For the start of the second half of the year, we have a brand new Core Update available for everyone who wants to help testing. It comes with various packages from all areas and some new features.
WPA Enterprise Authentication in Client Mode
The firewall can now authenticate itself with a wireless network that uses Extensible Authentication Protocol (EAP). These are commonly used in enterprises and require a username and password in order to connect to the network.
IPFire supports PEAP and TTLS which are the two most common ones. They can be found in the configured on the “WiFi Client” page which only shows up when the RED interface is a wireless device. This page also shows the status and protocols used to establish the connection.
The index page also shows various information about the status, bandwidth and quality of the connection to a wireless network. That also works for wireless networks that use WPA/WPA2-PSK or WEP.
QoS Multi-Queueing
The Quality of Service is now using all CPU cores to balance traffic. Before, only one processor core was used which caused a slower connection on systems with weaker processors like the Intel Atom series, etc. but fast Ethernet adapters. This has now been changed so that one processor is no longer a bottle neck any more.
New crypto defaults
In many parts of IPFire cryptographic algorithms play a huge role. However, they age. Hence we changed the defaults on new systems and for new VPN connections to something that is newer and considered to be more robust.
IPsec
- The latest version of
strongSwan
supports Curve 25519 for the IKE and ESP proposals which is also available in IPFire now and enabled by default. - The default proposal for new connections now only allows the explicitly selected algorithms which maximises security but might have a compatibility impact on older peers: SHA1 is dropped, SHA2 256 or higher must be used; the group type must use a key with length of 2048 bit or larger
- Since some people use IPFire in association with ancient equipment, it is now allowed to select MODP-768 in the IKE and ESP proposals. This is considered broken and marked so.
OpenVPN
- OpenVPN used SHA1 for integrity by default which has now been changed to SHA512 for new installations. Unfortunately OpenVPN cannot negotiate this over the connection. So if you want to use SHA512 on an existing system, you will have to re-download all client connections as well.
Various markers have been added to highlight that certain algorithms (e.g. MD5 and SHA1) are considered broken or cryptographically weak.
Misc.
- IPsec VPNs will be shown as “Connecting” when they are not established, but the system is trying to
- A shutdown bug has been fixed that delayed the system shutting down when the RED interface was configured as static
- The DNSSEC status is now shown correctly on all systems
- The following packages have been updated:
acpid
2.0.28,bind
9.11.1,coreutils
8.27,cpio
2.12,dbus
1.11.12,file
5.30,gcc
4.9.4,gdbm
1.13,gmp
6.1.2,gzip
1.8,logrotate
3.12.1,logwatch
7.4.3,m4
1.4.18,mpfr
3.1.5,openssl
1.0.2l (only bug fixes),openvpn
2.3.16 which fixes CVE-2017-7479 and CVE-2017-7478,pcre
8.40,pkg-config
0.29.1,rrdtool
1.6.0,strongswan
5.5.2,unbound
1.6.2,unzip
60,vnstat
1.17 - Matthias Fischer contributed some cosmetic changes for the firewall log section
- Gabriel Rolland improved the Italian translation
- Various parts of the build system have been cleaned up
Add-ons
New Add-ons
- ltrace: A tool to trace library calls of a binary
Updated Add-ons
The samba
addon has been patched for a security vulnerability (CVE-2017-7494) which allowed a remote code executing on writable shares.
ipset
6.32libvirt
3.1.0 +python3-libvirt
3.6.1git
2.12.1nano
2.8.1netsnmpd
which now supports reading temperature sensors with help oflm_sensors
nmap
7.40tor
0.3.0.7
As always, we would like to ask all users to participate in testing which will highly improve the quality of this update.
Please report any bugs to our bug tracker and provide any feedback on our development mailing list.