Security 10816 Published by

IPFire 2.27 - Core Update 161 has been released. IPFire is a powerful and professional Open Source firewall solution.



IPFire 2.27 - Core Update 161 released

Today, we are releasing a brand new version of IPFire: 2.27 - Core Update 161. Amongst a huge performance improvement for the Intrusion Prevention System, it comes with a brand new kernel and various security and bug fixes.

Before we talk about what is new, I would like to ask you for your support. IPFire is a small team of people and like many of our open source friends, we’ve taken a hit this year and would like to ask you to help us out. Please follow the link below where your donation can help fund our continued development:  https://www.ipfire.org/donate.

Please note, that this update will reconnect any PPP connections and we recommend performing a reboot after the update has been installed.

Boosting Intrusion Prevention System Performance

The most notable change in this update is a large increase of throughput of the IPS. It can now decide to no longer see traffic from a certain IP connection and tell the kernel to bypass it. That removes all overhead for these connections and therefore increases throughput.

On systems like the  Lightning Wire Labs Mini Appliance which comes with four CPU cores each at 1 GHz clock speed, it boosts throughput from about 120 MBit/s on full CPU load to 1 GBit/s on about 20% load on one CPU core for this type of connection. This releases more CPU time for scanning other traffic and allowing this device being properly used on connections with more than 100 MBit/s throughput.

For this change, a lot of work around the QoS and VPNs were necessary because of touch points in the firewall engine. Here, we were also able to tidy up code and make the system more efficient.

Fast Flux Detection in Web Proxy

This update brings  Fast Flux Detection as introduced by Peter.

Updated OS Kernel

The IPFire kernel is now based on Linux 5.10.76 and various configuration changes have been made:

  • Hardening of stack variables: All of those will now be zero-initialised to avoid any information leak inside the kernel's memory space
  • TPM hardware is now being used as a source for entropy if available
  • The kernel will now wake up more often in order to keep packet forward latency down and make the system more responsive.
  • Some debugging/overhead functions have been disabled for slight performance gains

Misc.

  • Python 2 has been removed from IPFire with this release
  • IPFire now supports ExFAT
  • Logwatch now includes status of software RAID configurations
  • Regressions in the disk utilization stats due to a change in iostat(8)'s output have been fixed
  • After launching an update, the Pakfire page did not correctly show the locked state
  • The web proxy will now always hide its version number due avoid any information leaks
  • Support for FriendlyARM NanoPI R2S has been added
  • Updated packages: apache 2.4.51 fixing  CVE-2021-42013 introduced due to an incomplete fix for  CVE-2021-41773, curl 7.79.1, dosfsutils 4.2, GD-Graph 1.54, gd 2.3.3, iproute2 5.14.0, perl-GD 2.73, strongSwan 5.9.4

Add-ons

  • Tor will now use any hardware acceleration for cryptographic operations if available
  • Updated packages: 7zip 17.04, cups-filters 1.28.10, Ghostscript 9.55.0, Git 2.33.1, htop 3.1.1, krb5 1.19.2, monit 5.29.0, nano 5.9, pcengines-apu-firmware 4.14.0.4, shairport-sync 3.3.8
  • avahi's and minidlna's confguration is now correctly backed up and restored on updates


IPFire 2.27 - Core Update 161 released - The IPFire Blog