IPFire Hardened Open-Source Linux Firewall Is Now Powered by Linux Kernel 5.15 LTS


The IPFire Project released a new update to their popular IPFire hardened open-source Linux-powered firewall distribution based on the latest long-term supported Linux 5.15 kernel series.

IPFire 2.27 Core Update 164 is here as the first release of the IPFire Linux firewall to be powered by the Linux 5.15 LTS kernel series, which is supported until October 2023. As you can expect, the new kernel improves compatibility with newer hardware components, adds security and bug fixes, enables virtualization support with libvirt and KVM, and improves the performance of cryptographic operations on the AArch64 (ARM64) architecture.

IPFire maintainer Michael Tremer reports that the Linux 5.15 LTS kernel included in the IPFire 2.27 Core Update 164 release is patched against the recently disclosed “Dirty Pipe” vulnerability. In addition to the new kernel version, IPFire 2.27 Core Update 164 also ships with the latest Intel microcode firmware for x86 processors to address two critical security issues.

The new IPFire release enables hashing of system account passwords with YESCRYPT, a password-based key derivation function (KDF) and password hashing scheme. It also adds a new method of source routing validation that rejects any packets from systems the firewall can’t reach according to its own routing table, and adds support for dropping traffic from networks marked as “hostile” in the IPFire Location Database.
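The source validation described above amounts to a reverse-path check: look up the packet's source address in the routing table and drop the packet if no route leads back to it. The following sketch is an added illustration, not IPFire's code; the routes, interface names and the stricter per-interface mode are assumptions made for the example.

```python
import ipaddress

# Constructed routing table: (destination prefix, outgoing interface).
# Prefixes and interface names are sample values, not taken from the article.
ROUTES = [
    ("192.168.1.0/24", "green0"),   # internal LAN
    ("10.20.0.0/16", "blue0"),      # wireless zone
    ("203.0.113.0/24", "red0"),     # uplink subnet
    ("0.0.0.0/0", "red0"),          # default route via the uplink
]

def build_table(routes):
    """Parse prefixes once so lookups only do membership tests."""
    return [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]

def lookup(table, addr):
    """Longest-prefix match: return the interface used to reach addr, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, iface) for net, iface in table if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def validate_source(table, src, in_iface, strict=True):
    """Decide whether a packet with source src arriving on in_iface is plausible.

    Loose mode: any route back to the source is enough.
    Strict mode (assumed variant): the route back must use the arrival interface.
    """
    route_iface = lookup(table, src)
    if route_iface is None:
        return "drop: no route to source"
    if strict and route_iface != in_iface:
        return "drop: source is reached via " + route_iface
    return "accept"

if __name__ == "__main__":
    table = build_table(ROUTES)
    samples = [
        ("192.168.1.50", "green0"),  # LAN host on the LAN interface
        ("192.168.1.50", "red0"),    # LAN address arriving from the uplink
        ("198.51.100.7", "red0"),    # Internet host via the default route
    ]
    for src, iface in samples:
        print(src, iface, "->", validate_source(table, src, iface))
```

With a default route installed, the loose check accepts almost every source, which is why the strict comparison against the arrival interface is what catches an internal address showing up on the uplink.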

“Our IPFire Location Database contains a list of networks that are considered ‘hostile’ – a network nobody under any circumstance wants to communicate with at all like bullet-proof internet service providers or stolen/hijacked address space. This is enabled by default on new installations, but left disabled in this update. We strongly recommend for everyone to enable this on the Firewall Options page,” said Michael Tremer.

Among other noteworthy changes, IPFire 2.27 Core Update 164 removes the Shalla Secure Services and MESD blacklists from the URL Filter feature, updates the Pakfire components so that the web interface better displays their status while updates or packages are being installed, and adds a new qemu-ga package for better integration with the hypervisor in KVM-based virtualized environments.

Last but not least, it adds additional logging on the RED interface to prevent spoofing attempts, enables logging of packets that aren’t recognized by the connection tracking, adds the ability for users to monitor any firewall hits from spoofing in the graphs, improves Tor relay connections, and updates many core components and add-ons.

As usual, you can download the latest IPFire release from the official website. USB and ISO images are provided for 64-bit (x86_64) and AArch64 (ARM64) architectures.

Image credits: IPFire Project (edited by Marius Nestor)

Last updated 2 years ago
