Michael Tremer

Increasing download & installation speed: Benefits of a smaller ISO image
by Michael Tremer, June 6

We provide a number of different images to install IPFire on a variety of systems. That can be virtual, a small embedded system or a plain rack server that is being installed from an USB key or CD. IPFire is very very versatile and we are proud to have it running on so many different platforms.

But with all these images, we bloat the size of each release. Each image is available for multiple architectures and with each of them being around 200 MB we reach a full 2GB per release or about ~650 MB per architecture. IPFire 2.17 which did not support the x86_64 architecture was therefore only 1.2GB per release. IPFire 2.11 was only about 500MB per release and the initial 2.0 release only had 60MB with only one ISO image. In total we have 102GB of images on the server for the IPFire 2 series.

The distribution is getting bigger and bigger since we ship more sofware but mainly because the Linux kernel is getting significantly bigger with each release. And of course with all the added drivers we need to ship more and more firmware which really eats up a lot of disk space.

The core components of IPFire itself are actually not that large on disk.

It is not worth fighting the fight to disable drivers that we think nobody is using any more or remove support for other features. We do not want to sacrifice compatibility for saving a few bytes on our server disks. We have decided to change the compression algorithm from gzip to XZ for the flash images for all architectures and we will compress it better by configuring XZ to do so. That on the other hand takes more time when composing the images, but that should be fine since we will save this time when downloading the image again.

This will allow us now to reduce the size for each release by ~300 MB to only 900 MB. Downloads will also be faster since there is less data to transfer and we will of course put less load on the mirrors.

That leaves us only with advantages except investing a little bit more time in compressing the images.

Michael Tremer

IPFire 2.19 - Core Update 120 is available for testing
by Michael Tremer, April 5

IPFire 2.19 – Core Update 120 is available for testing and we are excited that it is packet with a large number of features! They will increase security of the entire system, increase performance of some cryptographic operations as well as fixing a number of smaller bugs.

Thanks for the people who contributed to this Core Update by submitting their patches and please help us to support everyone’s work with your donation!

RAM-only Proxy

In some installations it might be desirable to only let the proxy cache objects in memory and not on disk. Especially when Internet connectivity is fast and storage is slow this is most useful.

The web UI now allows to set the disk cache size to zero which will disable the disk cache entirely. Thanks to Daniel for working on this.

OpenVPN 2.4

IPFire has migrated to OpenVPN 2.4 which introduces new ciphers of the AES-GCM class which will increase throughput on systems that have hardware acceleration for it. The update also brings various other smaller improvements.

Erik has been working on integration this which has required some work under the hood but is compatible with any previous configurations for both roadwarrior connections and net-to-net connections.

Improved Cryptography

Cryptography is one of the foundations to a secure system. We have updated the distribution to use the latest version of the OpenSSL cryptography library (version 1.1.0). This comes with a number of new ciphers and major refacturing of the code base has been conducted.

With this change, we have decided to entirely deprecate SSLv3 and the web user interface will require TLSv1.2 which is also the default for many other services. We have configured a hardened list of ciphers which only uses recent algorithms and entirely removes broken or weak algorithms like RC4, MD5 and so on.

Please check before this update if you are relying on any of those, and upgrade your dependent systems.

Various packages in IPFire had to be patched to be able to use the new library. This major work was necessary to provide IPFire with the latest cryptography, migrate away from deprecated algorithms and take advantage of new technology. For example the ChaCha20-Poly1305 ciphersuite is available which performs faster on mobile devices.

The old version of the OpenSSL library (1.0.2) is still left in the system for compatibility reasons and will continue to be maintained by us for a short while. Eventually, this will be removed entirely, so please migrate any custom-built add-ons away from using OpenSSL 1.0.2.

Misc

Add-ons

These add-ons have been updated: clamav 0.99.4, htop 2.1.0, krb5 1.15.2, ncat 7.60, nano 2.9.4, rsync 3.1.3, tor 0.3.2.10, wio 1.3.2

Michael Tremer

IPFire 2.19 - Core Update 119 is available for testing
by Michael Tremer, February 26

Hello Community,

it is time for another Core Update that updates the toolchain of the distribution as well as a number of smaller bug and security fixes. Therefore this update is another one of a series of general housekeeping updates to make IPFire better, faster and of course more secure!

Thanks for the people who contributed to this Core Update by submitting their patches and please help us to support everyone’s work with your donation!

Toolchain Updates

The toolchain is a collection of programs that is used to build the distribution. One of the most important one is the compiler GCC which has been updated to version 7.3.0 which mainly adds support for retpoline. This is needed to build protection against Spectre into newer kernels.

The main C library, glibc, has been updated to version 2.27 and brings various stability fixes, performance improvents and bug fixes.

Other toolchain packages that have been updated: binutils 2.30, ccache 3.4.1, diffutils 3.1.6, swig 3.0.12

Security-Relevant Changes

Misc

Add-Ons

The following packages have been updated: asterisk 13.18.5, bacula 9.0.6, bwm-ng 0.6.1-f54b3fa, flac 1.3.2, haproxy 1.8.0, nginx 1.13.7, nut 2.7.4, openvmtools 10.2.0, postfix 3.2.4, powertop 2.9, sarg 2.3.11, stunnel 5.44

These packages have been dropped and will be removed with this Core Update: lcr, mysql which was very outdated and is not needed by any add-ons.

Michael Tremer

IPFire 2.19 - Core Update 118 is almost there
by Michael Tremer, February 6

Hello Community,

the next Core Update 118 is almost there. We have no major new bugs left any more and it is good to go. But before our release engineering team pulls the trigger and is releasing this for everyone of you, we would like to make you aware again that a number of add-on packages has been discontinued and will automatically be uninstalled when Core Update 118 is installed. Those are:

PHP is being removed for security reasons and for more and more of the software that we ship becoming independent from it. If you have installed any custom applications that use PHP, please move them to another machine.

We are sending you this deprecation announcement to give you some extra time to prepare for the upcoming changes in case you have missed them from the pre-announcement of this Core Update.

Hottest posts 2018 2017 2016 2015 2014 2013 2012 2011