IPFire: a Free Linux distribution which acts as a router and firewall

Image by Stuart Miles / freedigitalphotos.net *

IPFire is a free Linux distribution which acts as a router and firewall in the first instance. It can be maintained via a web interface. The distribution furthermore offers selected server-daemons and can easily be expanded to a SOHO-server.

IPFire is based on Linux From Scratch and is, like the Endian Firewall, originally a fork from IPCop. Since Version 2, only IPCop’s web interface is used.

The modular design enables the user to create a tailor-made system fitting his needs. This can either be a very small system, which can be run on old hardware like a first-generation Intel Pentium, or a SOHO-System with an up-to-date multiprocessor. IPFire caters to users not overly familiar with networking and server services. IPFire ships with an extensive package management utility (Pakfire) which allows the base system to be extended by various addons. The package manager also enables updates to address security issues. (1) (emphasis added)

***

IPFire 2.15 – Core Update 79 is finally arriving with many bug fixes and enhancements. Among the big changes with this update are lots of feature enhancements that massively increase the security level of OpenVPN connections, some enhancements of the web user interface and a lot more awesome stuff under the hood.

OpenVPN

The OpenVPN capabilities have been massively extended by Erik Kapfer:

Certificate Authorities

The certificate authority that can be created on the OpenVPN page now uses much better hashes to protect its own integrity. The CA root certificate uses a SHA512 hash and an RSA key with a length of 4096 bits. All newly created host certificates use an RSA key with a length of 2048 bits and a SHA256 hash.

Additionally, a set of Diffie-Hellman parameters can be generated for better protection of the session keys. The length of the pregenerated DH parameters can be chosen in the web interface.

Ciphers

The cipher that is used for each net-to-net connection can now be changed, for example to take advantage of hardware crypto processors. SEED has been added to the list of already supported ciphers.

(…) 

HMAC/Hashing

IPFire Logo – Public Domain by Halit YEŞİL / wikipedia

To ensure that the transmitted data has not been altered on the way from sender to receiver, a hash function is used. This hash is now configurable with a couple of options: SHA2 (512, 384 and 256 bit), Whirlpool (512 bit) and SHA1 (160 bit).

To mitigate DoS attacks against the OpenVPN server, the tls-auth option can be enabled, which uses an HMAC function that lets the server very quickly decide if a packet is coming from a legitimate sender and needs to be decrypted (which is a very costly operation) or if it is just some spoofed data sent to slow down the server. In the latter case the HMAC does not match and the packet can be discarded right away.
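The gating idea described above, as an added example that is not code from IPFire or OpenVPN: a simplified Python model in which every packet carries an HMAC tag computed with a pre-shared key and the server checks it before doing any costly work. The packet layout, the `Server` class and the PBKDF2 stand-in for the expensive step are assumptions for illustration, not OpenVPN's wire format.

```python
import hashlib
import hmac
import os

TAG_LEN = hashlib.sha256().digest_size  # 32-byte tag prepended to each packet


def seal(static_key: bytes, payload: bytes) -> bytes:
    """Sender side: prepend an HMAC tag computed with the pre-shared key."""
    return hmac.new(static_key, payload, hashlib.sha256).digest() + payload


class Server:
    """Toy server (hypothetical) that counts how often the costly path runs."""

    def __init__(self, static_key: bytes):
        self.static_key = static_key
        self.expensive_calls = 0
        self.dropped = 0

    def _expensive_step(self, payload: bytes) -> bytes:
        # Stand-in for costly work such as a key exchange or decryption.
        self.expensive_calls += 1
        return hashlib.pbkdf2_hmac("sha256", payload, b"constructed-salt", 50_000)

    def receive(self, packet: bytes):
        if len(packet) < TAG_LEN:          # too short to even hold a tag
            self.dropped += 1
            return None
        tag, payload = packet[:TAG_LEN], packet[TAG_LEN:]
        expected = hmac.new(self.static_key, payload, hashlib.sha256).digest()
        # Constant-time comparison; a mismatch is dropped before any costly work.
        if not hmac.compare_digest(tag, expected):
            self.dropped += 1
            return None
        return self._expensive_step(payload)


def demo():
    key = os.urandom(32)                             # shared out of band by both peers
    server = Server(key)
    legit = seal(key, b"client hello (constructed)")
    spoofed = [os.urandom(64) for _ in range(1000)]  # constructed junk traffic
    tampered = legit[:-1] + bytes([legit[-1] ^ 1])   # one flipped bit in the payload
    for pkt in spoofed + [tampered, legit]:
        server.receive(pkt)
    return server.expensive_calls, server.dropped    # → (1, 1001)
```

Only the one correctly tagged packet reaches the costly step; each of the 1001 rejected packets costs the server a single HMAC computation.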

All this may sound a bit complicated, but in the end the OpenVPN feature is just as easy to use as you know it from IPFire. Everything described here works under the hood and gives you better protection for your data.

Kernel Update

The Linux kernel running inside IPFire has been updated to version 3.10.44 which adds better support for some hardware, comes with lots of stability fixes and closes some security issues. The vendor drivers for Intel network adapters have been updated, too.

One of the most significant changes is that the system now uses the PCIe ASPM configuration from the BIOS. The former option was to save as much power as possible which may lead to instabilities with some PCIe periphery. It is now possible to easily configure the desired operation mode in the BIOS of the system.

Various changes have been applied to the Xen image so installing IPFire on para-virtualized systems runs much more smoothly now. (2) (emphasis added)

Note from Michael Tremer: “It would help us a lot if more people would engage in testing new releases and support our efforts. You can do that by donating or in various other ways.”

© 2014 – IPFire is free software

References:

  1. http://en.wikipedia.org/wiki/IPFire
  2. http://www.ipfire.org/news/ipfire-2-15-core-update-79-released
