplicant 2.10, Zstandard 1.5.2

Add-ons

  • New package:
    • gptfdisk – A CLI tool to partition hard drives with GPT
    • oci-cli – Command line tools for Oracle Cloud
  • Updated packages: borgbackup 1.1.17, CUPS 2.4.1, Git 2.35.1, hostapd 2.10, monit 5.31.0, nano 6.1, samba 4.15.5, stunnel 5.62, Tor 0.4.6.10
  • Proxy Accounting
    • This package has been renamed to proxy-accounting from squid-accounting
    • Alphanumerical postal codes are now accepted as being used in the UK, Australia, Canada, etc.

Version number 2.27 – Core Update 166
Release status Final
Operating systems Linux
Website IPFire
Download
License type Conditions (GNU/BSD/etc.)
You might also like