IPFire 2.29 Core Update 200 introduces a new LTS kernel, a major leap in performance, stability, and modern security mitigations

  • The system debuts IPFire DBL, a new domain blocklist engine integrated with the proxy and IPS to strengthen filtering.
  • Advanced networking capabilities are added, such as WiFi 7/6 support, LLDP/CDP, and an improved IPS with automatic signature cleaning and expanded reporting.
  • Major ecosystem update: new versions of OpenVPN, OpenSSL, Unbound, Suricata, and numerous essential packages and add-ons.

IPFire 2.29 core update 200

The arrival of IPFire 2.29 Core Update 200 marks a turning point in the evolution of this open-source firewall and router distribution. It is a major update that introduces a modern kernel, strengthens security, improves network performance, and refreshes a large number of packages and plugins. It also adds cutting-edge technologies such as WiFi 7 and advanced network discovery support.

This Core Update is not limited to “minor patches”; it is a release loaded with structural changes: a new domain blocklist system (IPFire DBL), significant improvements to Suricata and the IPS reporting system, major changes to OpenVPN, a proxy hardened against recent vulnerabilities, native support for LLDP/CDP, and a long list of updated libraries and tools, all while maintaining IPFire's focus on stability, security, and ease of administration through the web interface.

IPFire 2.29 Core Update 200: New IPFire kernel and platform changes

One of the cornerstones of this release is the IPFire kernel update. The main system branch has moved to Linux 6.18.x LTS, which brings a wave of improvements in security, performance, and hardware compatibility. The 6.18 LTS line includes accumulated stability fixes, current security patches, and optimizations that reduce latency and improve packet filtering performance, which is especially relevant in high-traffic scenarios or setups with many firewall and NAT rules.

The new kernel brings general improvements in network performance: higher throughput, lower latency, and more advanced packet filtering capabilities. It also integrates the latest mitigations against recent hardware vulnerabilities, strengthening protection against attacks that exploit flaws in modern CPUs. This is crucial in environments where IPFire is used as a perimeter firewall or in critical infrastructure with high security requirements.

This transition also involves an important decision: support for the ReiserFS file system has been removed. The Linux kernel itself has marked this technology as obsolete, and the IPFire project has followed suit. If your current IPFire installation uses ReiserFS, you will not be able to apply Core Update 200 directly; instead, you will have to perform a clean reinstall using a supported file system (such as ext4, XFS, or others supported by recent IPFire images). The web interface has been warning users about this for some time, so the restriction is not entirely unexpected.

IPFire DBL: New domain blocklist in IPFire 2.29 Core Update 200

Since the famous Shalla list became unavailable, IPFire's web proxy had been left without a stable source of domains for filtering malicious content, social media, or adult websites. Given the lack of truly comprehensive and maintained alternatives, the IPFire team has decided to create and maintain its own domain blocklist: IPFire DBL.

IPFire DBL is in an early beta phase, but it can already be used in two key points of the system:

  • Proxy URL filter: the administrator can select IPFire DBL as the source of domains to block. Any access passing through the HTTP/HTTPS proxy is then checked against the list, preventing access to categories of potentially dangerous or unwanted sites.
  • Integration with Suricata (IPS): with the arrival of IPFire DBL, the project also becomes a rule provider for Suricata. By combining the domain database with deep packet inspection (DNS, TLS, HTTP, QUIC), the IPS can block connections to prohibited domains more thoroughly, even when they bypass the traditional proxy.

Although the database is still growing, the intention is to offer IPFire users a robust, up-to-date, and specifically designed blocklist to integrate with the firewall ecosystem. The team encourages the community to test it, report problems, and provide suggestions for refining it in future versions, where significant improvements and new capabilities are expected.

IPFire 2.29 Core Update 200 introduces improvements to the intrusion prevention system (IPS)

The Suricata-based IPS is receiving a series of significant changes aimed at improving the performance, reliability, and usefulness of its reports. A previous update introduced the ability to store the precompiled signatures in cache to speed up Suricata's loading. However, that cache could grow uncontrollably and take up too much disk space.

To correct this behavior, Core Update 200 incorporates a patch that allows Suricata to automatically remove unused signatures from the cache. This keeps the benefit of fast start-up times without compromising long-term storage, which is crucial for devices with small disks or dedicated appliances.

The reporting component (suricata-reporter) has also been expanded: for alerts related to DNS, HTTP, TLS or QUIC, additional information such as the hostname and other relevant details is now added. This information appears in both alert emails and PDF reports, helping administrators investigate potential security incidents or corporate policy violations more accurately.
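The enrichment described above, as an added example that is not IPFire's or suricata-reporter's own code: it pulls the hostname out of the protocol block Suricata attaches to an EVE JSON alert, choosing the field by application protocol. The EVE field names (http.hostname, tls.sni, quic.sni, dns.query[].rrname and dns.rrname) are assumed from Suricata's EVE schema, and the log lines and rule names are constructed samples.

```python
"""Extract a hostname from Suricata EVE alerts for DNS, HTTP, TLS and QUIC.

Added example, not IPFire's or suricata-reporter's own code. EVE field names
are assumed from Suricata's EVE JSON schema; the sample lines are constructed.
"""
import json
from typing import Iterable, List, Optional, Tuple


def hostname_for_alert(event: dict) -> Optional[str]:
    """Return the hostname relevant to an alert, or None if not available."""
    if event.get("event_type") != "alert":
        return None
    proto = event.get("app_proto")
    if proto == "http":
        return (event.get("http") or {}).get("hostname")
    if proto in ("tls", "quic"):
        # Both TLS and QUIC expose the requested server name as "sni".
        return (event.get(proto) or {}).get("sni")
    if proto == "dns":
        dns = event.get("dns") or {}
        # Older EVE alerts embed a list of queries; newer ones a single record.
        queries = dns.get("query")
        if isinstance(queries, list) and queries:
            return queries[0].get("rrname")
        return dns.get("rrname")
    return None  # protocols without a hostname concept (e.g. ssh, smb)


def enrich_alerts(lines: Iterable[str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Parse EVE lines and return (signature, src_ip, hostname) per alert."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line instead of aborting the report
        if event.get("event_type") != "alert":
            continue  # flow, stats and other event types are not reported
        signature = event.get("alert", {}).get("signature", "")
        rows.append((signature, event.get("src_ip"), hostname_for_alert(event)))
    return rows


# Constructed sample EVE log: four alerts (one per protocol) and one flow record.
SAMPLE_EVE = """
{"timestamp":"2026-01-10T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"203.0.113.7","app_proto":"dns","alert":{"signature":"Example blocklist rule (DNS)"},"dns":{"query":[{"rrname":"blocked.example","rrtype":"A"}]}}
{"timestamp":"2026-01-10T10:00:01.000000+0000","event_type":"alert","src_ip":"10.0.0.6","dest_ip":"203.0.113.8","app_proto":"http","alert":{"signature":"Example blocklist rule (HTTP)"},"http":{"hostname":"blocked.example","url":"/"}}
{"timestamp":"2026-01-10T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"203.0.113.9","app_proto":"tls","alert":{"signature":"Example blocklist rule (TLS)"},"tls":{"sni":"blocked.example","version":"TLS 1.3"}}
{"timestamp":"2026-01-10T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.8","dest_ip":"203.0.113.10","app_proto":"quic","alert":{"signature":"Example blocklist rule (QUIC)"},"quic":{"sni":"blocked.example","version":"v1"}}
{"timestamp":"2026-01-10T10:00:04.000000+0000","event_type":"flow","src_ip":"10.0.0.9","dest_ip":"203.0.113.11","app_proto":"ssh"}
"""

if __name__ == "__main__":
    for signature, src, host in enrich_alerts(SAMPLE_EVE.splitlines()):
        print(f"{src:<12} {host or '-':<20} {signature}")
```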

In addition to these changes, a recent update shortly before Core Update 200 introduced improvements in how the IPS is managed in the event of failures. On systems with limited memory, it was observed that if Suricata crashed or was terminated by the system to free up RAM, the firewall could be left more open than desired, exposing internal services. Although no actual attacks exploiting this behavior were observed, it was considered a significant security risk.

To mitigate this, a watchdog process now supervises the IPS and restarts it if it detects an unexpected exit. Whitelisted traffic is no longer handed to the IPS only to be excluded there; it is now skipped directly in the iptables chain, improving performance and reducing complexity. The ability to filter IPsec traffic has also been added: previously, this traffic was excluded from IPS analysis except in a few specific cases, and it can now be inspected whenever it is routed through the configured interfaces.

A new performance chart has been added to the IPS web interface. It shows the processed traffic divided into three categories: scanned traffic (incoming and outgoing), whitelisted traffic, and bypassed traffic. This provides a clear view of actual IPS usage and allows for more informed rule and policy adjustments.

OpenVPN: Changes in configuration and authentication

The OpenVPN module in IPFire receives a significant set of tweaks to make client and server configuration more flexible and aligned with current best practices. Starting with this version, client configuration files no longer include a fixed MTU value; instead, the server pushes the appropriate MTU to each client, allowing the administrator to change this value without having to regenerate all user configurations. Note that some very old clients may not fully understand this behavior.

If two-step authentication with OTP is used, a one-time token is now sent from the server when the client has OTP enabled. This centralizes the logic on the server side, avoiding inconsistencies and simplifying the management of temporary credentials.

Furthermore, client profiles no longer include the certification authority (CA) certificate embedded outside the PKCS#12 container. Previously, this could cause problems when importing connections with tools such as NetworkManager from the command line, due to duplicate certificates. Since the CA is already included in the PKCS#12 file, this redundancy has been eliminated to simplify the process and prevent errors.

More settings have been added to the roadwarrior server configuration. When an OpenVPN server continues to use ciphers considered legacy, IPFire now highlights this to warn the administrator that migrating to more modern suites would be advisable. It also allows pushing multiple DNS and WINS servers to clients, which is very useful in complex networks where several internal domains or specific name servers coexist.

The OpenVPN server now always runs in multi-home mode, which makes sense on a firewall with multiple interfaces: it ensures that the server responds to clients from the same IP address they originally connected to, even if the machine has multiple paths to the internet or internal networks. A bug that prevented the first custom route defined for clients from being pushed correctly has also been fixed, and the OTP authentication flow has been improved to prompt the client to complete the second factor if it gets stuck.

Finally, the auth-nocache option has been removed from the client configurations, as its actual effect was practically nil and in practice it created a false sense of security. With these changes, OpenVPN in IPFire is more in line with current best practices and makes life easier for administrators.

WiFi 7 and WiFi 6: a generational leap in wireless networks

One of the most striking aspects of this update is that IPFire finally takes full advantage of the capabilities of WiFi 7 (802.11be) and WiFi 6 (802.11ax) in its role as a wireless access point. Although the hardware could already function before, the new features of these standards are now exposed and properly managed.

In the wireless settings you can choose the preferred WiFi mode and let IPFire handle the rest. The system adds full support for 802.11be and 802.11ax, alongside the already supported 802.11ac/a/g/n modes. This includes the use of channels up to 320 MHz wide, enabling bandwidths of over 5.7 Gbps with two spatial streams or up to approximately 11.5 Gbps with four streams, all wirelessly. These figures obviously depend on the hardware and radio environment, but the support is there and ready to take full advantage of the latest generation of equipment.

IPFire now automatically detects the advanced capabilities of the WiFi hardware. What previously had to be configured manually as “HT Capabilities” and “VHT Capabilities”, a tedious and error-prone process, is now handled internally. The system automatically enables all the features supported by the device (MU-MIMO, wide channels, etc.), resulting in more stable, faster, and easier-to-manage wireless networks.

In environments where WPA2 or even WPA1 are still in use, IPFire now allows the use of SHA256 in the authentication process to strengthen the handshake for clients that cannot work with WPA3. In addition, SSID protection is enabled by default: if protected management frames (802.11w) are in use, the system automatically enables beacon protection and operating channel validation, hindering certain attacks that manipulate network signaling.

To improve airtime efficiency, multicast packets are converted to unicast by default when the network consists primarily of modern, high-speed clients. This technique reduces airtime wasted on traditional multicast traffic and improves the overall experience, especially in dense networks. If the hardware allows it, radar detection (required for DFS in certain bands) is performed in the background, preventing any noticeable disruption to the WiFi service.

Although the web interface form has not changed radically, most of the magic happens behind the scenes, optimizing parameters and maximizing hardware performance. On the Lightning Wire Labs appliances that ship with IPFire, these capabilities are activated automatically, so users of those devices will see the improvements without having to touch the settings much.

Support for LLDP and Cisco Discovery Protocol

Core Update 200 natively incorporates support for the Link Layer Discovery Protocol (LLDP) and Cisco Discovery Protocol version 2 (CDPv2). These protocols allow IPFire to advertise itself and discover devices at layer 2 on directly connected segments, which is very useful in complex network infrastructures.

Thanks to LLDP/CDP, the firewall can identify which switch ports it is connected to; conversely, switches and monitoring tools can clearly see IPFire's location on the network map. This integrates seamlessly with platforms such as Observium and other network mapping and monitoring systems, simplifying the management of large environments with numerous VLANs, trunk links, and distributed equipment.

The functionality is activated and configured from the web interface, in the Network → LLDP section, where you can decide on which interfaces the protocol is enabled, what information is advertised, and how the data is integrated with the rest of the network configuration.

DNS, PPP and other core services in IPFire 2.29 Core Update 200

IPFire's Unbound-based DNS proxy has also received a significant upgrade. Instead of running single-threaded, Unbound now launches one thread per CPU core. This takes advantage of the multi-core processors so common nowadays and reduces DNS response times under load, which is noticeable in environments with many clients or many simultaneous requests.

On PPP access connections (such as some DSL, 4G, or 5G lines), IPFire now sends LCP keep-alive packets only when there is no real traffic on the line. This small change slightly reduces the load on the connection, which is especially appreciated on mobile links with more limited resources or strict data limits.

A visual detail has been fixed in the administration interface: the DNS page now consistently displays the legend for the represented elements, avoiding confusion when interpreting the status of the servers, resolutions, or configured working modes.

Web proxy and recent security

The HTTP/HTTPS proxy component has received security-focused changes. A specific mitigation against CVE-2025-62168 has been added to the proxy configuration, strengthening protection against attack patterns related to that CVE. This way, users of IPFire's transparent or authenticated proxy benefit from additional measures without having to manually modify configuration files.

A race condition in the URL filter process has also been fixed. Under certain circumstances, while compiling the filtering databases, the process could be abruptly terminated, causing temporary failures or inconsistencies. With the fix included in Core Update 200, the compilation of the lists is performed more robustly, minimizing the risk of the filtering process becoming inoperative during updates.

Web interface and administration experience

The IPFire web interface has undergone several usability improvements and bug fixes. A problem in the firewall section that prevented the creation of new location groups has been resolved; this is a very useful function for grouping countries or regions and applying rules based on geolocation.

In the hardware vulnerabilities section, the message displayed when the system does not support SMT (Simultaneous Multithreading) has been reworded, clarifying for the administrator why certain mitigations or security states appear the way they do. Additionally, a bug in the email module has been fixed whereby credentials containing certain special characters could become "corrupted" when stored, causing authentication errors with external mail servers.

Security updates: OpenSSL, glibc and more

In terms of critical libraries, OpenSSL is updated to version 3.6.1 and multiple vulnerabilities are patched, including CVE-2025-11187, CVE-2025-15467, CVE-2025-15468, CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, and CVE-2026-22796. This cascade of CVEs gives an idea of the cryptographic hardening work included in this version.

The glibc standard library has also been patched against several relevant vulnerabilities: CVE-2026-0861, CVE-2026-0915 and CVE-2025-15281. As it is a central component of the entire system, keeping it updated and corrected is essential to reduce the attack surface and ensure that applications benefit from the latest fixes.

Major update to core packages and components

Core Update 200 brings a flood of updated packages. Among the most notable are: Apache 2.4.66, bash 5.3p9, BIND 9.20.18, coreutils 9.9, cURL 8.18.0, dhcpcd 10.3.0, elinks 0.19.0, glib 2.87.0, GnuPG 2.4.9, GnuTLS 3.8.11 and many other graphics and system libraries such as harfbuzz 12.3.0, hwdata 0.403, iana-etc 20251215, intel-microcode 20251111 and libarchive 3.8.5.

Also updated are libcap-ng 0.9, libgpg-error 1.58, libidn2 2.3.8, libjpeg 3.1.3, libpcap 1.10.6, libplist 2.7.0, libpng 1.6.53, libtasn1 4.21.0, liburcu 0.15.5 and libxcrypt 4.5.1, as well as volume and RAID management tools such as LVM2 2.03.38 and mdadm 4.5. New versions of memtest (8.00), meson (1.10.1), newt (0.52.25), ninja (1.13.2), oath-toolkit (2.6.13), OpenVPN (2.6.17), OpenSSL (3.6.1 in the base stack), SQLite (3.51.100), tzdata (2025c), readline (8.3p3), strongSwan (6.0.4), suricata (8.0.3), suricata-reporter (0.6), Rust (1.92.0), Unbound (1.24.2), wireless-regdb (2025.10.07), vim (9.1.2098) and xz (5.8.2) are also included.

As for add-ons, alsa 1.2.15.3, ClamAV 1.5.1, dnsdist 2.0.2, fetchmail 6.6.0, gdb 17.1, Git 2.52.0, fort-validator 1.6.7, freeradius 3.2.8, libtpms 0.10.2, opus 1.6.1, postfix 3.10.6, samba 4.23.4, strace 6.18, tmux 3.6a, Tor 0.4.8.21 and tshark 4.6.3 have also been updated. Taken together, this update package provides security improvements, support for new protocols, compatibility with modern hardware, and bug fixes distributed across the entire stack.

Featured add-ons: arpwatch, ffmpeg, and others

Among the additional features included with IPFire, arpwatch stands out as a new add-on. This tool monitors MAC addresses on the network and can alert you to suspicious changes (for example, when an IP address becomes associated with a different MAC address). The included version corrects an issue with the sender envelope in emails, which caused some mail servers to reject messages. Now a correct sender address is used, and MAC addresses are always displayed with zero padding, improving the readability of the reports.

The ffmpeg package is updated to version 8.0 in the add-on suite. It has been recompiled and relinked against OpenSSL and the LAME library, restoring the ability to stream from external sources over HTTPS and to encode MP3. This facilitates the use of IPFire as an integration point for multimedia solutions that need to play or forward secure content.

Other add-ons that are being updated include dnsdist 2.0.1, fetchmail 6.5.7, hostapd with recent revisions (f747ae0), libmpdclient 2.23, mpd 0.24.5, mympd 22.1.1, nano 8.7, openvmtools 13.0.5, Samba 4.23.2, shairport-sync 4.3.7, Tor 0.4.8.19, tshark 4.6.1 and zabbix_agentd 7.0.21 LTS. These versions correct bugs, add support for new features, and adjust compatibility with modern versions of base libraries.

With all these changes, IPFire 2.29 Core Update 200 consolidates its position as a mature, secure firewall platform ready for next-generation hardware and standards. From WiFi 7 to the latest kernel versions and cryptographic components, IPFire is compatible with a wide range of technologies. Those who already rely on IPFire to protect home or business networks will find in this version a significant leap in performance, network visibility, and filtering capabilities, supported by an active community and a development cycle that continues to incorporate constant improvements in security and support.
