IPFire’s 200th Core Update: New Blocklist & Kernel Upgrade

Summary
– IPFire released Core Update 200, featuring a kernel upgrade, a new domain blocklist beta, security patches, and numerous component updates.
– The update rebases the kernel on Linux 6.18.7 LTS, improving security and performance but requiring users on ReiserFS to reinstall.
– It introduces IPFire DBL, a beta domain blocklist for web proxy filtering and Suricata rules, replacing the retired Shalla list.
– Several key components received functional updates, including fixes for Suricata’s disk usage, enhanced OpenVPN configuration, and a multi-threaded DNS proxy.
– The release includes critical security patches for OpenSSL and glibc, addressing multiple CVEs, alongside updates to packages like Apache and Samba.
The IPFire project has reached a significant milestone with the launch of its 200th Core Update for the 2.29 branch. This substantial release delivers a major kernel upgrade, introduces a new domain blocklist service in beta, and incorporates critical security patches alongside numerous component refreshes. System administrators will find a host of improvements aimed at enhancing security, performance, and management capabilities.
A central feature of this update is the shift to the Linux 6.18.7 LTS kernel. This rebase provides updated hardware security mitigations and brings measurable improvements to network throughput and latency. It’s important to note that this kernel line has deprecated support for the ReiserFS filesystem. Users with installations on ReiserFS cannot apply this update and must first reinstall IPFire on a supported filesystem like ext4 or XFS.
The release debuts IPFire DBL, a new domain blocklist service currently in beta. This initiative aims to replace the retired Shalla list, which was previously used by the web proxy for filtering categories like malware, social media, and adult content. DBL can be utilized in two key areas: within the URL filter for proxy-based blocking and as a source for Suricata intrusion prevention rules. When integrated with Suricata, it enables deep packet inspection across DNS, TLS, HTTP, and QUIC network connections. The project labels DBL as an early beta and is actively seeking community feedback to refine the service.
Several important changes have been made to the Suricata intrusion prevention system. A fix has been applied to resolve a cache management bug from the prior update, where Suricata’s signature cache would grow indefinitely and consume disk space. A backported patch now ensures that unused signatures are cleaned up automatically. Additionally, the Suricata reporter has been enhanced to include hostname information and extra protocol metadata for alerts involving DNS, HTTP, TLS, and QUIC. This enriched data appears in alert emails and PDF reports, giving administrators greater context during security investigations.
For OpenVPN, client configuration behaviors have been updated for better flexibility. MTU values will now be pushed from the server instead of being hardcoded into client configurations, allowing for post-deployment adjustments. Similarly, when one-time password (OTP) authentication is enabled, the token will be pushed from the server. The CA certificate has also been removed from client config files to prevent import conflicts, as it is already contained within the PKCS12 container.
Performance gains are expected from the DNS proxy, Unbound, which has been modified to launch one thread per CPU core. This multi-threaded approach, a change from its previous single-threaded operation, is designed to reduce DNS response times under heavy load conditions.
Wireless access point functionality receives attention with several fixes. Support for the 802.11a/g wireless standards has been restored after being accidentally removed in an earlier release. Another fix prevents the hostapd daemon from flooding system logs with debug output when debugging is enabled. The system now also correctly accepts pre-shared keys (PSK) that contain special characters.
On the security front, this core update addresses multiple vulnerabilities. OpenSSL has been updated to version 3.6.1, patching twelve critical CVEs. The glibc library has also been patched for three security issues. Applying these updates is essential for maintaining a secure network perimeter.
A wide range of bundled software packages has been updated to the latest stable versions. This includes Apache 2.4.66, BIND 9.20.18, cURL 8.18.0, OpenVPN 2.6.17, strongSwan 6.0.4, Suricata 8.0.3, Unbound 1.24.2, ClamAV 1.5.1, Samba 4.23.4, and Tor 0.4.8.21. These updates ensure compatibility, introduce new features, and resolve bugs present in older versions.
(Source: HelpNet Security)