Software-update: IPFire 2.29 - Core Update 199

IPFire is een opensourcefirewall voor i586-, x86_64- en Arm-systemen. Het bevat onder andere een intrusion detection/prevention system, deelt het netwerk op in zones, doet stateful packet inspection en biedt vpn-mogelijkheden. Voor meer informatie verwijzen we naar deze pagina. De ontwikkelaars hebben versie 2.29 Core Update 199 uitgebracht en de changelog daarvan kan hieronder worden gevonden:

Support for WiFi 7 & 6

IPFire now supports WiFi 7 & WiFi 6 for Wireless Access Points. Although the hardware has been supported before, IPFire can now take advantage of the features that these new WiFi standards are bringing. The most notable features are:

• It is now possible to select the preferred WiFi mode, and IPFire will figure out the rest. 802.11be and 802.11ax are joining support for 802.11ac/agn. Channel bandwidths of up to 320 MHz will give you a bandwidth of over 5.7 Gbps for two spacial streams, or even a whopping 11.5 Gbps over four spacial streams. Over the air!
• IPFire will now automatically detect and enable any supported capabilities that the hardware supports. This used to be manually configurable as "HT Capabilities" and "VHT Capabilities". Whereas that used to be a tedious and difficult process, we can now take advantage of all features that your hardware supports for a much more stable and faster WiFi network.
• When using WPA2 or WPA1, IPFire will allow using SHA256 during authentication which will strengthen the handshake for clients that cannot use WPA3.
• By default, IPFire will enabled SSID Protection. If Management Frame Protection (802.11w) is being used, IPFire will automatically enable Beacon Protection and Operating Channel Validation.
• Multicast packets will be converted to unicast packets by default to make more airtime available if the network is mainly hosting modern, fast clients.
• Radar detection will be performed in the background if the hardware supports it.

The web UI has not changed much, but all the magic is happening inside of IPFire so that we can bring you maximum performance and low latency over your wireless network if you are using WiFi. All Lightning Wire Labs products will automatically enable these features.

Link-Local Discovery Protocol (LLDP) & Cisco Discovery Protocol (CDP)

IPFire is introducing native support for LLDP and CDPv2. This protocol allows the firewall to detect any networking devices that it is directly connected to and allows to identify to which switch ports the firewall is being connected. This is especially useful in larger networks and adds more discoverability to monitoring and mapping tools like Observium. The feature can be enabled and configured over the web UI under Services -> LLDP.

Updated Kernel

The IPFire kernel has been rebased on Linux 6.12.58. This provides various security and stability fixes. Some configuration changes for preemption debugging should yield significant performance improvements on many systems.

Intrusion Prevention System

• Suricata, the software that the IPFire IPS is based on, has been updated to version 8.0.2.
• The new reporting feature sometimes dropped some alerts when the internally used SQLite database has been busy. This problem has been fixed in release 0.5 of the suricata-reporter package.
• The IPS reports will now always be sent at 1 am. Some users have requested to have these reports available when they arrive early at their offices.

OpenVPN Roadwarrior

• In preparation for future OpenVPN releases, if a server is using any legacy ciphers, this will be highlighted to make users aware.
• It is now supported to push multiple DNS and WINS servers to clients.
• The server is now always running in multi home mode. This is required as the firewall usually has multiple interfaces and clients might connect from an internal network and configures the OpenVPN server to always respond with the same IP address that the client has connected to.
• A bug has been fixed which prevented the OpenVPN server from pushing the first custom route that should have been pushed to clients.
• The authenticator will try harder to encourage a client to perform OTP authentication if the client becomes confused during the authentication process.
• The ineffective auth-nocache directive has been removed from the client configuration files

Proxy

• A mitigation for CVE-2025-62168 has been applied to the proxy configuration
• A race condition where the URL Filter process could have been forcibly terminated when it was compiling the databases has been fixed

Web UI

• Firewall: A bug that prevented users from creating new location groups has been resolved
• Hardware Vulnerabilities: A better message is shown if a system does not support SMT
• Mail: Credentials with some special characters won't be mangled any more

Misc.

• The D-Bus daemon is now running by default in IPFire to prepare for some future developments.
• dracut has been replaced by dracut-ng, after the original project has been abandoned by RedHat
• dma: A tool to create local inboxes has been added
• The SSH cipher suite has been aligned with upstream and now prefers AES-GCM over AES-CTR.
• A race-condition where applied firewall rules could have been dropped when another firewall rule was already inserted has been fixed
• Updated packages: coreutils 9.8, c-ares 1.34.5 (CVE-2025-31498), cURL 8.17.0, BIND 9.20.16, boost 1.89.0, btrfs-progs 6.17.1, elfutils 0.194, expat 2.7.3 (CVE-2025-59375, CVE-2024-8176), fmt 12.1.0, FUSE 3.17.4, glib 2.86.0, harfbuzz 12.1.0, hwdata 0.400, iana-etc 20251030, iproute2 6.17.0, kbd 2.9.0, less 685, libarchive 3.8.2, libcap 2.77, libgpg-error 1.56, libxml2 2.15.1, LVM2 2.03.36, nasm 3.00, ninja 1.13.1, OpenLDAP 2.6.10, OpenSSH 10.2p1, OpenSSL 3.6.0, OpenVPN 2.6.16, PCRE2 10.47, p11-kit 0.25.10, pango 1.57.0, protobuf 33.0, Rust 1.85.0, strongSwan 6.0.3, SQLite 3.51.0, Suricata 8.0.2, suricata-reporter 0.5, sysvinit 3.14, udev 258, unbound 1.24.1, usbutils 019, util-linux 2.41.2, vim 9.1.1854, whois 5.6.5, xfsprogs 6.17.0
• Various code cleanups are being shipped with this update, too.

Add-ons

• arpwatch
  • This new add-on has received a bug fix for submitting the correct envelope sender for emails. Some mail servers had rejected those emails.
  • MAC addresses will always be shown as zero-padded
• ffmpeg has been updated to version 8.0
  • It is also linked to OpenSSL and lame again to allow streaming of external sources using HTTPS and mp3.
• Updated packages: ClamAV 1.5.1, dnsdist 2.0.1, fetchmail 6.5.7, ffmpeg 8.0, hostapd f747ae0, libmpdclient 2.23, mpd 0.24.5, mympd 22.1.1, nano 8.7, openvmtools 13.0.5, Samba 4.23.2, shairport-sync 4.3.7, Tor 0.4.8.19, tshark 4.6.1, zabbix_agentd 7.0.21 (LTS)