Michael Tremer

IPFire 2.21 is available for testing
by Michael Tremer, June 24

Finally, the next major version of IPFire is ready for testing. IPFire 2.2 rebases the distribution on the long-term supported Linux kernel 4.14 and many more improvements and bug fixes have found their way into the distribution.

Thanks to the people who contributed to this Core Update by submitting their patches and please help us to support everyone’s work with your donation!

Highlight: Linux 4.14

The distribution was rebased from our old long-term supported kernel to the new kernel 4.14.50.

Most importantly, this kernel improves the security of the system, increases performance and makes the core of IPFire more up to date and modern again. This update also enables mitigation against Meltdown and Spectre on some architectures. On Intel-based platforms, we update the microcode of the CPUs when the system boots up to avoid any performance penalties caused by the mitigation techniques.
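A way to confirm after the update that the mitigations are active, as an added example that is not part of the original post or IPFire's own tooling. It assumes the running kernel exposes `/sys/devices/system/cpu/vulnerabilities`; the sample status strings are constructed, and the function names are illustrative.

```python
import tempfile
from pathlib import Path

# Assumption: the running kernel exposes its mitigation status in this directory.
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")
VERDICTS = (("Not affected", "ok"), ("Mitigation:", "mitigated"), ("Vulnerable", "vulnerable"))

def classify(status):
    """Map one status line to ok / mitigated / vulnerable / unknown."""
    for prefix, verdict in VERDICTS:
        if status.strip().startswith(prefix):
            return verdict
    return "unknown"

def audit(directory=SYSFS_DIR):
    """Return {issue: (verdict, raw status)} for every file in the directory."""
    report = {}
    for entry in sorted(directory.iterdir()):
        if entry.is_file():
            raw = entry.read_text().strip()
            report[entry.name] = (classify(raw), raw)
    return report

def microcode_revisions(cpuinfo_text):
    """Collect the distinct 'microcode' revisions found in /proc/cpuinfo text.
    More than one revision means the cores are not running the same microcode."""
    revisions = set()
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "microcode":
            revisions.add(value.strip())
    return revisions

def constructed_sample():
    """Build a throwaway directory holding constructed status strings."""
    d = Path(tempfile.mkdtemp())
    (d / "meltdown").write_text("Mitigation: PTI\n")
    (d / "spectre_v1").write_text("Mitigation: __user pointer sanitization\n")
    (d / "spectre_v2").write_text("Vulnerable: Minimal generic ASM retpoline\n")
    return d

if __name__ == "__main__":
    # Use the live kernel interface when present, else the constructed sample.
    target = SYSFS_DIR if SYSFS_DIR.is_dir() else constructed_sample()
    for issue, (verdict, raw) in audit(target).items():
        print(f"{issue:20} {verdict:10} {raw}")
    cpuinfo = Path("/proc/cpuinfo")
    if cpuinfo.is_file():
        print("microcode revisions:", sorted(microcode_revisions(cpuinfo.read_text())))
```

Any entry reported as `vulnerable` or `unknown` after the update is worth following up before the system goes back into production.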

Unfortunately, grsecurity is incompatible with any newer kernels and has been removed. This is connected to the decision of the grsecurity project to no longer open source their patches. Luckily the kernel developers have backported many features so that this kernel is still hardened and secure.

ARM systems won’t be able to install this update due to the kernel change which also requires changes on some bootloaders. For those users, we recommend backing up the system, reinstalling and then restoring the backup. The re-installed system will only come with a single ARM kernel instead of the multiple kernels for different platforms that we had before. It helps us to keep the distribution smaller and makes development efforts easier.


Smaller images due to more efficient compression

We have tried to make the download of the distribution faster and make it use less space on our servers. As a first step, the flash images have been merged together and there is only one image that boots on systems with serial console and normal video output. Secondly, we now compress all images with the XZ algorithm so that they download faster and even decompress quicker, too.

New partition layout

This release also changes the partition layout of the distribution. We have dropped the /var partition which was used for log files and data that the system collected. This data is now located on a single partition together with the OS. The size of the /boot partition has been increased to 128MB in the default partition layout.


Updated Packages

Increasing download & installation speed: Benefits of a smaller ISO image
by Michael Tremer, June 6

We provide a number of different images to install IPFire on a variety of systems. That can be virtual, a small embedded system or a plain rack server that is being installed from a USB key or CD. IPFire is very, very versatile and we are proud to have it running on so many different platforms.

But with all these images, we bloat the size of each release. Each image is available for multiple architectures and with each of them being around 200 MB we reach a full 2GB per release or ~650 MB per architecture. IPFire 2.17, which did not support the x86_64 architecture, was therefore only 1.2GB per release. IPFire 2.11 was only about 500MB per release and the initial 2.0 release only had 60MB with only one ISO image. In total we have 102GB of images on the server for the IPFire 2 series.

The distribution is getting bigger and bigger since we ship more software but mainly because the Linux kernel is getting significantly bigger with each release. And of course with all the added drivers we need to ship more and more firmware which really eats up a lot of disk space.

The core components of IPFire itself are actually not that large on disk.

It is not worth fighting the fight to disable drivers that we think nobody is using any more or remove support for other features. We do not want to sacrifice compatibility for saving a few bytes on our server disks. We have decided to change the compression algorithm from gzip to XZ for the flash images for all architectures and we will compress it better by configuring XZ to do so. That on the other hand takes more time when composing the images, but that should be fine since we will save this time when downloading the image again.

This will allow us now to reduce the size for each release by ~300 MB to only 900 MB. Downloads will also be faster since there is less data to transfer and we will of course put less load on the mirrors.

That leaves us only with advantages except investing a little bit more time in compressing the images.


IPFire 2.19 - Core Update 120 is available for testing
by Michael Tremer, April 5

IPFire 2.19 – Core Update 120 is available for testing and we are excited that it is packed with a large number of features! They will increase security of the entire system, increase performance of some cryptographic operations as well as fixing a number of smaller bugs.

Thanks to the people who contributed to this Core Update by submitting their patches and please help us to support everyone’s work with your donation!

RAM-only Proxy

In some installations it might be desirable to only let the proxy cache objects in memory and not on disk. Especially when Internet connectivity is fast and storage is slow this is most useful.

The web UI now allows setting the disk cache size to zero which will disable the disk cache entirely. Thanks to Daniel for working on this.

OpenVPN 2.4

IPFire has migrated to OpenVPN 2.4 which introduces new ciphers of the AES-GCM class which will increase throughput on systems that have hardware acceleration for it. The update also brings various other smaller improvements.

Erik has been working on integrating this, which has required some work under the hood but is compatible with any previous configurations for both roadwarrior connections and net-to-net connections.

Improved Cryptography

Cryptography is one of the foundations of a secure system. We have updated the distribution to use the latest version of the OpenSSL cryptography library (version 1.1.0). This comes with a number of new ciphers and a major refactoring of the code base has been conducted.

With this change, we have decided to entirely deprecate SSLv3 and the web user interface will require TLSv1.2 which is also the default for many other services. We have configured a hardened list of ciphers which only uses recent algorithms and entirely removes broken or weak algorithms like RC4, MD5 and so on.

Please check before this update if you are relying on any of those, and upgrade your dependent systems.
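One way to run that check against an inventory of dependent clients, as an added example that is not part of the original post or IPFire's configuration. The cipher string is an assumed stand-in for the hardened list, which the post does not publish, and the client profiles are constructed.

```python
import ssl

# Assumption: an illustrative policy string; the page does not list IPFire's actual ciphers.
HARDENED = "HIGH:!aNULL:!RC4:!MD5"

def server_policy():
    """Server-side context with the constraints described: TLS 1.2 minimum, no RC4/MD5."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(HARDENED)
    return ctx

def shared_suites(client_max_version, client_suites, ctx):
    """Suites a client could still negotiate; an empty list means it will be locked out."""
    if client_max_version < ctx.minimum_version:
        return []  # client cannot speak a protocol version the server accepts
    allowed = {c["name"] for c in ctx.get_ciphers()}
    return [s for s in client_suites if s in allowed]

# Constructed client profiles (OpenSSL suite names) standing in for a real inventory.
CLIENTS = {
    "legacy-monitoring": (ssl.TLSVersion.TLSv1, ["AES128-SHA", "RC4-SHA"]),
    "rc4-only-script": (ssl.TLSVersion.TLSv1_2, ["RC4-SHA", "RC4-MD5"]),
    "current-browser": (ssl.TLSVersion.TLSv1_2,
                        ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305", "RC4-SHA"]),
}

def audit_clients(clients=CLIENTS):
    """Return {client: negotiable suites} under the hardened policy."""
    ctx = server_policy()
    return {name: shared_suites(ver, suites, ctx) for name, (ver, suites) in clients.items()}

if __name__ == "__main__":
    for name, suites in audit_clients().items():
        print(f"{name:20}", "OK: " + ", ".join(suites) if suites else "LOCKED OUT after the update")
```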

Various packages in IPFire had to be patched to be able to use the new library. This major work was necessary to provide IPFire with the latest cryptography, migrate away from deprecated algorithms and take advantage of new technology. For example the ChaCha20-Poly1305 ciphersuite is available which performs faster on mobile devices.

The old version of the OpenSSL library (1.0.2) is still left in the system for compatibility reasons and will continue to be maintained by us for a short while. Eventually, this will be removed entirely, so please migrate any custom-built add-ons away from using OpenSSL 1.0.2.



These add-ons have been updated: clamav 0.99.4, htop 2.1.0, krb5 1.15.2, ncat 7.60, nano 2.9.4, rsync 3.1.3, tor, wio 1.3.2


IPFire 2.19 - Core Update 119 is available for testing
by Michael Tremer, February 26

Hello Community,

it is time for another Core Update that updates the toolchain of the distribution as well as a number of smaller bug and security fixes. Therefore this update is another one of a series of general housekeeping updates to make IPFire better, faster and of course more secure!

Thanks to the people who contributed to this Core Update by submitting their patches and please help us to support everyone’s work with your donation!

Toolchain Updates

The toolchain is a collection of programs that is used to build the distribution. One of the most important ones is the compiler GCC, which has been updated to version 7.3.0, which mainly adds support for retpoline. This is needed to build protection against Spectre into newer kernels.

The main C library, glibc, has been updated to version 2.27 and brings various stability fixes, performance improvements and bug fixes.

Other toolchain packages that have been updated: binutils 2.30, ccache 3.4.1, diffutils 3.1.6, swig 3.0.12

Security-Relevant Changes



The following packages have been updated: asterisk 13.18.5, bacula 9.0.6, bwm-ng 0.6.1-f54b3fa, flac 1.3.2, haproxy 1.8.0, nginx 1.13.7, nut 2.7.4, openvmtools 10.2.0, postfix 3.2.4, powertop 2.9, sarg 2.3.11, stunnel 5.44

These packages have been dropped and will be removed with this Core Update: lcr, mysql which was very outdated and is not needed by any add-ons.
