IPFire is an open-source firewall for i586, x86_64 and Arm systems. Among other things, it includes an intrusion detection/prevention system, divides the network into zones, performs stateful packet inspection and offers VPN capabilities. For more information we refer to this page. The developers have released version 2.29 Core Update 190, a stable release for production systems. The accompanying release notes read as follows:

The IPFire kernel has been rebased on Linux 6.6.63. This brings us the latest bunch of security and stability fixes from the Linux kernel maintainers and might be the last kernel that we are going to ship based on the 6.6.x kernel line.

We are starting the path to remove RSA from the IPFire web UI and SSH. On new installations, RSA keys won't be generated any more. On existing installations, this update removes the RSA key from the web UI, but we keep the RSA key for SSH to not break any monitoring tools, etc. We still believe that RSA is strong enough to be used in today's world, but since there is sufficient browser and SSH client support for Elliptic Curve Cryptography which is considered to be much stronger, we want to raise the bar for any potential future attacks on RSA.

IPFire is also now using post-quantum cryptography for SSH key exchanges: Streamlined NTRU Prime sntrup761 and X25519 with SHA-512 (sntrup761x25519-sha512) and Module-Lattice-based Key-Encapsulation Mechanism (ML-KEM, mlkem768x25519-sha256) have been enabled.
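The two notes above describe a state an administrator may want to verify on an upgraded box: no RSA host key left in the SSH configuration and the two hybrid post-quantum key exchanges on offer. The script below is an added example, not IPFire's own code; it audits an sshd_config text for exactly those two points. The two configuration samples and their file paths are constructed for illustration; the only real identifiers are the OpenSSH algorithm names, which are the ones the release notes quote.

```python
"""Audit an sshd_config for two properties: the RSA host key is gone and the
hybrid post-quantum key exchanges are enabled. Sample configs are constructed."""
import re

# Hybrid post-quantum KEX names as OpenSSH spells them (both named in the release notes).
PQ_HYBRID_KEX = {"sntrup761x25519-sha512", "mlkem768x25519-sha256"}

# Constructed sample: an older installation that still ships an RSA host key
# and leaves KexAlgorithms at the daemon default.
LEGACY_SSHD_CONFIG = """\
Port 222
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# KexAlgorithms left at the daemon default
"""

# Constructed sample: RSA host key removed, PQ hybrids listed first.
HARDENED_SSHD_CONFIG = """\
Port 222
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
KexAlgorithms sntrup761x25519-sha512,mlkem768x25519-sha256,curve25519-sha256
"""


def parse_sshd_config(text):
    """Return {keyword_lower: [value, ...]} for every directive in the file.
    sshd honours only the first occurrence of most keywords but accumulates
    HostKey lines, so every occurrence is kept and callers pick what they need."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Keyword value" or "Keyword=value"
        if len(parts) != 2:
            continue
        directives.setdefault(parts[0].lower(), []).append(parts[1].strip())
    return directives


def host_key_types(directives):
    """Infer the key family from the conventional file name ssh_host_<type>_key
    (the naming used in the constructed samples above)."""
    types = []
    for path in directives.get("hostkey", []):
        m = re.search(r"ssh_host_([a-z0-9]+)_key$", path)
        types.append(m.group(1) if m else "unknown")
    return types


def audit_sshd_config(text):
    """Summarise the RSA-host-key and PQ-KEX status of one sshd_config text."""
    d = parse_sshd_config(text)
    kex_line = d.get("kexalgorithms", [""])[0]
    # OpenSSH allows a leading +, - or ^ to append to, remove from or prepend
    # to the default list; strip it so the names themselves can be inspected.
    kex = [k for k in kex_line.lstrip("+-^").split(",") if k]
    types = host_key_types(d)
    return {
        "host_key_types": types,
        "rsa_host_key": "rsa" in types,
        "kex_explicit": bool(kex),          # False means the daemon default applies
        "pq_hybrid_kex": sorted(PQ_HYBRID_KEX.intersection(kex)),
        "pq_first": bool(kex) and kex[0] in PQ_HYBRID_KEX,
    }


if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg))
```

When `kex_explicit` comes back `False` the file says nothing about key exchange and the daemon's built-in default decides; in that case `sshd -T` prints the effective configuration and is the authoritative place to look for the two hybrid names.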

The RED interface can now be configured to no longer require the RFC4039 Rapid Commit option. This is a default option in almost all DHCP clients for over 20 years, but we have recently observed ISPs running broken DHCP servers which no longer work if this option is enabled. It can now be enabled or disabled using the setup command.
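When an ISP's DHCP server misbehaves as described above, the quickest way to confirm what the client actually sent is to look at the options field of its DISCOVER. The following is an added example, not IPFire or dhcpcd code: a small DHCPv4 options parser that reports the message type and whether the Rapid Commit option (code 80, defined by RFC 4039 as a zero-length option) is present. The packets it inspects are constructed byte strings, not captured traffic; the parser itself is general and handles padding, the end marker and truncated options.

```python
"""Parse a DHCPv4 options field and report whether the client requested
Rapid Commit (RFC 4039, option code 80). Packets here are constructed."""

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # starts the options field, after the fixed 236-byte header
OPT_PAD, OPT_END = 0, 255
OPT_MSG_TYPE = 53
OPT_PARAM_REQUEST = 55
OPT_RAPID_COMMIT = 80                # RFC 4039: zero-length option in DISCOVER and ACK
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp_options(payload):
    """Return {code: value_bytes} for a DHCPv4 options field.
    Raises ValueError if the magic cookie is missing or an option is truncated."""
    if not payload.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    options, i = {}, len(MAGIC_COOKIE)
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:          # single-byte end marker
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        options[code] = value        # a zero-length option is stored as b""
        i += 2 + length
    return options


def describe(payload):
    """Message type and Rapid Commit presence for one options field."""
    opts = parse_dhcp_options(payload)
    type_code = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    return {
        "type": MSG_TYPES.get(type_code, "unknown"),
        "rapid_commit": OPT_RAPID_COMMIT in opts,
    }


def build_discover(rapid_commit):
    """Constructed options field for a DISCOVER, with or without option 80."""
    body = bytes([OPT_MSG_TYPE, 1, 1])                 # message type = DISCOVER
    body += bytes([OPT_PARAM_REQUEST, 3, 1, 3, 6])     # ask for subnet mask, router, DNS
    if rapid_commit:
        body += bytes([OPT_RAPID_COMMIT, 0])           # zero-length Rapid Commit
    body += bytes([OPT_PAD])                           # padding is legal anywhere
    return MAGIC_COOKIE + body + bytes([OPT_END])


if __name__ == "__main__":
    print("with rapid commit:   ", describe(build_discover(True)))
    print("without rapid commit:", describe(build_discover(False)))
```

A DISCOVER carrying option 80 asks the server to answer with an ACK directly instead of the four-message DISCOVER/OFFER/REQUEST/ACK exchange; a server that cannot cope with the option is what the release note describes, and seeing `rapid_commit: True` in the client's DISCOVER while the server stays silent is the pattern to look for before turning the option off.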

IPS: It is now possible to individually enable or disable scanning IPsec traffic. Before, IPsec traffic was always scanned when scanning the RED interface was enabled.

Formerly, firewall rules that use the new SYN Flood Protection feature were not flushed on changes. This has now been fixed.

A few smaller bugs have been fixed in the Unbound/DHCP-Leases bridge. Static leases could have accidentally been dropped from DNS and expired leases were sometimes still exported to DNS.

The boot process has been improved to show fewer warnings or informational messages. None of those were critical, but we would like to have a cleaner and less cluttered boot process.

IPsec can now handle pre-shared keys that contain a comma.

A bug that caused the OpenVPN connection settings page to fail to render when a roadwarrior connection was using static pools has been fixed.

On UEFI-enabled systems, the installer is now offering a serial console installation option.

Updated packages: APR 1.7.5, BIND 9.20.3, cURL 8.10.0, dhcpcd 10.1.0, intel-microcode 20241029, libhtp 0.5.49, libpng 1.6.44, liburcu 0.14.1, lmdb 0.9.33, logrotate 3.22.0, LVM2 2.03.26, monit 5.34.2, nettle 3.10, ninja 1.12.1, OpenSSH 9.9p1, PPP 2.5.1, protobuf 28.1, squid 6.12, suricata 7.0.8, texinfo 7.1.1, unbound 1.22.0

The CA certificate bundle has been updated and we have removed the malicious "e-commerce monitoring GmbH" entity.

The flash image was created using an ext4 file system without a journal, and the journal was only enabled under certain circumstances. To have better overall file system integrity on all systems, the journal will now be enabled by default on all new installations.