The IPFire project has released Core Update 197, a significant stable update to its hardened Linux firewall distribution. This release introduces a complete overhaul of its OpenVPN implementation by upgrading to version 2.6.14 and shifts to a power-saving CPU frequency governor by default, aiming to enhance security and reduce energy consumption without sacrificing performance.
OpenVPN 2.6 Modernizes VPN Stack
The move to OpenVPN 2.6 modernizes the VPN stack by introducing cipher negotiation, which replaces static cipher configurations in new installations. The update also removes support for compression to mitigate potential attack vectors and changes the network topology to assign a single IP address per client, effectively quadrupling the capacity of address pools. Client configuration has been streamlined into a single embedded file, dropping the previous ZIP container for easier deployment.
Performance and Kernel Hardening
At its core, the system is now based on Linux kernel 6.12.41, which includes new mitigations for Transient Scheduler Attacks. A major performance change makes power-saving CPU governors the new default. “Where supported, we will use Intel P-State or otherwise fall back to the new schedutil governor which has proven not to increase any packet forwarding latency in our benchmarks,” said Michael Tremer. He noted that clocked-down systems will reduce power consumption and lower heat emissions. The cpufrequtil package has been consequently removed.
Recommended: 50 Best Linux Hardening Security Tips: A Comprehensive Checklist
New Tools and Usability Enhancements
Core Update 197 adds several new capabilities. Administrators can now emulate a TPM 2.0 device, a requirement for running Windows 11 virtual machines. The arpwatch utility has been added to send email alerts for new hosts detected on local networks. For usability, the web interface now supports restoring backups larger than 2 GB, and WireGuard can import configurations using Windows line breaks. A boot-time race condition affecting network interfaces has also been fixed.
Comprehensive Package Refresh
The update is rounded out by a comprehensive refresh of core packages and add-ons. Key updates include Suricata 7.0.11, OpenSSL 3.5.1, strongSwan 6.0.2, Samba 4.22.3, and Zabbix 7.0.16 LTS, ensuring the entire distribution is secure and current.
You can get IPFire 2.29 Core Update 197 now. For new installations, download the x86_64 or AArch64 ISO/USB images from the official website. Upgrade existing systems directly using the built-in update function. See the official release announcement for the full details.
