IPFire Releases Major Update: Core Update 200 Marks a New Milestone
The open-source network firewall distribution IPFire has released Core Update 200 for IPFire 2.29, the 200th numbered Core Update of the IPFire 2 line. The release rebases the kernel, introduces the beta of the IPFire Domain Blocklist, ships security fixes for OpenSSL and glibc, and updates a number of bundled components.
The kernel is rebased on Linux 6.18.7 LTS, which brings the current hardware security mitigations along with improvements to network throughput and latency. ReiserFS, which upstream Linux has dropped, is no longer supported: installations whose filesystem is ReiserFS cannot apply this update and must be reinstalled on a supported filesystem first.
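A pre-flight check for that ReiserFS caveat, written for this article rather than taken from the IPFire update scripts: it scans a /proc/mounts-style file and reports any mounted ReiserFS filesystems, returning a non-zero status so it can gate an update run. The sample mount table is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not IPFire project code): find mounted ReiserFS filesystems
# before applying Core Update 200, whose Linux 6.18 kernel has no ReiserFS.
# Reads a /proc/mounts-style file; defaults to the live /proc/mounts.

# Print "device mountpoint" for every reiserfs entry in the given file.
# Returns 1 if any were found (so it can gate an update script), 0 otherwise.
reiserfs_mounts() {
    mounts="${1:-/proc/mounts}"
    awk '$3 == "reiserfs" { print $1, $2; found = 1 }
         END { if (found) exit 1; exit 0 }' "$mounts"
}

# Constructed sample in /proc/mounts format (device, mountpoint, fstype,
# options, dump, pass), used here instead of the live file.
SAMPLE_MOUNTS=$(mktemp)
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda3 / reiserfs rw,relatime 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdb1 /var/log reiserfs rw,noatime 0 0
EOF

if reiserfs_mounts "$SAMPLE_MOUNTS"; then
    echo "no ReiserFS mounts: safe to apply the update"
else
    echo "ReiserFS still in use: reinstall on a supported filesystem before updating" >&2
fi
rm -f "$SAMPLE_MOUNTS"
```

Run it without an argument on the firewall itself to check the live mount table; the two ReiserFS lines in the sample make the function print both and return 1.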
Introduction of IPFire DBL
Among the new features is the debut of the IPFire Domain Blocklist (DBL), a service created to replace the retired Shalla list that had been the backbone of the web proxy's URL filtering, with categories for malware, social networking and adult content. The DBL is available in two forms: as a URL filter blocklist for proxy-based blocking, and as a source of Suricata rules for the IPS. The second form lets the firewall match a listed domain directly in DNS, TLS, HTTP and QUIC traffic, so connections that never pass through the proxy are covered as well.
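To show what "a domain list as Suricata rules" looks like in practice, here is an added example (not the DBL feed or IPFire's own rule generator) that turns a plain domain list into one rule per protocol. Each rule uses Suricata's dotprefix transform with endswith, so ".example.com" matches example.com and any subdomain but not notexample.com; the SID range, message prefix and default drop action are this example's assumptions, and the sample domain file is constructed.

```shell
#!/bin/sh
# Added example (not IPFire's DBL code): generate Suricata rules from a domain
# blocklist, matching the domain in DNS queries, TLS SNI, HTTP Host and QUIC
# SNI. "dotprefix" prepends a dot to the inspected buffer, so
# content:".example.com"; endswith; matches the domain and its subdomains
# only. SID base and the "drop" default are assumptions for this example;
# use "alert" as the third argument for monitor-only rules.

# Usage: dbl_rules DOMAIN_FILE SID_BASE [ACTION]
# DOMAIN_FILE: one domain per line; '#' comments and blank lines are ignored.
# Prints four rules per domain with consecutive SIDs starting at SID_BASE.
dbl_rules() {
    awk -v sid="$2" -v action="${3:-drop}" '
        /^[[:space:]]*(#|$)/ { next }
        {
            d = tolower($1)
            sub(/\.$/, "", d)          # strip trailing dot of FQDN notation
            emit("dns",  "dns.query", d)
            emit("tls",  "tls.sni",   d)
            emit("http", "http.host", d)
            emit("quic", "quic.sni",  d)
        }
        # nocase matters for DNS, where resolvers randomise query case
        function emit(proto, buf, dom) {
            printf "%s %s any any -> any any (msg:\"DBL %s %s\"; %s; dotprefix; content:\".%s\"; endswith; nocase; sid:%d; rev:1;)\n",
                   action, proto, proto, dom, buf, dom, sid++
        }
    ' "$1"
}

# Constructed sample blocklist for the demonstration.
SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
# malware category, constructed entries
Example.COM
bad.example.net.
EOF

dbl_rules "$SAMPLE_LIST" 9000001
rm -f "$SAMPLE_LIST"
```

The sample yields eight rules, SIDs 9000001 to 9000008, with the domains lower-cased and the trailing dot removed. Because a drop rule only blocks when Suricata runs inline, the action should match how the IPS is deployed.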
The project describes DBL as a beta and is asking for community feedback to refine it. A planned next step is a DNS firewall with native content filtering.
Enhancements to Suricata and IPS
The update also fixes problems in Suricata. A bug introduced in an earlier release let the cache of pre-compiled signatures grow without bound and consume considerable disk space; a backported patch now makes Suricata clean up cached signatures that are no longer used. The Suricata reporter has also been changed to make alerts clearer, showing the hostname and additional protocol metadata for DNS, HTTP, TLS and QUIC connections, which gives administrators more context when investigating a possible policy violation.
Adjustments in OpenVPN Configuration
Several behaviours of the generated OpenVPN client configurations have changed. MTU values, previously hard-coded in the client file, are now pushed by the server, so administrators can adjust them after clients have been deployed. When one-time password (OTP) authentication is enabled, the OTP settings are likewise served from the server. The CA certificate is no longer written into the client configuration file, because it is already contained in the PKCS#12 container; the duplicate had caused import failures in NetworkManager.
Improvements to DNS Proxy and Wireless Access Point
The DNS proxy, Unbound, now runs multi-threaded with one thread per CPU core instead of a single thread. This should noticeably reduce response times under heavy query load.
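As an added example of the settings that go with a per-core thread model (generic Unbound configuration written for this article, not the unbound.conf that IPFire generates and manages itself): Unbound's documentation advises keeping the cache slab counts at a power of two close to num-threads so that threads contend less for cache locks, so the snippet derives the slab count from the thread count. Defaulting threads to the core count is this example's choice.

```shell
#!/bin/sh
# Added example (not IPFire's generated unbound.conf): print the server:
# settings for one Unbound thread per core, with cache slab counts rounded
# up to the next power of two as unbound.conf(5) recommends. Defaults are
# this example's assumptions; IPFire writes its own configuration.

# Smallest power of two that is >= the argument.
next_pow2() {
    p=1
    while [ "$p" -lt "$1" ]; do p=$((p * 2)); done
    echo "$p"
}

# Usage: unbound_threads_conf [THREADS]; THREADS defaults to the core count.
unbound_threads_conf() {
    threads="${1:-$(nproc 2>/dev/null || echo 1)}"
    slabs=$(next_pow2 "$threads")
    cat <<EOF
server:
    num-threads: $threads
    msg-cache-slabs: $slabs
    rrset-cache-slabs: $slabs
    infra-cache-slabs: $slabs
    key-cache-slabs: $slabs
EOF
}

unbound_threads_conf
```

On a six-core machine this prints num-threads: 6 with all slab counts at 8; on four cores both are 4.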
Several wireless access point bugs are fixed as well. Support for 802.11a/g, unintentionally dropped in an earlier release, has been restored; hostapd no longer logs excessively when debugging is enabled; and pre-shared keys (PSKs) containing special characters are now accepted.
Security Patches
OpenSSL has been updated to 3.6.1, which fixes twelve security vulnerabilities, among them CVE-2025-11187 and CVE-2025-15467. glibc also received patches for several CVEs, including CVE-2026-0861 and CVE-2025-15281.
Updated Component Versions
This release features notable updates to various core components of IPFire, including Apache 2.4.66, BIND 9.20.18, cURL 8.18.0, OpenVPN 2.6.17, strongSwan 6.0.4, Suricata 8.0.3, Unbound 1.24.2, ClamAV 1.5.1, Samba 4.23.4, and Tor 0.4.8.21.
Core Update 200 thus combines a kernel rebase, the DBL beta, Suricata and OpenVPN fixes and security updates to OpenSSL and glibc. Administrators should apply it promptly, after checking that no installation still runs on ReiserFS, and can help shape the DBL by reporting results from the beta.
