The upcoming release IPFire 2.25 - Core Update 155 is available for testing. It comes with important security fixes for the NAT Slipstreaming attack which might require attention if you are currently using the Application Layer Gateways for SIP or FTP.

Mitigating NAT Slipstreaming

Peter has recently announced our measures against NAT Slipstreaming. Through feedback from the community, we have seen that most people are not affected by these changes.

We are going to disable and remove support for all Application Layer Gateways. This includes SIP, FTP, H.323, IRC, PPTP and TFTP. They will be automatically disabled on systems that install this update and will no longer be available.

Spanning Tree Protocol support in Zone Configuration

The zone configuration allows configuring Spanning Tree Protocol (STP) for bridges. Since it is possible add multiple interfaces to the same bridge, it becomes a danger that loops are being created on the network. STP avoids those by disabling bridge ports when a loop is being detected.

Zone Configuration with STP


  • The wireless client configuration is now processing priorities correctly. Before, wireless networks were prioritised in the opposite order
  • The QoS graphs will now have consistent colours in the downstream and upstream direction
  • The Update Accelerator "Passive Mode" option has been clarified
  • OpenSSL has been updated to 1.1.1j which fixes three security vulnerabilities: CVE-2021-23841, CVE-2021-23839 & CVE-2021-23840
  • New packages: PCRE2, which is an improved version of PCRE, implementing Perl-compatible Regular Expressions
  • Updated packages: attr 2.4.48, autoconf 2.71, bind 9.11.28, freetype 2.10.4, iproute2 5.11.0, ipset 7.11, lcms2 2.12, libgcrypt 1.9.2, libhtp 0.5.37, libffi 3.3, libxcrypt 4.4.17 which replaces libcrypt which came bundled with glibc, lz4 1.9.3, lzo 2.10, mpage 2.5.7, net-tools 2.10, nettle 3.7.1, openssh 8.5p1, Python 3.8.7, qpdf 10.3.0, rust 1.50, sqlite3 3.34.1, squid 4.14, suricata 5.0.6, sysvinit 2.98, tar 1.34, tcl 8.6.11, unbound 1.13.1, wget 1.21.1
  • IPFire can experimentally be compiled for RISC-V for 64bit
  • Various older versions of operating system libraries have been removed. They were needed to keep older programs compatible without need of recompiling them. Those were: Berkeley DB, GMP, libjpeg, PCRE, readline
  • On i586, SSE2-optimised versions of performance-critical libraries have been dropped. This affects GMP and OpenSSL, which might result in lower VPN throughput with OpenVPN on affected systems. Support for this will be removed with the next release of glibc.
  • The unattended installer started in regular mode on serial consoles
  • Roberto Peña has contributed Spanish translation for the Captive Portal


  • Updated packages: elfutils 0.183, hplip 3.21.2, fireperf 0.2.0, krb5 1.19.1, mc 4.8.26, monit 5.27.2, nano 5.6, nagios_nrpe 4.0.3, nagios-plugins 2.3.3, stunnel 5.58, tor, tshark 3.4.3