Michael Tremer

IPFire 2.19 - Core Update 120 is available for testing
by Michael Tremer, April 5

IPFire 2.19 – Core Update 120 is available for testing and we are excited that it is packet with a large number of features! They will increase security of the entire system, increase performance of some cryptographic operations as well as fixing a number of smaller bugs.

Thanks for the people who contributed to this Core Update by submitting their patches and please help us to support everyone’s work with your donation!

RAM-only Proxy

In some installations it might be desirable to only let the proxy cache objects in memory and not on disk. Especially when Internet connectivity is fast and storage is slow this is most useful.

The web UI now allows to set the disk cache size to zero which will disable the disk cache entirely. Thanks to Daniel for working on this.

OpenVPN 2.4

IPFire has migrated to OpenVPN 2.4 which introduces new ciphers of the AES-GCM class which will increase throughput on systems that have hardware acceleration for it. The update also brings various other smaller improvements.

Erik has been working on integration this which has required some work under the hood but is compatible with any previous configurations for both roadwarrior connections and net-to-net connections.

Improved Cryptography

Cryptography is one of the foundations to a secure system. We have updated the distribution to use the latest version of the OpenSSL cryptography library (version 1.1.0). This comes with a number of new ciphers and major refacturing of the code base has been conducted.

With this change, we have decided to entirely deprecate SSLv3 and the web user interface will require TLSv1.2 which is also the default for many other services. We have configured a hardened list of ciphers which only uses recent algorithms and entirely removes broken or weak algorithms like RC4, MD5 and so on.

Please check before this update if you are relying on any of those, and upgrade your dependent systems.

Various packages in IPFire had to be patched to be able to use the new library. This major work was necessary to provide IPFire with the latest cryptography, migrate away from deprecated algorithms and take advantage of new technology. For example the ChaCha20-Poly1305 ciphersuite is available which performs faster on mobile devices.

The old version of the OpenSSL library (1.0.2) is still left in the system for compatibility reasons and will continue to be maintained by us for a short while. Eventually, this will be removed entirely, so please migrate any custom-built add-ons away from using OpenSSL 1.0.2.



These add-ons have been updated: clamav 0.99.4, htop 2.1.0, krb5 1.15.2, ncat 7.60, nano 2.9.4, rsync 3.1.3, tor, wio 1.3.2

Michael Tremer

IPFire 2.19 - Core Update 119 is available for testing
by Michael Tremer, February 26

Hello Community,

it is time for another Core Update that updates the toolchain of the distribution as well as a number of smaller bug and security fixes. Therefore this update is another one of a series of general housekeeping updates to make IPFire better, faster and of course more secure!

Thanks for the people who contributed to this Core Update by submitting their patches and please help us to support everyone’s work with your donation!

Toolchain Updates

The toolchain is a collection of programs that is used to build the distribution. One of the most important one is the compiler GCC which has been updated to version 7.3.0 which mainly adds support for retpoline. This is needed to build protection against Spectre into newer kernels.

The main C library, glibc, has been updated to version 2.27 and brings various stability fixes, performance improvents and bug fixes.

Other toolchain packages that have been updated: binutils 2.30, ccache 3.4.1, diffutils 3.1.6, swig 3.0.12

Security-Relevant Changes



The following packages have been updated: asterisk 13.18.5, bacula 9.0.6, bwm-ng 0.6.1-f54b3fa, flac 1.3.2, haproxy 1.8.0, nginx 1.13.7, nut 2.7.4, openvmtools 10.2.0, postfix 3.2.4, powertop 2.9, sarg 2.3.11, stunnel 5.44

These packages have been dropped and will be removed with this Core Update: lcr, mysql which was very outdated and is not needed by any add-ons.

Michael Tremer

IPFire 2.19 - Core Update 118 is almost there
by Michael Tremer, February 6

Hello Community,

the next Core Update 118 is almost there. We have no major new bugs left any more and it is good to go. But before our release engineering team pulls the trigger and is releasing this for everyone of you, we would like to make you aware again that a number of add-on packages has been discontinued and will automatically be uninstalled when Core Update 118 is installed. Those are:

PHP is being removed for security reasons and for more and more of the software that we ship becoming independent from it. If you have installed any custom applications that use PHP, please move them to another machine.

We are sending you this deprecation announcement to give you some extra time to prepare for the upcoming changes in case you have missed them from the pre-announcement of this Core Update.

Michael Tremer

IPFire 2.19 - Core Update 118 is available for testing
by Michael Tremer, January 29

Hello community,

the next Core Update for IPFire is now ready for testing and will be released soon. Please support is with that to provide you with a number of security and bug fixes as well as some new features.

Thanks for the people who contributed to this Core Update by submitting their patches and please help us to support everyone’s work with your donation!

Spring Clean

It is the time of the year where we reviewed large parts of the distribution and decided to drop support for various packages and add-ons that cannot be maintained any more:

Most importantly, this Core Update drops support for PHP and therefore various add-ons that rely on it. We have taken that decision some while ago without any objections and first dropped all add-ons that are not supported and updated by their respective authors and maintainers. That left us with only one package that needed PHP but also be installed anywhere else.

PHP is a huge problem to maintain and does not really have a place on a firewall in 2018. Our web user interface is entirely independent and since we value security more than anything else, we have decided to drop support for PHP with this Core Update.

If you have anything installed manually that requires PHP, please move it to another web server before installing this Core Update.

Add-ons that have also been dropped: cacti, openmailadmin, phpSANE, nagios because icinga is available, nagiosql, mediatomb, owncloud


This Core Update originally contained the microcode updates that Intel has now pulled from public release. Since they make the system very unstable and cause random reboots and reportedly can render some systems unbootable, we decided to remove them from the update again.

So far due to the hardening Meltdown exploits do not work on IPFire although this still is a hardware bug and software can only be modified to mitigate this massive problem. Over the coming days and weeks we will continue to work on providing a solution that mitigates all problems, but so far we are not in a position to have patches for Linux that fix them all and are at the same time complete and stable enough to be released.

Security Improvements

Update Accelerator Improvements

Justin Luth has contributed fixes and improvements for the Update Accelerator which has sometimes re-downloaded files with special characters in the URL (#10504).

He has also improved caching of Microsoft updates which is now based on a checksum of the update file (#11558).



New Add-ons
Hottest posts 2018 2017 2016 2015 2014 2013 2012 2011