The firewall and network-focused Linux distribution IPFire has received a new update. The latest update builds on IPFire 2.27 and fixes various bugs and security flaws. In addition, the new version comes with a new kernel based on 5.15, which already brings a lot of bug fixes, security fixes, and additional hardware support.
Dirty Pipe, no more
The new version also fixes the recently disclosed Dirty Pipe vulnerability in the Linux kernel. IPFire 2.27 Core Update 164 also enhances the firewall capabilities. You can see the new capabilities of the firewall and network-focused Linux distribution below:
- Dropping any hostile traffic: The IPFire Location Database contains a list of networks that are considered “hostile”: networks nobody under any circumstances wants to communicate with at all, such as bullet-proof internet service providers or stolen/hijacked address space. This is enabled by default on new installations but left disabled in this update.
- Better source routing validation is performed: The firewall will now reject any packets from systems that it cannot reach according to its own routing table.
- Packets that are not recognized by the connection tracking (because they might belong to an invalid connection) are now logged to help with debugging.
- Extra logging has also been added for any spoofing attempts on the RED interface. If IPFire receives a packet with its own source IP address, this will be logged as a spoofing attempt.
- Users will be able to monitor any firewall hits from spoofing in the graphs as well.
- To allow running a Tor relay while using the IPFire Location filter, connections belonging to Tor are no longer checked against the Location filter.
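The source validation and RED spoofing checks described in the list above can be sketched as follows. This is an added example, not IPFire's code: the routing table, interface names and addresses are constructed, and it assumes the strict reverse-path reading, where the route back to the source must leave through the interface the packet arrived on.

```python
import ipaddress

# Constructed routing table and addresses (assumptions, not IPFire's config).
ROUTES = [
    ("192.168.1.0/24", "green0"),   # internal LAN
    ("10.8.0.0/24", "tun0"),        # VPN clients
    ("203.0.113.0/24", "red0"),     # uplink subnet
    ("0.0.0.0/0", "red0"),          # default route via the uplink
]
RED_IFACE = "red0"
RED_ADDRESS = "203.0.113.10"        # the firewall's own address on RED


def route_interface(src):
    """Longest-prefix match: interface the firewall would use to reach src."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def classify(src, in_iface):
    """Return the verdict for a packet with source `src` arriving on `in_iface`."""
    # A packet on RED claiming the firewall's own address is logged as spoofing.
    if in_iface == RED_IFACE and src == RED_ADDRESS:
        return "DROP_SPOOF"
    # Reverse-path check: the reply route must use the arrival interface.
    if route_interface(src) != in_iface:
        return "DROP_RPFILTER"
    return "ACCEPT"


if __name__ == "__main__":
    # Constructed sample packets: (source address, arrival interface)
    for pkt in [("203.0.113.10", "red0"), ("192.168.1.50", "red0"),
                ("198.51.100.7", "red0"), ("192.168.1.50", "green0")]:
        print(pkt, "->", classify(*pkt))
```

An internal address showing up on RED fails the reverse-path check even though a route to it exists, which is the case a simple "is there any route" test would miss.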
There are also additional changes and fixes that are listed in the IPFire 2.27 Core Update 164 changelog:
- IPFire now hashes passwords for system accounts using YESCRYPT, which is substantially stronger than the formerly used SHA512
- URL Filter: The Shalla Secure Services and MESD blacklists have been removed since both have ceased service
- Support for virtualization on aarch64 with libvirt and KVM has been added
- Pakfire now shows its status better on the web interface while installing updates or packages
- Updated packages: expat 2.4.2, freetype 2.11.1, gdbm 1.20, hdparm 9.63, kmod 29, libxml2 2.9.12, libxslt 1.1.34, libusb 1.0.25, LVM2 2.02.188, pciutils 3.7.0, PCRE 2 10.39, perl-libwww 6.60, poppler-data 0.4.11, python3-setuptools 58.0.4, shadow 4.11.1, squid 5.4.1, tcl 8.6.12, zstd 1.5.1
- A new package qemu-ga with QEMU’s Guest Agent has been added. We recommend installing this on any system that runs in a virtualized KVM environment in order to integrate the system better with the hypervisor
- Updated packages: ClamAV 0.104.2, dnsdist 1.7.0, libvirt 7.10.0, monit 5.30.0
The new version is ready to download for x86_64, aarch64, and ARM systems. It is advised to update to Core Update 164 since it fixes some vulnerabilities, such as the Dirty Pipe bug. You can follow the link below to download ISO files.