IPFire is an open source firewall for i586, x86_64, and ARM systems. It includes an intrusion detection/prevention system, divides the network into zones, does stateful packet inspection and offers VPN capabilities. For more information, please refer to this page. The developers have released version 2.27 Core Update 161 for production systems. The corresponding announcement reads as follows:
Boosting Intrusion Prevention System Performance
The most notable change in this update is a large increase of throughput of the IPS. It can now decide to no longer see traffic from a certain IP connection and tell the kernel to bypass it. That removes all overhead for these connections and therefore increases throughput.
On systems like the Lightning Wire Labs Mini Appliance, which comes with four CPU cores each at 1 GHz clock speed, it boosts throughput from about 120 MBit/s at full CPU load to 1 GBit/s at about 20% load on one CPU core for this type of connection. This frees up CPU time for scanning other traffic and allows this device to be properly used on connections with more than 100 MBit/s throughput.
For this change, a lot of work around QoS and the VPNs was necessary because of touch points in the firewall engine. Here, we were also able to tidy up code and make the system more efficient.
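The bypass mechanism described above, as an added illustration (not IPFire's own scripts, and the page does not name its IPS engine): it assumes Suricata running in NFQUEUE mode with conntrack-mark bypass and an iptables FORWARD chain; the mark value 1 and queue number 0 are arbitrary choices.

```shell
#!/bin/sh
# Added illustration (not IPFire's own scripts) of how an IPS can hand a flow
# back to the kernel. Assumes Suricata in NFQUEUE mode with conntrack-mark
# bypass and an iptables FORWARD chain; mark 1 and queue 0 are arbitrary.
set -eu

BYPASS_MARK=1
QUEUE_NUM=0

# IPS side (assumed suricata.yaml fragment): once a flow is classified as not
# worth inspecting further (e.g. encrypted after the TLS handshake), Suricata
# sets the conntrack mark on the flow and stops seeing its packets.
suricata_bypass_config() {
  cat <<EOF
nfq:
  mode: accept
  bypass-mark: $BYPASS_MARK
  bypass-mask: $BYPASS_MARK
stream:
  bypass: yes
app-layer:
  protocols:
    tls:
      encryption-handling: bypass
EOF
}

# Kernel side: flows carrying the mark are accepted before they reach the
# NFQUEUE rule, so no further packets of that flow are copied to userspace.
# Rule order matters: the connmark ACCEPT must precede the NFQUEUE rule.
ips_forward_rules() {
  cat <<EOF
iptables -A FORWARD -m connmark --mark $BYPASS_MARK/$BYPASS_MARK -j ACCEPT
iptables -A FORWARD -j NFQUEUE --queue-num $QUEUE_NUM --queue-bypass
EOF
}

# Check after deployment: the ACCEPT rule's packet/byte counters grow for
# bypassed flows while the NFQUEUE rule's counters stay flat for them.
show_counters() {
  iptables -L FORWARD -v -n -x
}
```

The config fragment and rules are printed rather than applied, so the script can be reviewed before any of it is loaded on a firewall.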
Fast Flux Detection in Web Proxy
This update brings Fast Flux Detection as introduced by Peter.
Updated OS Kernel
The IPFire kernel is now based on Linux 5.10.76 and various configuration changes have been made:
- Hardening of stack variables: All of those will now be zero-initialized to avoid any information leak inside the kernel’s memory space
- TPM hardware is now being used as a source for entropy if available
- The kernel will now wake up more often in order to keep packet forward latency down and make the system more responsive.
- Some debugging/overhead functions have been disabled for slight performance gains
- Python 2 has been removed from IPFire with this release
- IPFire now supports ExFAT
- Logwatch now includes status of software RAID configurations
- Regressions in the disk utilization stats due to a change in iostat(8)’s output have been fixed
- After launching an update, the Pakfire page did not correctly show the locked state
- The web proxy will now always hide its version number to avoid any information leaks
- Support for FriendlyARM NanoPI R2S has been added
- Updated packages: apache 2.4.51 fixing CVE-2021-42013, introduced due to an incomplete fix for CVE-2021-41773; curl 7.79.1, dosfsutils 4.2, GD-Graph 1.54, gd 2.3.3, iproute2 5.14.0, perl-GD 2.73, strongSwan 5.9.4
- Tor will now use any hardware acceleration for cryptographic operations if available
- Updated packages: 7zip 17.04, cups-filters 1.28.10, Ghostscript 9.55.0, Git 2.33.1, htop 3.1.1, krb5 1.19.2, monit 5.29.0, nano 5.9, pcengines-apu-firmware 22.214.171.124, shairport-sync 3.3.8
- avahi’s and minidlna’s configuration is now correctly backed up and restored on updates