This wiki is a community-maintained resource about everything there is to know about IPFire. Join us and help us improving it!
Use the search and find answers to everything about IPFire. If you cannot find what you are looking for, join our community and talk to fellow IPFire users, developers and everybody else involved in the project.
There is a new GUI which will show you for which attacks your hardware is vulnerable and if mitigations are in place.
Because of the recent vulnerabilities in Intel processors, the IPFire team has decided, that - to keep systems as secure as possible - Simultaneous Multi-Processing (SMT) is automatically disabled if the processor is vulnerable to one of the attacks.
SMT is also called Intel(R) Hyper-Threading Technology and simulates more virtual cores than the system has. This allows to perform faster processing when applications benefit from it. Unfortunately with networking, we benefit from that. Therefore the effect of disabling SMT will be a very signifiant performance impact of around 30% or more. Applications that will be affected in IPFire are the firewall throughput itself as well as other CPU and memory-bound tasks like the web proxy and the Intrusion Prevention System. On systems that are not vulnerable for this attack, SMT is being left enabled. If you still want to disable it, please do so in the BIOS of your firewall.
We think that this step is inevitable to keep all IPFire systems secure. The mitigations that have been provided by the Linux kernel developers and the microcode updates that have been provided by Intel are not enough to close this vulnerability. Indeed the underlying hardware is broken and cannot be fixed.