IPFire 2.29 Core Update 201: New DNS Firewall and Mass Update Available for Testing

The IPFire project has announced the availability of a new release candidate for its firewall system. Called IPFire 2.29 Core Update 201, it can now be downloaded and tested, and it includes one of the features most anticipated by its community: its own integrated DNS firewall.

In addition to the major new feature, this update comes with a massive update of its toolchain, dozens of updated packages, and improvements across the entire system base. As this is a beta version, the developers invite users with non-production machines to test it and report issues to help refine the stable release.

IPFire 2.29 Core Update 201: Goodbye to URL filtering, hello DNS Firewall

The highlight of this version is, without a doubt, the new DNS Firewall. This feature transforms IPFire from a simple network guardian into an active threat eliminator. It works transparently: it sits within the DNS proxy and evaluates each query against the DBL blocklist (maintained and updated by the project) before the response reaches the client. If a domain is blocked, the client receives an NXDOMAIN response, as if the domain didn't exist, preventing any malicious connections.

The advantages are remarkable. The DNS Firewall completely replaces the old URL Filter (which required complex configuration on clients) and eliminates the need for external solutions like Pi-hole. Because it's integrated into the firewall, it requires no additional hardware or configuration on network devices, and it leverages the fact that all DNS traffic already passes through IPFire. Blocklist updates are delivered via IXFR (Incremental DNS Zone Transfers) directly to the proxy, ensuring automatic and efficient hourly updates.
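The query-time decision described above, sketched at the DNS wire-format level as an added example (this is not IPFire's code). The function names and the sample blocklist are constructed for illustration, and it assumes that a listed domain also covers its subdomains, which the announcement does not state.

```python
import struct

# Constructed sample blocklist; the real DBL contents are not shown on the page.
BLOCKLIST = {"malware.example", "tracker.example.net"}

def build_query(name, qid=0x1234, qtype=1):
    """Encode a minimal DNS query (RD set, one question, class IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_qname(msg):
    """Return (lowercased query name, offset just past the question section)."""
    labels, pos = [], 12  # the DNS header is always 12 bytes
    while True:
        length = msg[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("unexpected label type in query name")
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    return ".".join(labels), pos + 1 + 4  # skip root label, QTYPE, QCLASS

def is_blocked(name, blocklist=BLOCKLIST):
    """Assumption: a listed domain also blocks every name beneath it."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def filter_query(msg):
    """Return an NXDOMAIN reply for a blocked name, or None to resolve normally."""
    name, end = parse_qname(msg)
    if not is_blocked(name):
        return None
    qid, qflags = struct.unpack("!HH", msg[:4])
    # QR=1 (response), RD copied from the query, RA=1, RCODE=3 (NXDOMAIN)
    flags = 0x8000 | (qflags & 0x0100) | 0x0080 | 0x0003
    # Echo the question unchanged; answer, authority and additional counts are 0.
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + msg[12:end]

def rcode(msg):
    """Extract the 4-bit response code from a DNS message header."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F
```

Because the reply is indistinguishable from a genuinely nonexistent name, a client-side test can only confirm blocking by comparing the answer for a known-listed domain against an unfiltered resolver.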

In addition to this flagship feature, update 201 includes a long list of improvements:

  • Intrusion Prevention System (IPS): Now allows you to configure different recipients for daily, weekly, and monthly reports.
  • RISC-V Architecture: The kernel configuration for experimental compilation on these devices has been updated.
  • Network Installer: Allocates more disk space when booting from the network to accommodate the larger size of the ISO.
  • Cleanup: Obsolete Rust packages and the `7zip` add-on (due to lack of maintenance) have been removed, reducing the attack surface.
  • Toolchain update: The system base has been updated with glibc 2.43 and GNU binutils 2.46.0, improving hardware support and overall security.
  • Updated packages: New versions of essential components are included, such as OpenSSL 3.6.1, OpenVPN 2.6.19, BIND 9.20.20, Samba 4.23.5, and many others. The complete list also includes iptables, vim, git, nano, and archiving tools.

This is an opportunity for the community to contribute by testing the new functionality and reporting any problems on the official forum or the project's issue tracker.