- IPFire 2.27 Core Update 170 comes with new IP blocklists for the firewall engine, along with improvements to Pakfire.
- MODP-2048 has been dropped from the default cryptographic algorithm selection for new IPsec connections.
- The “drop all traffic from and to hostile networks” feature is meant as a basic level of network protection suitable for IPFire’s entire user base
The IPFire team announced the general availability of IPFire 2.27 Core Update 170. The latest release introduces new IP blocklists for the firewall engine, significant improvements to Pakfire, and modernizes the default cryptographic algorithm selection for IPsec connections, along with a new kernel and multiple bug fixes and security improvements. The latest release can be downloaded from its official website.
IP-reputation blocking
The latest release introduces a new feature to the firewall engine, based on prior development by Tim FitzGeorge. It enables activating various public IP-based blocklists easily. Blocklists are updated automatically and provide protection against various threats, such as IP addresses or networks having a poor reputation, being involved with cyber crime hosting, or simply not being allocated. The reasons for adding another way for IP-based blocking are:
- IP blocklists are already available for the Intrusion Prevention System. However, it is a rather expensive way of dealing with network traffic that can already be safely dropped based on the reputation of involved IPs. There is no need to waste more CPU resources on it than absolutely necessary – why not let the firewall engine itself handle such traffic, and bother the IPS with more relevant stuff?
- The “drop all traffic from and to hostile networks” feature is meant as a basic level of network protection suitable for IPFire’s entire user base, hence enabled by default. It protects against “the baddest of the bad” on the internet and does not require any attention or maintenance whatsoever.
- IP blocklists, as introduced with this Core Update, provide a more fine-grained level, and your mileage may vary: For example, blocking Tor traffic might be appropriate for some IPFire users, but certainly not for all of them. Some may find certain blocklists to be too aggressive for their use case.
In the IPFire 2.27 Core Update 170, MODP-2048 has been dropped from the default cryptographic algorithm selection for new IPsec connections. The NIST-standardized elliptic curves ECP-384 and ECP-521 have been added to the defaults to provide a more performant alternative to MODP-3072 and MODP-4096. The release also comes with Linux Kernel 5.15.59, which adds mitigations against Retbleed. The following kernel-related changes have been made in addition:
- On x86_64, Intel DMA Remapping Devices (better known as IOMMU) are enabled by default during boot, if available.
- To reduce the attack surface, legacy DRM drivers are no longer available. Since the respective kernel modules have already been blocklisted for a long time, thus unusable, this should not have an impact in production.
- 64-bit ARM users experience improved KASLR thanks to the kernel’s memory address now being randomized before unpacking it.
- Merging slab caches is no longer permitted, to prevent kernel heap overflows, and adversaries interfering with cache structures used by several programs.
- Support for PCI pass-through has been enabled to allow mapping PCI devices into VMs running on IPFire.