Hello,
we have made the next Core Update available for testing. It comes with various feature enhancements, improvements, and security and bug fixes.
Linux Kernel Update
This update contains a minor update of the Linux kernel IPFire uses, which is now based on Linux 3.14.57. Various device drivers for Intel network controllers and some other hardware have been improved.
IPsec Update
strongswan has been updated to version 5.3.3 and much work was done on the IPsec VPN stack. The changes include feature enhancements and bug fixes.
Support for multiple subnets per tunnel
It is now possible to configure more than one subnet per IPsec net-to-net connection. That makes configuration for more complex networks easier and also reduces overhead compared to maintaining a separate tunnel for each subnet.
Reject rules when a tunnel is not established
Formerly, packets that were supposed to be sent through an IPsec tunnel were routed normally and then silently dropped when the tunnel was not established. As a result, such packets could be sent out towards the Internet, and the connection was remembered in the connection tracking table. In rare cases this caused issues; for example, SIP telephones whose PBX was on the other end of an IPsec tunnel could no longer register properly.
Packets will now be rejected by the firewall if the IPsec tunnel is not established. This improves security, because traffic meant for the tunnel can no longer leave towards the Internet unencrypted, and it also eliminates the issue described above.
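The fail-closed pattern described above, expressed as iptables rules, as an added example that is not IPFire's own code: forward traffic for a remote subnet only when it matches an installed IPsec policy, and reject everything else for that subnet. It assumes iptables with the policy (xt_policy) match is available; the subnets are placeholders, and how IPFire itself installs its reject rules is not shown here.

```shell
#!/bin/sh
# Added example, not IPFire's own code: fail-closed forwarding rules for an
# IPsec net-to-net tunnel. Traffic for the remote subnet is forwarded only
# if it matches an installed IPsec policy (tunnel up); anything else for
# that subnet is rejected instead of being routed towards the Internet.
# Assumptions: iptables with the "policy" (xt_policy) match is available,
# and the subnets below are placeholders.

# By default only print the commands; set APPLY=1 to execute them as root.
run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        echo "$*"
    fi
}

# ipsec_fail_closed_rules <remote-subnet>...
# Emits two FORWARD rules per remote subnet, in this order:
#   1. accept packets that will be IPsec-encapsulated on the way out
#   2. reject everything else addressed to that subnet
# A rejected packet never reaches POSTROUTING, so its conntrack entry is
# never confirmed and no stale entry is left behind for later flows.
ipsec_fail_closed_rules() {
    for net in "$@"; do
        run iptables -A FORWARD -d "$net" -m policy --dir out --pol ipsec -j ACCEPT
        run iptables -A FORWARD -d "$net" -j REJECT --reject-with icmp-net-unreachable
    done
}

# Traffic generated by the firewall itself needs the same pair in OUTPUT.
ipsec_fail_closed_output() {
    net=$1
    run iptables -A OUTPUT -d "$net" -m policy --dir out --pol ipsec -j ACCEPT
    run iptables -A OUTPUT -d "$net" -j REJECT --reject-with icmp-net-unreachable
}

# Demo with placeholder subnets (prints the rules unless APPLY=1).
ipsec_fail_closed_rules 10.20.0.0/16 10.30.0.0/24
ipsec_fail_closed_output 10.20.0.0/16
```

The rules only have an effect if they are evaluated before any general ACCEPT for the LAN, so on a real system they belong at the top of the chain, not appended at the end. REJECT rather than DROP is deliberate: the sender gets an ICMP error straight away instead of waiting for a timeout, and nothing is leaked towards the default route while the tunnel is down.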
Misc
- Some deprecated (and non-functional) configuration options have been removed from the IPsec GUI
DHCP Server
The DHCP server is now able to submit DNS updates to an upstream name server after a DHCP lease has been handed out, so that the names of these systems can be made available in an external DNS zone. It uses the Dynamic DNS Update mechanism specified in RFC 2136, which is supported by many major name servers, and requires TSIG keys (RFC 2845) to sign the updates, so that only a holder of the shared key can modify the zone.
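The two halves of such a setup, as an added example that is not IPFire's own code: the ISC dhcpd configuration that signs RFC 2136 updates with a TSIG key, and the BIND zone configuration that accepts updates only when they carry that signature. The zone name, name-server address and key name are placeholders, it assumes dhcpd 4.3 or newer (for the "standard" update style), and the fragments are written under a temporary directory rather than into /etc so the script can run anywhere.

```shell
#!/bin/sh
# Added example, not IPFire's own code: the two halves of a TSIG-signed
# RFC 2136 setup, ISC dhcpd sending updates and a BIND server accepting
# them for the zone. Assumptions: zone name, name-server address and key
# name are placeholders, dhcpd is 4.3 or newer ("standard" update style),
# and the files are written under $OUT (a temp dir by default) rather than
# into /etc so the script runs anywhere.

OUT="${OUT:-$(mktemp -d)}"

# 256-bit random secret, base64-encoded, as TSIG keys are stored.
tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_ddns_configs <zone> <ns-ip> <keyname> <secret>
write_ddns_configs() {
    zone=$1 ns=$2 key=$3 secret=$4

    # DHCP side: sign every update for the zone with the shared key.
    cat > "$OUT/dhcpd-ddns.conf" <<EOF
ddns-update-style standard;
ddns-domainname "$zone.";
update-static-leases on;

key $key {
    algorithm hmac-sha256;
    secret "$secret";
}

zone $zone. {
    primary $ns;
    key $key;
}
EOF

    # Name-server side: the same key, and updates are accepted only when
    # signed with it. "allow-update { any; };" or an address-based ACL
    # would let any host able to spoof a source address rewrite the zone.
    cat > "$OUT/named-ddns.conf" <<EOF
key "$key" {
    algorithm hmac-sha256;
    secret "$secret";
};

zone "$zone" {
    type master;
    file "dynamic/$zone.db";
    allow-update { key "$key"; };
};
EOF
}

# Demo: generate a key and write both fragments.
write_ddns_configs example.org 192.0.2.53 dhcpupdate "$(tsig_secret)"
echo "Wrote $OUT/dhcpd-ddns.conf and $OUT/named-ddns.conf"
```

The secret is the whole access control for the zone: keep the generated files readable only by the dhcpd and named users, and use a separate key per zone (a reverse zone needs its own zone statement on both sides) so that one compromised DHCP server cannot rewrite every zone the name server holds.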
Misc
- OpenVPN
- Static routes are now loaded for gateways behind the tunnel when a tunnel comes up
- An extra client package is now downloadable with the configuration and certificates in PEM format. That makes those connections easier to import on clients that do not support the PKCS12 format, such as iOS devices.
- VLAN devices are now hotpluggable. That makes the bootup process more robust when initialising a NIC takes longer than usual.
- snort was updated to version 2.9.7.6
- The initial download of the GeoIP database is now executed in the background. On some systems with a slower uplink this caused a long delay when connecting to the Internet for the first time.
- The ntp package was updated to version 4.2.8p4 which fixes various security vulnerabilities
- dma, the new mailing component, was updated to version 0.10 which handles unreachable mail servers better and tries to resend emails
- We ship the ipset and pgrep binaries which were requested by some users
- ddns, the Dynamic DNS Updater, was updated to version 009 which improves handling of SSL errors and adds desec.io as a provider
- The lzo compression library was updated to version 2.09
Add-ons
Updated Add-ons
- asterisk was updated to version 11.20.0 which mainly contains security and stability fixes
- monit was updated to version 5.14
- tor: Flag icons are now shown again