Another update is available for testing: IPFire 2.25 - Core Update 156. As usual for this time of the year, it is a spring cleaning release that updates lots of software and brings an exciting new feature: Live Graphs.

Please help us test this release by providing feedback and reporting any new bugs to our bugtracker. You can also support development with your donation.

Live Graphs

Our beautiful graphs are now updating themselves. You can now leave your browser tab open and see bandwidth or CPU usage and everything else always being up to date:

Latency Graph


  • Networking: Interfaces in bridges are now numbered and renamed to mark which bridge they belong to
  • Support for macvtap has been dropped - Please use bridges instead
  • Alexander Marx has fixed a bug where copied firewall rules showed an incorrect source port (#12479)
  • The kernel's BPF JIT hardening has been enabled
  • Instructions helping users to restore their backup correctly have been added
  • Thomas Cekal has contributed a fix for IPFire getting stuck at boot on Hyper-V
  • All alternative themes for the web user interface have been dropped
  • Adolf Belka and Matthias Fischer have updated loads of packages of the core system: acl 2.3.1, attr 2.5.1, bind 9.11.28, bison 3.7.6, bzip2 1.0.8, cmake 3.20, crda 4.14, diffutils 3.7, ed 1.17, gawk 5.1.0, gettext 0.21, gmp 6.2.1, gperf 3.1, grep 3.6, jQuery 3.6.0, libcap 2.49, libloc 0.9.6, libmpc 1.2.1, libnfsidmap 0.27, libpcap 1.10.0, libstatgrab 0.92, libtirpc 1.3.1, mcelog 175, nettle 3.7.2, openssl 1.1.1k, parted 3.4, Perl 5.32.1, perl-Carp-Clan 6.08, perl-Date-Calc 6.4, perl-Date-Manip 6.85, perl-File-Tail 1.3, perl-MIME-Base64 3.16, perl-Net-DNS 1.30, perl-Net-SMTP-SSL 1.04, pigz 2.6, poppler 0.89.0, rust 1.51, strace 5.11, strongswan 5.9.2, sudo 1.9.6p1, swig 4.0.2, sysbench 1.0.20 (no longer available on armv5tel), sysvinit 2.99, zstd 1.4.9


  • Updated packages: clamav 0.103.2, git 2.31.0, monit 5.28.0, mpc 0.33, nfs 2.5.3, libmpdclient 2.19, rpcbind 1.2.5, samba 4.13.7, speedtest-cli 2.1.3, swatch 3.2.4, tcpdump 4.99.0, Tor

The upcoming release IPFire 2.25 - Core Update 155 is available for testing. It comes with important security fixes for the NAT Slipstreaming attack which might require attention if you are currently using the Application Layer Gateways for SIP or FTP.

Mitigating NAT Slipstreaming

Peter has recently announced our measures against NAT Slipstreaming. Through feedback from the community, we have seen that most people are not affected by these changes.

We are going to disable and remove support for all Application Layer Gateways. This includes SIP, FTP, H.323, IRC, PPTP and TFTP. They will be automatically disabled on systems that install this update and will no longer be available.

Spanning Tree Protocol support in Zone Configuration

The zone configuration allows configuring Spanning Tree Protocol (STP) for bridges. Since it is possible to add multiple interfaces to the same bridge, there is a risk of creating loops on the network. STP avoids those by disabling bridge ports when a loop is detected.

Zone Configuration with STP


  • The wireless client configuration is now processing priorities correctly. Before, wireless networks were prioritised in the opposite order
  • The QoS graphs will now have consistent colours in the downstream and upstream direction
  • The Update Accelerator "Passive Mode" option has been clarified
  • OpenSSL has been updated to 1.1.1j which fixes three security vulnerabilities: CVE-2021-23841, CVE-2021-23839 & CVE-2021-23840
  • New packages: PCRE2, which is an improved version of PCRE, implementing Perl-compatible Regular Expressions
  • Updated packages: attr 2.4.48, autoconf 2.71, bind 9.11.28, freetype 2.10.4, iproute2 5.11.0, ipset 7.11, lcms2 2.12, libgcrypt 1.9.2, libhtp 0.5.37, libffi 3.3, libxcrypt 4.4.17 which replaces libcrypt which came bundled with glibc, lz4 1.9.3, lzo 2.10, mpage 2.5.7, net-tools 2.10, nettle 3.7.1, openssh 8.5p1, Python 3.8.7, qpdf 10.3.0, rust 1.50, sqlite3 3.34.1, squid 4.14, suricata 5.0.6, sysvinit 2.98, tar 1.34, tcl 8.6.11, unbound 1.13.1, wget 1.21.1
  • IPFire can experimentally be compiled for RISC-V for 64bit
  • Various older versions of operating system libraries have been removed. They were needed to keep older programs compatible without the need to recompile them. Those were: Berkeley DB, GMP, libjpeg, PCRE, readline
  • On i586, SSE2-optimised versions of performance-critical libraries have been dropped. This affects GMP and OpenSSL, which might result in lower VPN throughput with OpenVPN on affected systems. Support for this will be removed with the next release of glibc.
  • The unattended installer started in regular mode on serial consoles
  • Roberto Peña has contributed Spanish translation for the Captive Portal


  • Updated packages: elfutils 0.183, hplip 3.21.2, fireperf 0.2.0, krb5 1.19.1, mc 4.8.26, monit 5.27.2, nano 5.6, nagios_nrpe 4.0.3, nagios-plugins 2.3.3, stunnel 5.58, tor, tshark 3.4.3

The first update of the year will be an enormous one. We have been working hard in the lab to update the underlying operating system to harden and improve IPFire and we have added WPA3 client support and made DNS faster and more resilient against broken Internet connections.

This is probably the release with the largest number of package updates. This is necessary for us to keep the system modern and adopt any fixes from upstream projects. Thank you to everyone who has contributed by sending in patches.

If you want to help us out, please send us a donation.

DNS Resolution Improvements

The DNS proxy working inside IPFire will now reuse any TLS and TCP connections for DNS resolution making it substantially faster. Before, a TCP or TLS connection had to be opened and closed after a response was received causing a lot of overhead.

Please consider whether your setup can run DNS-over-TLS to protect your privacy.

If you had a brief outage of your Internet connection, or if any or all of the upstream name servers did not respond, the DNS proxy could stop retrying them altogether. This was due to some DoS protection being overly aggressive, which has been changed to keep trying to reach any servers that are down.

WPA3 Client Support

The previous Core Update added WPA3 support for access points. This is now being complemented by adding it for the client side, too.

If you are running your RED interface as a client to another wireless network, it can now use WPA3 to authenticate to the network and to encrypt packets. WPA2 has also been improved by optionally using SHA256 instead of SHA1 if the access point supports it.


There are a number of other changes in this release:

  • Various command injections and privilege escalations were reported by Albert Schwarzkopf in the security layer between the web user interface and the operating system. With those, an authenticated unprivileged user could gain root access to the operating system.
  • DDNS: The UI has been improved for providers that support "token authentication"
  • SSH sometimes failed to terminate when the system was shut down, which caused an unnecessary delay
  • IPsec: XFRM policy lookup has been disabled for VTI interfaces
  • Keyboard support on virtualised systems on Microsoft Hyper-V was sometimes not working and has now been fixed.
  • Various cosmetic fixes for the web user interface and various code cleanup has been conducted by Matthias and Leo.
  • Updated packages: acl 2.2.53, acpid 2.0.32, automake 1.16.3, arping 2.21, bind 9.11.26, ccache 3.7.12, curl 7.75, dbus 1.12.20, dhcpcd 9.3.4, dma 0.13, fcron 3.2.1, findutils 4.8.0, fuse 3.10.1, hyperscan 5.4.0, iproute2 5.10.0, ipset 7.10, iptables 1.8.7, iw 5.9, less 563, libassuan 2.5.4, libgcrypt 1.9.1, libgpg-error 1.41, libhtp 0.5.36, libloc 0.9.5, libseccomp 2.5.1, logrotate 3.18.0, logwatch 7.5.5, lzip 1.22, kmod 28, knot 3.0.5, newt 0.52.21, OpenSSL 1.1.1j, PAM 1.5.1, pptp 1.10.0, sed 4.8, sqlite 3.34.0, texinfo 6.7, tzdata 2021a, procps 3.3.16, sudo 1.9.5p1, unbound 1.13.0, wget 1.21


  • Updated packages: bacula 9.6.7, bird 2.0.7, c-ares 1.17.1, cifs-utils 6.12, clamav 0.103.1, cups-filters 1.28.7, ddrescue 1.25, dehydrated 0.7.0, elfutils 0.182, fireperf 0.1.0, firmware-update 20210107, flashrom 1.2, hostapd 2021-01-18, hplip 3.20.11, htop 3.0.5, iperf 2.0.14a, iperf3 3.9, kerberos 1.18.3, lvm2 2.02.187, lynis 3.0.3, minicom 2.8, monit 5.27.1, nano 5.5, p7zip 17.03, postfix 3.5.8, samba 4.13.4, screen 4.8.0, shairport-sync 3.3.7, sshfs 3.7.1, strace 5.10, stunnel 5.57, tor, tshark 3.4.2, QEMU 5.2.0, wpa_supplicant 2021-01-18

I hope everyone is doing well during lockdown. For those of you, who have some spare time, we would be glad if you could help us testing the next version of IPFire. It comes with many exciting changes...

Location Database

The location database has received significant updates that improve its accuracy. This was possible by importing more data into it and correlating it with existing data from other sources.

We have also improved performance of loading data from the database into the kernel for firewall rules which removes a class of issues where IP addresses could have matched more than one country.

Many weeks have been invested into this to optimise the database import and export algorithms to provide this functionality even on hardware that is weak on processor power and/or memory.

An Improved Intrusion Prevention System

suricata, the software the IPFire IPS is based on, has been updated to version 6.0.0. Besides stability and performance fixes it brings support for new protocols like HTTP/2, MQTT and RFB. The protocol handling for SSH and the ASN.1 parser have been improved due to being re-implemented in Rust.

Fingerprinting of TLS connections has been added to get more insight into encrypted connections.

Edit: This change has introduced some regressions and has been removed from this Core Update.

WPA3 - Making WiFi Safe Again

WPA3 is the new upcoming standard to protect wireless connections and is now supported in IPFire. It can be enabled together with WPA2 so that you can support any devices that do not support WPA3, yet.

WiFi can also be made more secure by optionally enabling Management Frame Protection, which hardens the network against attackers that try to de-authenticate stations and thereby cause a denial of service on your network.

Another Intel Security Vulnerability

We have of course spent a lot of our valuable development time on this month's security issues created by Intel. As you might have heard from the news, it is possible to profile instructions and extrapolate information through measuring the power consumption of the processor when that instruction is being executed.

We consider this not exploitable on IPFire, because we do not allow running any third-party code, but are of course shipping fixes in form of a patched Linux kernel based on 4.14.212 and updated microcode where available for all affected processors (version 20201118).


  • The most recent OpenSSL security vulnerability CVE-2020-1971 has been patched by updating the package to version 1.1.1i
  • Safe Search now allows excluding YouTube
  • The zone configuration page now highlights network devices that are assigned to a zone. This change improves usability and avoids any mistakes
  • IPsec tunnels are now showing correctly when they are established or not. A programming error could show connected tunnels as "connecting..." before.
  • The log summary no longer shows useless entries for clients that have renewed their DHCP lease and the iptables summary has been removed, since it does not produce any useful output
  • The IP address information page is now showing the Autonomous System for each IP address
  • Some cosmetic improvements for the web user interface have been implemented by Matthias Fischer.
  • On systems with insufficient memory, some pages of the web user interface could not be loaded when they were using the new location library. Thanks to Bernhard Bitsch for reporting this problem.
  • DDNS: Support for DuckDNS has been reinstated after a significant API change
  • Updated packages: bash 5.0.18, curl 7.73.0, file 5.39, go 1.15.4, knot 3.0.2, libhtp 0.5.63, openvpn 2.5.0, pcengines-firmware, strongswan 5.9.1, suricata 6.0.0, tzdata 2020d, usb_modeswitch 2.6.1, usb_modeswitch_data 20191128


  • Updated packages: amazon-ssm-agent 3.0.356.0, aws-cli 1.18.188, ghostscript 9.53.3, libseccomp 2.4.4, lynis 3.0.1, python-botocore 1.19.28, python-urllib3, spectre-meltdown-checker 0.44, transmission 3.00, vdr 2.4.4
  • Tor has been updated to version and is now using the new location database for showing the relay country. It is also now possible to define a list of exit nodes to use and to select certain countries to use for guard nodes.
  • amavis and spamassassin have been dropped because they have been unused and unmaintained for a long time
  • git has been fixed so that all features implemented in Perl can be used again.
  • The apcupsd package now correctly backs up and restores its configuration

Please help us testing this upcoming release of IPFire to find any newly introduced bugs. If you find any, please report them to our bug tracker.

If you would like to help, but cannot help testing this release, you can help us with a donation.

It is time for another Core Update: IPFire 2.25 - Core Update 152. It comes with various smaller bug fixes and improvements and updates the Windows File Sharing Add-on.

IPFire is a small team of people from a range of backgrounds sharing one goal: make the Internet a safer place for everyone. Like many of our open source friends, we’ve taken a hit this year and would like to ask for your continued support. Please follow the link below where your donation can help fund our continued development:


  • Intrusion Prevention System: The IPS has been updated to suricata 5.0.4 which fixes various bugs and security vulnerabilities
  • Leo-Andres Hofman contributed for the first time and cleaned up code that shows the DHCP leases on the web user interface. They are now sorted and expired leases are shown at the bottom of the list for better usability.
  • Steffen Klammer fixed a bug which rendered an invalid proxy.pac configuration file when subnets were added in CIDR notation
  • Values for average, minimum and maximum were swapped in the firewall hits graph which has been corrected in this release
  • Updated packages: knot 3.0.1, libhtp 0.94, python 2.7.18, python3 3.8.2, unbound 1.12.0, yaml 0.2.5


  • Updated packages: mtr 0.94, nano 5.3, tor
  • Updated Python 3 packages: botocore 1.16.1, colorama 0.4.3, dateutil 2.8.1, docutils 0.16, jmespath 0.9.5, pyasn1 0.4.8, rsa 4.0, s3transfer 0.3.3, six 1.14.0

Windows File Sharing Services

Samba has been updated to 4.13.0. For various reasons and because of a lack of development time, we were stuck on Samba 3, which has been unmaintained for a while. With this new version of Samba, new protocol features like SMB3 and encryption are supported. We have also rewritten large parts of the web user interface, made them tidier and fixed some usability issues.

We also dropped some features which we believe are not being used any more. This mainly concerns compatibility to MS-DOS clients, WINS, and using IPFire as Primary Domain Controller for Windows NT domains.

The new streamlined web user interface provides fewer controls, and we have changed some defaults that did not work in modern networks or that were ineffective in the newer release of Samba.

New features are as follows:

  • Printing with CUPS now works out of the box
  • SMB file transfers are faster, because of some performance tuning
  • IPFire will now always try to become the master browser for its workgroup
  • The file sharing and printing services will be announced to the local network using mDNS with Avahi
  • Extensions for Mac OS X are enabled by default

Because of the vast amount of changes, we need some extra help to find any regressions introduced here. Please also consider whether running this package follows the best-practice rules in your organization.

The upcoming Core Update is available for testing: It brings an updated kernel, various package updates and bug fixes.

Linux 4.14.198

The IPFire kernel is now based on Linux 4.14.198 which brings various security and stability fixes in the network stack as well as improvements throughout the whole rest of the kernel.

In connection with this, the new Location database has received some bug fixes. Formerly, some networks could not be found in the extracted part of the database which was loaded into the kernel. This has been fixed and there will be no more false-positives for selected countries.

Connection Tracking Graph

We have extended the monitoring features of IPFire with a new graph showing the size of the connection tracking table. It shows how many connections are open at the same time and helps to debug any networking issues or overload.

Connection Tracking Graph

In addition to that, the CPU graph has been fixed. An empty graph was rendered after the number of processor cores had changed.


  • Updated packages: clamav 0.103.0, htop 3.0.2, nano 5.2, postfix 3.5.7

Please help us testing

I would like to invite everyone to help us test this release of IPFire to iron out any potentially newly introduced regressions. If you do not have the time, please send us a donation to help us make IPFire better.

We have been busy baking another large update for you which is full of oozy goodness. It includes an updated toolchain based on GCC 10 and glibc 2.32 and we have added a lot of tuning which makes IPFire 33% faster on some systems.

Toolchain Update

IPFire is based on glibc 2.32, the standard library for all C programs, and GCC 10.2, the GNU Compiler Collection. Both bring various bug fixes and improvements.

The most notable change is that we have decided to remove a Spectre v2 mitigation which caused user space programs in IPFire to run about 50% slower due to using a microcode feature called "retpoline". Those "return trampolines" disable the branch prediction engine in out-of-order processors, which was considered to help with mitigating the leaking of any information from inaccessible kernel space.

This is however not as effective as thought and massively decreases performance in the user land which mainly affects features like our Intrusion Prevention System, Web Proxy and URL filter. We still use this mechanism to avoid leaking any kernel memory into the user space.

On top of that, we have updated various tools used for building IPFire as well as core libraries.

We have also enabled a new GCC feature called "stack clash protection" on x86_64 and aarch64, which adds additional checks to mitigate exploits, and we have enabled "CF protection", which hardens all software against attackers gaining control of program flow and circumventing security checks like password or signature validation.

BootHole, aka GRUB 2.04

As reported on the media, there were various security vulnerabilities in the GRUB boot loader which is used in IPFire on x86_64, i586 and aarch64. These have now been patched in IPFire and the new boot loader is installed automatically.

Intel Security Vulnerabilities & Virtual Machines

In May 2019, we announced that we would disable SMT on all machines. This is now also disabled for virtual machines, since the mitigation has to be activated on the host system.

Emulated processors might run on multiple physical processors which IPFire in a virtual machine has no control over. However, we still recommend against running IPFire in a virtual environment.

Deprecating i586

This release also officially degrades the i586 architecture to a secondary architecture. On the download page, you will already find downloads for that architecture at the bottom of the page.

This is because various security mitigations are not available for i586 and development work on the Linux kernel and other software that IPFire relies on is mainly done for x86_64 or other modern 64 bit architectures. This is a development that we saw coming for a while now, and despite that we will try to keep IPFire available in this architecture.

We urge everyone whose hardware supports it to update their systems to x86_64. You will see a notification on the web user interface if you are affected.


  • OpenSSL: We have removed all ciphers that do not support Perfect Forward Secrecy from the default cipher list. That means that all programs in IPFire that initiate TLS connections will no longer accept any "weak" ciphers without PFS.
  • OpenVPN
    • In order to make IPFire compliant with PCI DSS, OpenVPN requires all clients to use TLS 1.2 or newer. This change is automatically enabled on all systems and very old clients might need to be updated. Please check if you are using any outdated clients before updating.
    • The maximum number of simultaneous OpenVPN connections can now be set to up to 1024 and was limited to 255 before.
  • New packages: zstd, a modern and fast compression algorithm is now part of IPFire
  • Updated packages: apache 2.4.46, bind 9.11.21, bison 3.7.1, curl 7.71.1, GRUB 2.04, intel-microcode 20200616, hyperscan 5.3.0, iproute2 5.8.0, kbd 2.2.0, logrotate 3.17.0, lsof 4.91, mpfr 4.1.0, popt 1.18, unbound 1.11.0, xfsprogs 5.7.0
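Whether a cipher list really contains no suites without forward secrecy is easy to verify from the OpenSSL cipher string itself. The following is an added example, not IPFire's own code: it uses Python's ssl module to expand a cipher string the way OpenSSL resolves it and reports the suites whose key exchange (the Kx= field of OpenSSL's cipher description) is not ephemeral. The cipher strings used in it are constructed for illustration.

```python
import re
import ssl

# Key-exchange (Kx=) values that give forward secrecy. "ECDH" and "DH" denote
# the ephemeral suites here, since static DH suites were dropped in OpenSSL
# 1.1.0; "any" is how OpenSSL labels TLS 1.3 suites, which are always (EC)DHE.
# Everything else (RSA, PSK, RSAPSK, SRP) reuses a long-term secret.
PFS_KX = {"ECDH", "DH", "ECDHEPSK", "DHEPSK", "any"}

_KX_RE = re.compile(r"\bKx=(\S+)")


def expand_cipher_string(cipher_string):
    """Return (suite name, Kx) pairs OpenSSL resolves the cipher string to.

    TLS 1.3 suites are listed by OpenSSL regardless of the string and show
    up as Kx=any; they are forward secret by construction.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    pairs = []
    for suite in ctx.get_ciphers():
        match = _KX_RE.search(suite["description"])
        pairs.append((suite["name"], match.group(1) if match else "?"))
    return pairs


def non_pfs_ciphers(cipher_string):
    """Names of the suites in cipher_string that lack forward secrecy."""
    return [name for name, kx in expand_cipher_string(cipher_string)
            if kx not in PFS_KX]


if __name__ == "__main__":
    # Constructed cipher strings: OpenSSL's DEFAULT list, and the same list
    # with the non-ephemeral key-exchange methods excluded.
    for cs in ("DEFAULT", "DEFAULT:!kRSA:!kPSK:!kRSAPSK:!kSRP"):
        print(cs, "->", non_pfs_ciphers(cs) or "all suites provide PFS")
```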


  • Updated: clamav 0.102.4, dnsdist 1.5.0, haproxy 2.2.2, fping 5.0, libvirt 6.5.0, minicom 2.7.1, nfs 2.5.1, postfix 3.5.6, qemu 5.0.0, rsync 3.2.3, spandsp 0.0.6, tor, tshark 3.2.6, usbredir 0.8.0, watchdog 5.16, WIO
  • Marcel Follert has contributed a new package: socat, a CLI tool which can be used to communicate with UNIX sockets.

We ask everyone who can to install this update and report any feedback back to us. That way, you can help to make IPFire better and contribute to the community. If you cannot test, you can donate!

This is an update I have personally been waiting for a long time: We finally roll out replacing Maxmind's GeoIP database by our own improved implementation.

IPFire Location

As we pre-announced some time ago, this side-project inside the IPFire Project is finally ready for prime time.

It comes with a new implementation to build, organise and access a highly optimised database package with loads of helpful data for our firewall engines, as well as for our analytics to analyse where attacks against the firewall are originating from.

With it, IPFire can block attackers from certain countries, or do the opposite - only permit access to certain servers from certain places. Combining rules with the rate-limiting feature allows limiting connections from certain locations, which is very helpful against DoS attacks.

No new features have been added, but those that we had have been massively improved. The database is now being updated once a week which makes it more accurate and we no longer require complicated scripts to convert it into different formats to be used in different parts of the operating system.

Instead, the database can be opened and read extremely quickly, which allows access in real time and makes pages on the web user interface load significantly faster.

We hope that many other projects choose to use our implementation as well, since we have chosen a truly open license for the data as well as the library that works behind it.

I will talk more about this in a later blog post and explain to you the advantages of libloc.

Please help us testing!

In the meantime, please help us test this important release and report any issues that you find to the development team to make it the best release of IPFire that we have ever had.

You can also support our work with your donation!

Hello everyone,

I hope everyone is making their way okay through this pandemic. In case you got bored, we have a brand new Core Update available for you for testing.
It introduces new metrics for OpenVPN and ships the largest number of package updates that we have ever had, fixing various bugs and carrying plenty of security-related fixes.

OpenVPN Metrics

OpenVPN will from now on collect metrics about connected clients. On an extra page, it will be shown which client has connected when and for how long it was connected.


  • The random number generator will be launched earlier in the boot process to seed the kernel's pseudo-random number generator as soon as possible. On some systems, this could have blocked the boot process for a couple of minutes.
  • Firewall: Connections that are being NATed will now always be logged in the filter chain, too
  • vnstat, the tool behind the net traffic graphs on the IPFire web user interface has been updated to use a new database format and refreshes its graphs more often, for more detailed and accurate data
  • Pakfire correctly uses upstream proxies now
  • A vast amount of system libraries have been updated. They make the system faster, more robust, and more secure: automake 1.16.2, berkeley 5.3.28, bind 9.11.19, cmake 3.17.0, coreutils 8.32, hyperscan 5.2.1, iproute2 5.6.0, ipset 7.6, knot 2.9.4, libevent2 2.1.11-stable, libhtp 0.5.33, libjpeg 2.0.4, libpng 1.6.37, libseccomp 2.4.3, libusb 1.0.23, libwww-perl 6.43, netpbm 10.73.31, openldap 2.4.29, openvpn 2.4.9, suricata 5.0.3, unbound 1.10.1, vnstat 2.6
  • The translations have been improved by adding new phrases, fixing typos and removing unused translation strings.


  • Updated packages: borgbackup 1.1.11, clamav 0.102.3, faad2 2.8.8, ffmpeg 4.4.2, fping 4.2, lame 3.100, libogg 1.3.4, libmpeg2 0.4.1, libshout 2.4.3, libtiff 4.1.0, libvorbis 1.3.6, motion 4.3.0, nano 4.9.2, opus 1.3.1, pcengines-apu-firmware, postfix 3.5.1, shairport-sync 3.3.6, sox 14.4.2, strace 5.5, taglib 1.11.1, tmux 3.1, tor, tshark 3.2.3, xvid 1.3.7

netatalk has been added as a new package. It provides file-sharing services for Apple devices.

WIO has been updated and shows the connection times for IPsec tunnels.

Less than 48 hours after releasing IPFire 2.25 - Core Update 143, we already have the next update ready for testing. It is full of fixes for security vulnerabilities in OpenSSL, the squid web proxy, the DHCP client and more.

OpenSSL 1.1.1g

The OpenSSL team has issued a security advisory for the 1.1.1 release with "high" severity.

Applications on the client or server side that call SSL_check_chain() during a TLSv1.3 handshake may crash due to incorrect handling of the "signature_algorithms_cert" TLS extension.

CVE-2020-1967 has been assigned to track this vulnerability and an immediate installation of this update is recommended.

The DHCP Client (#12354)

Some users using RED in DHCP mode might have seen various crashes of the client. This happened because of attackers sending forged DHCP replies from cloud-hosted networks across the Internet.

After the daemon crashed, the firewall would lose Internet connectivity until it is manually restarted.

Providers normally filter forged DHCP traffic, but some do not seem to do this correctly. We are in touch with them and try to find a solution.

The Squid Web Proxy

The web proxy is vulnerable to cross-site scripting attacks, cache poisoning and access control bypass when processing HTTP request messages.

These problems are known as SQUID-2020:4, SQUID-2019:12, SQUID-2019:4, CVE-2020-11945, CVE-2019-12519, CVE-2019-12521, CVE-2019-12520, CVE-2019-12524 and #12386.


  • Updated packages: apache 2.4.43, bind 9.11.18, dhcpcd 9.0.2, squid 4.11
  • The build system has changed the Go compiler from GCCGO to Golang which seems to be introducing fewer bugs into compiled programs

Please help us test this release, so that we can make it available for all users as soon as possible. Report any feedback to our bugtracker, and you can of course support the IPFire Project with your donation.

With the latest release - IPFire 2.25 - Core Update 142, we have added an easy way to join the developers in testing IPFire. This is incredibly important for us in order to deliver the best releases of IPFire again and again without any regressions.

How does a release cycle work?

We maintain three different branches of IPFire. There is of course the stable release tree which most people are using. It is ready for production and best-tested.

For development, there are two more branches:

  • Everything that a developer does is going to the development mailing list. Patches are reviewed and fixed there and then selected by Arne for going into the next release. That process is important to only select patches that have been seen by enough people and pair them together to bake a nice update. This tree is called unstable and everything in there is literally that. Developers have tested the code, but it has not been tested by a wider audience.
  • The testing tree is for our power users who want to use and test the latest features that are going to land in IPFire. You will find a Core Update in there after it has been announced on the blog. Things have been tested by some people in small test environments and they are ready to be tested by more people.

Finally, this update will go into stable.

How can I participate?

Formerly it was necessary to edit a configuration file to participate in any of these testing efforts. That is of course not very user-friendly and therefore we have added a simpler way:

On the web user interface, you can now head to IPFire -> Pakfire and select at the bottom which version you want to use. After clicking "Save", you will see the list of all packages and Core Updates that are available and can of course install them with one click.

It could not be more simple.

Please join us in testing

We have recently been releasing Core Updates that were very large and delivered many new features at the same time as updating a lot of software under the hood. It requires a lot of feedback from testers so that we can be sure that we have not introduced any regressions or other new bugs.

We currently have so many new features that have been developed, but are still not ready for release. In order to get rid of that backlog, we are trying to increase the number of Core Updates. Please help us with that effort: install a pre-release update or packages and report any bugs that you find.

IPFire 2.25 - Core Update 143 has just been made available for testing. Try it out :)

The next update is ready for testing. It contains a large number of updated packages in the build system and updates many important system libraries. Among all those updates are many bug fixes and some security fixes.


The toolchain - all tools to build the distribution like compilers, linkers and essential system libraries - have been updated and are now based on glibc 2.31, GCC 9.3.0, binutils 2.34.

The build system has also been optimised to take advantage of machines that have a lot of memory and uses less I/O resources by not writing any large temporary files to disk any more when this can be avoided.

Intrusion Prevention System

The Intrusion Prevention System has received many smaller fixes to make it run faster, generate fewer false positives and of course be more secure.

  • The DNS flood trigger has been disabled, since it was causing loads of false positives. This will lead to more solid DNS resolution on busy systems when the IPS is enabled with rules matching DNS flooding events.
  • All HTTP traffic from and to the web proxy is now being processed by the HTTP preprocessor, too.
  • Additional firewall rules have been added to work around a Linux kernel bug when packets that were destined to go through an IPsec VPN tunnel could break out unencrypted on the RED interface when the IPS has crashed unexpectedly.


  • IPsec: The IKE lifetime can now be set to up to 24 hours again
  • OpenVPN: Net-to-Net connections will now be properly stopped when they are being deleted & all RRD files will be deleted, too
  • DNS: Some hostnames configured on the "Edit Hosts" page might not have been made public in unbound. This has now been fixed and unbound will search any local entries before using the global DNS.
  • The kernel has been hardened against unauthorised access to files that were symlinked or hardlinked.
  • The boot process could lock up for several minutes on some systems when searching for sensors. This scan is now being done in the background so it will no longer affect the boot process.
  • The IPFire-internal mail agent now supports implicit TLS.
  • The Net Traffic page did not show any recent data on some systems. This has now been fixed.
  • Many strings in the German translation have been improved and unified for better clarity.
  • Updated packages: bind 9.11.17, cairo 1.16.0, coreutils 8.31, dhcp 4.4.2, dma 0.12, libtool 2.4.6, logwatch 7.5.3, ncurses 6.2, ntp 4.2.8p14, openssh 8.2p1, openssl 1.1.1f, smartmontools 7.1, strongswan 5.8.4, unbound 1.10.0, xz 5.2.5



The Bluetooth add-on has been dropped because there is no application for it in IPFire. Wireless modems could be used with it before, but since this is not widely used, we have decided to drop the add-on.


  • amazon-ssm-agent 2.3.930.0, keepalived 2.0.20, libssh 0.9.3, nano 4.9, nginx 1.17.8, postfix 3.5.0, pcengines-apu-firmware, spectre-meltdown-checker 0.43, tor, tshark 3.2.2

Only days after finally releasing our new DNS stack in IPFire 2.25 - Core Update 141, we are ready to publish the next update for testing: IPFire 2.25 - Core Update 142.

This update comes with many features that massively improve the security and hardening of the IPFire operating system. We have also removed some more components of the system that are no longer needed, to shrink the size of the operating system on disk.

We have a huge backlog of changes that are ready for testing in a wider audience. Hopefully we will be able to deliver those to you in a swift series of Core Updates. Please help us testing, or if you prefer, send us a donation so that we can keep working on these things.

Kernel Hardening

This update brings a new kernel which is based on Linux 4.14.171.

For the first time, we have enabled kernel module signing which cryptographically prevents foreign modules from being loaded into the IPFire kernel. An attacker who is trying to load and install a rootkit will have no chance to activate it on the system any more.

This is a huge improvement to the system when attackers have gained control of it through any other security vulnerabilities. More on this in a later blog post.

Support for Marvell's Kirkwood ARM architecture has been removed in this release, since it is unmaintained upstream and there are no users in fireinfo using it any more.

Suricata 5 - Our Intrusion Prevention System

suricata, the Intrusion Prevention System working inside of IPFire, has been updated to version 5.0.2.

This release fixes a number of bugs in our IPS, increases performance and brings three new protocol parsers for RDP, SNMP and SIP. The protocol detection engine has been extended to provide better accuracy.

This release also introduces the use of Rust, which has recently been added to IPFire. Protocol parsers written in Rust cannot, by design of the language, have stack buffer overflows or other memory corruption problems like some C programs do. Therefore, this release makes it easier for the maintainers to extend the IPS while at the same time making it more robust and secure.

Making Testing Easier

This release introduces a new configuration option for Pakfire. Users can now choose between the stable branch and two testing branches, which makes it easier to install unreleased builds.

We hope that this helps you to test IPFire more easily and therefore to give us more valuable feedback on releases.


  • pppd, the Point-to-Point Protocol daemon which is used for DSL and LTE connections, had a severe vulnerability which allowed remote code execution on the client and server side. It has been updated to version 2.4.8, which also fixes some more bugs.
  • Passwords for proxy users were limited to eight characters due to an old hash algorithm being used. This has now been upgraded, and passwords of unlimited length can be used.
  • The squid web proxy has been updated to version 4.10, which closes a number of security vulnerabilities.
  • ddns, our suite for dynamic DNS updates, has been updated to version 013. This release ports the software to Python 3 since support for Python 2 is deprecated now.
  • Wireless Access Point devices are now properly added to a network bridge at boot time
  • Some smaller aesthetic fixes for the new DNS Configuration page



  • clamav has been updated to 0.102.2, which closes a number of security vulnerabilities
  • dehydrated has been fixed to properly conduct a backup and restore when it is being updated
  • guardian has received fixes for its HTTP log parser
  • haproxy has been updated to 2.1.3 and support for Lua has been enabled
  • libpciaccess has been updated to 0.16. This library is used to pass PCI devices through to a virtual machine.
  • The qemu package has been stripped from any firmware blobs for architectures that cannot be used on IPFire in order to save disk space on the root partition.
  • Further package updates: dnsdist 1.4.0, mc 4.8.24, tmux 3.0a, tor, vdr 2.4.1, vdradmin 3.6.10, w_scan 20170107

Cleaned-up Packages

We have removed a number of packages that have been abandoned by the people who maintain them. We believe that it is better to not offer them instead of exposing your systems to any security risks:

  • arm, a CLI monitoring tool for tor
  • batctl, to configure B.A.T.M.A.N., which unfortunately was never finished in IPFire
  • cyrus-imapd - An IMAP/POP daemon
  • multicat & bitstream: Two tools to capture and decode multimedia streams over a network. They were submitted to IPFire but sadly never updated by the maintainer.
  • check_mk_agent - A monitoring tool
  • DirectFB - Graphics drivers
  • ez-ipupdate - A tool for dynamic DNS updates, which is unused, because we have ddns
  • icecast, icecastgenerator & streamripper - A media relay for radio streams
  • setserial - A tool to manage serial connections on console
  • rtpproxy - A relay for RTP streams

We currently have very limited development resources and would prefer to invest those in things from which more people benefit. Please donate to support us!

The first exciting big update of the year is ready for testing: IPFire 2.25 - Core Update 141! It comes with a totally reworked DNS system which adds many new features like DNS-over-TLS. On top of that, this update fixes many bugs.

DNS Updates

The biggest set of changes in this release is around DNS. We have cleaned up many scripts and the UI which allowed us to add new functionality:

  • A unified page with all DNS settings
  • More than two DNS servers can be added for better load-balancing and resiliency. The fastest servers will be used automatically.
  • Enhanced privacy with DNS-over-TLS and strict QNAME minimisation
  • Safe Search, to filter adult content from the entire network without using the web proxy
  • Better workarounds for users with ISPs that filter DNS responses/break DNSSEC. TLS and TCP can be used as transport instead.
  • Faster boot because of fewer checks being executed at boot time

In order to combat MTU issues, we are following guidelines and have set the EDNS buffer size to 1232 bytes. This avoids large DNS replies being fragmented even on Internet lines with smaller MTUs.

All DNS settings will automatically be converted. This also works when older backups are being restored.

Updates Under The Hood

IPFire is a modern distribution as we change and update many essential system components regularly. That allows us to keep you safe, support new features and of course be fast by taking advantage of modern hardware.

In this update, we have rebased the system on GCC 9 and added support for Go and Rust. We have included Python 3 in the base system and deprecated Python 2, which is out of support by now. Not everything has been converted to use Python 3 yet, but we will hopefully soon be able to drop support for Python 2 altogether.

Unfortunately, the system is growing larger and larger with every update. Software in general is quite bloated, although we are trying our best to keep IPFire as small as possible. On systems that have a 2GB root partition and many add-ons installed, disk space might be running out. This update clears a lot of files that are no longer needed. We have also improved the stripping of debugging symbols, which are not needed on a production system, from our binaries in order to keep those files smaller.

  • elinks, the text-based browser, is no longer an add-on but is shipped with the core system.
  • LVM devices are now supported in IPFire.
  • Updated packages: efivar 35, gcc 9.2.0, file 5.38, knot 2.9.2, libhtp 0.5.32, mdadm 4.1, mpc 1.1.0, mpfr 4.0.2, rust 1.39, suricata 4.1.6, unbound 1.9.6
  • New packages: rfkill


  • The Intrusion Prevention System now filters packets from and to OpenVPN clients, too
  • Pakfire initially used HTTP for downloading the first mirror list. The server would have redirected it to HTTPS, but this has now been changed so that the first connection attempt already uses HTTPS.
  • As announced in a separate blog post, we are shipping the latest version of Maxmind's GeoIP database
  • IPsec: To enhance compatibility with many clients, newly generated root certificates will include a valid Subject Alternative Name which can also be freely configured


  • Updated: dehydrated 0.6.5, libseccomp 2.4.2, nano 4.7, openvmtools 11.0.0, tor, tshark 3.0.7
  • New: amazon-ssm-agent for better integration into the Amazon cloud

Please help us test this update to find even the smallest bugs and deliver the best version of IPFire that we possibly can. You can also support us by donating and thereby supporting everyone who has been working on this update!

Hello everyone,

the last Core Update for this decade is finally available for testing! If you have a couple of hours free over the holidays, please help us out by installing it and sending us your feedback!

Improved Booting & Reconnecting

Dialup scripts have been cleaned up to avoid any unnecessary delays after the system has been handed a DHCP lease from the Internet Service Provider. This allows the system to reconnect quicker after loss of the Internet connection and booting up and connecting to the Internet is quicker, too.

Improvements to the Intrusion Prevention System

Various smaller bug fixes have been applied in this Core Update which makes our IPS a little bit better with every release. To take advantage of deeper analysis of DNS packets, the IPS is now informed about which DNS servers are being used by the system.


IPFire is configured as securely as possible. At the same time, we focus on performance, too. For connections to the web user interface, we no longer allow CBC. This cipher mode is beginning to crack, and the more robust GCM is available.

Whenever an SSL/TLS connection is being established to the firewall, we used to prefer ChaCha20/Poly1305 as a cipher. Since AES-NI is becoming more and more popular even on smaller hardware, it makes sense to prefer AES. The vast majority of client systems support this as well, which allows them to communicate faster with IPFire systems and save battery power.
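The two rules above (no CBC, and AES-GCM ahead of ChaCha20-Poly1305) can be expressed as an OpenSSL cipher string and checked against what a server built from that string would actually offer. This is an added example, not IPFire's own configuration, and the two cipher strings below are assumptions made for illustration; the post does not show the web server settings IPFire ships.

```python
import ssl

# Assumed cipher strings, constructed for this example; not IPFire's real configuration.
OLD_POLICY = "ECDHE+CHACHA20:ECDHE+AES:!aNULL:!MD5"    # ChaCha20 first, CBC still allowed
NEW_POLICY = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5"  # AES-GCM first, AEAD suites only


def encryption_mode(description):
    """Classify an OpenSSL cipher description such as
    'ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD'
    by its Enc= field. Plain 'AES(n)' without a mode suffix is CBC."""
    enc = description.split("Enc=", 1)[1].split()[0]
    if enc.startswith("AESGCM"):
        return "aes-gcm"
    if enc.startswith("CHACHA20"):
        return "chacha20-poly1305"
    if enc.startswith("AES"):
        return "aes-cbc"
    return "other"


def tls12_modes(cipher_string):
    """Encryption modes of the TLS 1.2 suites a server context built from
    cipher_string would offer, in the server's preference order.
    TLS 1.3 suites are skipped: they are always AEAD and their order is fixed
    by OpenSSL, not by the cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [encryption_mode(c["description"])
            for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def policy_violations(cipher_string):
    """Check a cipher string against both rules from the post and return the
    list of violations (empty list means the policy is satisfied)."""
    modes = tls12_modes(cipher_string)
    problems = []
    if "aes-cbc" in modes:
        problems.append("CBC suites are still offered")
    if "chacha20-poly1305" in modes and "aes-gcm" in modes:
        if modes.index("chacha20-poly1305") < modes.index("aes-gcm"):
            problems.append("ChaCha20-Poly1305 is preferred over AES-GCM")
    return problems


if __name__ == "__main__":
    for label, policy in (("old", OLD_POLICY), ("new", NEW_POLICY)):
        print(f"{label}: {policy}")
        print("  violations:", policy_violations(policy) or "none")
```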


  • The microcode for Intel processors has been updated again to mitigate vulnerabilities from the last Core Update
  • PC Engines APU LEDs are now controlled using the ACPI subsystem which is made possible using the latest BIOS version
  • Captive Portal: Expired clients are now automatically removed
  • Dynamic DNS: Support for has been fixed in ddns 12
  • Updated packages: Python 2.7.17, bash 5.0, bind 9.11.13, cpio 2.13, libarchive 3.4.0, logwatch 7.5.2, lz4 1.9.2, openvpn 2.4.8, openssh 8.1p1, readline 8.0 (and compat version 6.3), squid 4.9, unbound 1.9.5


  • clamav has been updated to 0.102.1, which includes various security fixes
  • libvirt has been updated to version 5.6.0 for various bug fixes or feature enhancements and support for LVM has been enabled.
  • qemu has been updated to 4.1.0
  • Various others: nano 4.6, postfix 3.4.8, spectre-meltdown-checker 0.42

IPFire 2.23 - Core Update 138 is available for testing

by Michael Tremer, November 16, 2019, Updated November 17, 2019

Just after the release of IPFire 2.23 - Core Update 137, we are making the next update available to address and mitigate recently announced vulnerabilities in Intel processors.

Intel Vulnerabilities

Intel has blessed us again with a variety of hardware vulnerabilities which need to be mitigated in software. Unfortunately those will further decrease the performance of your IPFire systems due to changes in Intel's microcodes which are also shipped with this Core Update.

If you would like to learn more about these vulnerabilities, please look here, here, here, and here.

We recommend installing this update as quickly as possible to prevent your system from being exploited through these vulnerabilities. A reboot is required to activate the changes.

A little bit behind schedule, we are happy to announce the upcoming release of IPFire 2.23 - Core Update 137. It comes with an updated kernel, a reworked Quality of Service and various bug and security fixes.

Development around the Quality of Service and tackling some of the bugs required an exceptional amount of team effort in very short time and I am very happy that we are now able to deliver the result to you to improve your networks. Please help us to keep these things coming to you with your donation!

An improved and faster QoS

As explained in detail in a separate blog post from the engine room, we have been working hard on improving our Quality of Service (QoS).

It allows smaller systems to pass a lot more traffic and reduces packet latency on faster ones, creating a more responsive and faster network.

To take full advantage of these changes, we recommend rebooting the system after installing the update.

Linux 4.14.150

The IPFire kernel has been rebased on Linux 4.14.150 and equipped with our usual hardening and other patches.

The kernel has been tuned to deliver more throughput for IP connections as well as reducing latency to a minimum to keep your network as responsive and fast as possible.

An especially nasty bug that caused the system to drop DNS packets when the Intrusion Detection System was enabled has been tracked down by a large group of IPFire developers and additional help of the suricata team.


  • Downloaded GeoIP databases were not always cleaned up from /tmp when a download was unsuccessful. This could cause the script to fill up the root partition. You can reboot your system to free up space if this has happened to you, too. The script has now been cleaned up and catches any errors so that it cleans up afterwards.
  • IPsec now supports Curve448 with 224 bits of security. It is a lightweight and slightly faster alternative to Curve25519 and is enabled by default for new connections.
  • Tim Fitzgeorge contributed a patch that restarts the syslog daemon after a backup is being restored to close old log files and write to the restored ones
  • /var/log/mail is now being rotated
  • Updated packages: bind 9.11.12, iptables 1.8.3, iproute2 5.3.0, knot 2.8.4, libhtp 0.5.30, libnetfilter_queue 1.0.4, libpcap 1.9.1, libssh 0.9.0, Net-SSLeay 1.88, pcre 8.43, strongswan 5.8.1, suricata 4.1.5, tzdata 2019c, unbound 1.9.4, wpa_supplicant 2.9


New: speedtest-cli

This is a handy tool to perform a regular speedtest on the console. It was packaged to test the QoS but is handy to test throughput of the firewall to and from the Internet on the console.

Updated Packages

  • bird 2.0.6 now supports RPKI validation by connecting to a process that holds the key material either via TCP or using SSH
  • sane has been updated to version 1.0.28 and now supports more hardware
  • A French translation is now available for the Who is Online? add-on
  • Others: clamav 0.102.0, hostapd 2.9, ipset 7.3, mtr 0.93, nano 4.5, ncat 7.80, nmap 7.80, shairport-sync 3.3.2, tcpdump 4.9.3, tor, tshark 3.0.5

IPFire 2.23 - Core Update 136 is available for testing

by Arne Fitzenreiter, September 15, 2019, Updated September 15, 2019

Dear community,

the summer has been a quiet time for us with a little relaxation, but also some shifted focus on our infrastructure and other things. But now we are back with a large update which is packed with important new features and fixes.

OpenSSL 1.1.1d

This update ships the latest update of the OpenSSL library which has received some important fixes in its latest release:

  • CVE-2019-1547: With custom elliptic curves, timing attacks were made possible again. This is of very low risk in IPFire, since we are not using any custom curves.
  • CVE-2019-1549: Forked processes could have shared the same seed for their random number generator which is being fixed in this one by mixing in a high precision timer.
  • CVE-2019-1563: Another padding oracle for large PKCS7 messages

All of these are classified as "low severity". However, we recommend installing this update as soon as possible.

Perl 5.30

Arne has been busy and been working on replacing Perl with the latest stable version. This requires that loads of applications that use Perl - like our own web user interface - have to be shipped again as well as many add-ons. Hence this update is rather large.


Since Maxmind is no longer publishing their GeoIP database in the original format, and unfortunately does not provide any good bindings for the new format, we only had an outdated version of the database available in IPFire.

There is now a script that converts the current data into the old format which allows us to ship a recent database again.

This database is however only being used for showing the country flags on the web UI. GeoIP blocking uses a database in a different format and therefore always has recent data to only block the right things.


  • The firewall has a limit for log messages so that flooding the firewall with packets won't cause a Denial-of-Service by filling up the hard drive with gigabytes of logs, and so that other write operations are not starved. This limit was, however, very low by modern standards and has therefore been increased to 10 logged packets per second. That will ensure that we won't drop a packet without logging it.
  • Updated packages: apache 2.4.41, bind 9.11.10, clamav 0.101.4, dhcpcd 8.0.3, knot 2.8.3, logrotate 3.5.1, openssh 8.0p1, patch 2.7.6, texinfo 6.6, unbound 1.9.3, usb_modeswitch 1.5.2
  • logwatch and logrotate could conflict when running at the same time. This has been changed so only one of them is running at the same time.
  • Log messages for DMA, the IPFire mailer, and Postfix are now shown on the web UI
  • The toolchain now ships a compiler for Go


  • Updated packages: freeradius 3.0.19, haproxy 2.0.5, postfix 3.4.6, spamassassin 3.4.2, zabbix_agent 4.2.6
  • dnsdist has had its limit of open connections increased to work better in bigger environments
  • tor: A permission problem has been fixed so that the web UI can save settings again
  • wio: The RRD files will now be included in the backup as well as various UI improvements have been done

Please reboot!

This update needs a reboot of your IPFire system.

Please join in to help us test and make this another successful and bug-free release of IPFire. Please report any bugs to Bugzilla, and if you cannot spare any of your time, you can of course help us out with your donation.


after a little break with many things to fight, we are back with a brand new Core Update which is packed with various bug fixes and cleanup of a lot of code.

Kernel Update

The IPFire Linux kernel has been rebased on 4.14.138 and various improvements have been added. Most notably, this kernel - once again - fixes CPU vulnerabilities.


  • On x86_64, the effectiveness of KASLR has been improved which prevents attackers from executing exploits or injecting code
  • DNS: unbound has been improved so that it will take much less time to start up in case a DNS server is unavailable.
  • Scripts that boot up IPFire have been improved, rewritten and cleaned up for a faster boot and they now handle some error cases better
  • Updated packages: dhcpcd 7.2.3, nettle 3.5.1, squid 4.8, tzdata 2019b


Updated Packages

  • bird 2.0.4
  • clamav 0.101.3
  • iperf 2.0.13
  • iperf3 3.7
  • mc 4.8.23
  • pcengines-firmware

Just one day after we have released IPFire 2.23 - Core Update 133, we are testing the next one which contains fixes for the famous SACK vulnerability.

SACK Panic (CVE-2019-11477 & CVE-2019-11478)

The Linux kernel was vulnerable to two DoS attacks against its TCP stack. The first one made it possible for a remote attacker to panic the kernel, and the second one could trick the system into transmitting very small packets, so that a data transfer would have used the whole bandwidth while consisting mainly of packet overhead.

The IPFire kernel is now based on Linux 4.14.129, which fixes these vulnerabilities and various other bugs.

The microcode for some Intel processors has also been updated and includes fixes for some vulnerabilities of the Spectre/Meltdown class for some Intel Xeon processors.


  • Package updates: bind 9.11.8, unbound 1.9.2, vim 8.1
  • The French translation has been updated by Stéphane Pautrel and translates various strings as well as improving some others
  • We now prefer other cipher modes over CBC when IPFire itself opens a TLS connection. CBC is now considered to be substantially weaker than GCM.
  • Email addresses entered in the web UI can now contain underscores.
  • The Captive Portal now comes up properly after IPFire is being rebooted.


it is time for the next Core Update. Number 133!

To help us keeping those coming and to support our developers, please donate now!

Toolchain Updates

This update brings many updates on the core libraries of the system. Various changes to our build system are also helping us to build a more modern distribution, faster. The toolchain is now based on GCC 8.3.0, binutils 2.32 and glibc 2.29 which bring various bugfixes, performance improvements and some new features.

Although these might not be the most exciting changes, we recommend upgrading as soon as possible since this is essential hardening for backbone components of the user-space.

Disabling SMT - Intel's Security Issues

Disabling SMT has also been fine-tuned. It is now also being disabled on systems that are vulnerable to "Foreshadow". Probably all processors that are vulnerable to MDS are vulnerable to Foreshadow, too, so this won't affect many systems, but it is more correct to do so.

Increasing throughput of the new Intrusion Prevention System

As announced before, we were working on increasing the throughput of the IPS. This is being shipped now with this update and integrates a library from Intel which is optimised to perform pattern matching very fast on huge data sets. Its name is hyperscan.

This library is shipped in multiple versions at the same time, each compiled with support for different CPU instruction set extensions that are used when the hardware supports them, for example AVX2, AVX and of course the whole SSE series.

By utilising those optimised instructions, the processor can process more data with a single instruction, which is a lot faster. We are soon going to release benchmarks, but first tests have shown that larger systems benefit hugely from this and even some smaller embedded processors gain slightly.

This feature is automatically configured and will always be enabled when supported.

Another change to the IPS comes from Tim Fitzgeorge, who found that the IPS was occasionally dropping packets it was not meant to drop, without logging them. The rule generation was patched accordingly so that this won't happen any more, and the rules will be updated automatically when installing this Core Update.


  • A long-standing bug in adding fixed DHCP leases has been fixed. Those are now saved right away on the first click, and the entry can still be edited afterwards.
  • An incorrect list of cipher suites was generated for IPsec connections when PFS was disabled. This update fixes that and updates all connections with the correct settings.
  • ddns: Some new providers have been added
  • Package updates: bind 9.11.7, jansson 2.12, knot 2.8.2, linux-pam 1.3.1, monit 5.25.3, openssl 1.1.1c, rrdtool 1.7.2, squid 4.7, strongswan 5.8.0, wpa_supplicant 2.8


New Packages

  • tshark: A CLI version of Wireshark which is like tcpdump, but has better support for decoding captured packets.

Updated Packages

  • hostapd has been updated to version 2.8 which fixes various security vulnerabilities and other bugs
  • tor: some bugs that didn't allow the service to start after the last update have been fixed
  • wio: A problem which caused the IPFire system to unexpectedly shut down has been solved
  • miau, an IRC bouncer, which was unmaintained since 2010 has been dropped


less than a week after the new Intrusion Prevention System was released, here we are with a packed new update: It contains security fixes for the latest vulnerabilities in Intel processors and ...

Intel Vulnerabilities: RIDL, Fallout & ZombieLoad

Two new types of vulnerabilities have been found in Intel processors. They cannot be fixed unless the hardware is changed, but can be somewhat mitigated through some changes in the Linux kernel (4.14.120) and an updated microcode (version 20190514). Both are shipped in this release.

Additionally, to mitigate this bug which cannot be fixed at all, SMT is disabled by default on all affected processors, which has significant performance impacts.

Please note that Intel unfortunately is no longer releasing microcode for all processors, so you might still be vulnerable.

To apply the fixes, please reboot your system.

VLAN Configuration

Florian Bührle has contributed a UI to configure VLAN interfaces for zones. This way, it can be done graphically and the system needs to be rebooted to apply the changes.

The GUI also allows setting up a zone in bridge mode, which is helpful for advanced users who need some custom configuration.


This update also contains a number of various bug fixes:

  • The new IPS now starts on systems with more than 16 CPU cores
  • For improved security of the web UI, the web service now prefers ciphers in GCM mode over CBC. This is because CBC seems to be weakened by new attack vectors.
  • OpenVPN has received some changes to the UI and improvements of its security.
  • Alexander Koch sent in some changes around the wpad.dat handling: It is now possible to define a list of exceptions to this file on the web UI and all VPN networks are included by default.
  • Captive Portal: A stored cross-site scripting vulnerability has been fixed in the argument handling of the title; an uploaded logo file can now be deleted
  • The same type of stored cross-site scripting attack was resolved in the static routing UI
  • Log entries for Suricata now properly show up in the system log section
  • Updated packages (all from Matthias Fischer): bind 9.11.6-P1, dhcpcd 7.2.2, knot 2.8.1, libedit 20190324-3.1


Wireless AP

The wireless AP add-on has received some new features:

  • For hardware that supports it, Automatic Channel Selection can be enabled, which scans the environment and automatically selects the best channel for the wireless access point. When it is activated, 80 MHz channel bandwidth will be enabled for 802.11ac networks doubling throughput.
  • DFS is supported (on hardware that supports it, too) which is needed to use higher channels in the 5 GHz spectrum
  • Management Frame Protection can optionally be enabled to encrypt management messages between the station and the access point. This prevents an attacker from deauthenticating stations from the wireless LAN and from carrying out other denial-of-service attacks.


  • igmpproxy 0.2.1, tor, zabbix_agentd 4.2.1
  • Qemu is now being hardened with libseccomp which is a "syscall firewall". It limits what actions a virtual machine can perform and is enabled by default

Hello fellow testers,

I would like to let you know that we have updated the latest Core Update in the testing branch. Some bugs have been found and fixed thanks to your help, but now you need to make sure that they are also fixed on your systems.

If you have installed the update before, please run these commands:

echo 130 > /opt/pakfire/db/core/mine
pakfire update --force
pakfire upgrade

This will re-install the update on your machine and get you the latest fixes.

Finally, the next major version of IPFire is ready for testing. We consider our new Intrusion Prevention System such an important change that we are calling it "IPFire 2.23" from now on. This update also contains a number of other bug fixes and enhancements.

A New Intrusion Prevention System

We are finally shipping our recently announced IPS - making all of your networks more secure by deeply inspecting packets and trying to identify threats.

This new system has many advantages over the old one in terms of performance and security, and it is, simply put, more modern. We would like to thank the team at Suricata, on which it is based, for their hard work and for creating such an important tool that is now working inside of IPFire.

We have put together some documentation on how to set up the IPS, what rulesets are supported and what hardware resources you will need. Please feel free to extend it wherever you can help out.

Migration from Snort

If you are using the existing IDS, your settings will automatically be converted and replicated to the new IPS. However, you will need to select the ruleset and rules that you want to use again, since those cannot be migrated.

Please note that the automatic migration will enable the new IPS, but in monitoring mode only. This is so that we won't break any existing configurations. Please disable the monitoring mode if you want the IPS to filter packets, too.

If you restore an old backup, the IDS settings won't be converted.

The guardian add-on is no longer required for the IDS to work, but it still provides protection against SSH brute-force attacks and brute-force attacks against the IPFire Web UI.

OS Updates

This release rebases the IPFire kernel on 4.14.113 which brings various bug and security fixes. We have disabled some debugging functionality that we no longer need which will give all IPFire systems a small performance boost.

The wireless regulatory database has also been updated.

Updated packages: gnutls, lua 5.3.5, nettle 3.4.1, ntp 4.2.8p13, rrdtool 1.7.1, unbound 1.9.1


  • SSH Agent Forwarding: This can now be enabled on the IPFire SSH service, which allows administrators to connect to the firewall and use SSH agent authentication when using IPFire as a bastion host and connecting onwards to an internal server.
  • When multiple hosts were created to override the local DNS zone, a PTR record was automatically created for each of them. Sometimes hosts have multiple names, which makes it desirable not to create a PTR record for an alias; this can now be done with an additional checkbox.
  • A bug in the firewall UI has been fixed which caused the rule configuration page not to render when the GeoIP database had not been downloaded yet. This was an issue when a system was configured but had never connected to the Internet before.
  • On systems with a vast number of DHCP leases, the script that imports them into the DNS system has been optimised to make sure that they are imported faster and that at no time a half-written file is available on disk, which led unbound to crash under certain circumstances.
  • Some minor UI issues on the IPsec VPN pages have been fixed: On editing existing connections, the MTU field is now filled with the default;
  • We are no longer trying to search for any temperature sensors on AWS. This caused a large number of error messages in the system log.


  • Package updates: borgbackup 1.1.9, dnsdist 1.3.3, freeradius 4.0.18, nginx 1.15.9, postfix 3.4.5, zabbix_agentd 4.2.0
  • tor has received an extra firewall chain for custom rules to control outgoing traffic (TOR_OUTPUT). This allows creating rules for traffic that originates from the local tor relay. The service also runs as its own user now.
  • Wireless Access Point: It is now possible to enable client isolation so that wireless clients won't be able to communicate with each other through the access point.

New Packages

  • flashrom - A tool to update firmware

Just a couple of days after the release of IPFire 2.21 - Core Update 130, the next release is available for testing. This is an emergency update with various bug fixes and a large number of security fixes.


IPFire 2.21 - Core Update 130 contains security updates for the following packages:

  • Apache 2.4.39: The Apache Web Server, which runs the IPFire Web User Interface, was vulnerable to various privilege escalations (CVE-2019-0211), access control bypasses (CVE-2019-0215, CVE-2019-0217), DoS attacks (CVE-2019-0197), a buffer overflow (CVE-2019-0196) and a URL normalisation inconsistency (CVE-2019-0220). They are all regarded as being of "low" severity.
  • wget 1.20.3: wget has had multiple vulnerabilities that allowed an attacker to execute arbitrary code (CVE-2019-5953).
  • clamav 0.101.2: ClamAV, the virus scanner, has had multiple vulnerabilities that allowed DoS and a buffer overflow in a bundled third-party library.

Although some of these vulnerabilities are only of low severity, we recommend installing this update as soon as possible!

IPsec Regression

The last update introduced a regression in the IPsec stack which caused the firewall itself to no longer be able to reach any hosts on the remote side when the connection was run in tunnel mode without any VTI/GRE interfaces. This update fixes that.

This update is available in testing and we are planning to make it generally available early next week.

The next release is available for testing, presumably the last release in the 2.21 series before we bring some bigger changes. This update has a huge number of significant changes for IPsec as well as many updates to the core system and various smaller bug fixes.

IPsec Reloaded

IPsec has been massively extended. Although IPsec in IPFire was already quite versatile and delivered high performance, some features for experts were still missing and are now available through the web UI:

  • Routed VPNs with GRE & VTI
  • Transport Mode for net-to-net tunnels
  • IPsec connections can now originate from any public IP address of the IPFire installation. This can be selected on a per-connection basis.

The code has also been cleaned up and the UI has been made a little tidier to accommodate the new settings.

Smaller changes include:

  • The "On-Demand" mode is finally the default setting. Tunnels will shut down when they are not used and they will be established again when they are required.


  • DHCP: A crash has been fixed when filenames containing a slash have been entered for PXE boot.
  • DHCP: Editing static leases has been fixed
  • Domains in the "DNS Forwarding" section can now be disabled for DNSSEC validation. This is a dangerous change, but has been requested by many users.
  • Updated packages: bind 9.11.6, groff 1.22.4, ipset 7.1, iptables 1.8.2, less 530, libgcrypt 1.8.4, openssl 1.1.1b, openvpn 2.4.7, squid 4.6, tar 1.32, unbound 1.9.0, wpa_supplicant 2.7
  • New commands: kdig 2.8.0
  • The build system has been optimised to reduce build time of the whole distribution to around 4-5 hours on a fast machine.


  • Alexander Koch has contributed zabbix_agentd which is the agent that is installed on the monitored machine. With this, IPFire can now be integrated into an environment that is monitored by Zabbix.
  • On that note, the SNMP daemon has also been updated to version 5.8 for people who use the SNMP protocol for monitoring.
  • tor has been updated to and some minor bugs have been fixed in the web user interface
  • The spectre-meltdown-checker script is available as an add-on which allows IPFire users to test their hardware for vulnerabilities
  • Other updates: amavisd 2.11.1, hostapd 2.7, postfix 3.4.3

To help testing, you can download the installation images from here.

IPFire 2.21 - Core Update 128 is ready for testing

by Michael Tremer, February 26, 2019, Updated February 26, 2019

Hello community,

we have a great bunch of updates lined up for you with some great features that will improve IPFire's IPsec VPN capabilities and a huge make-over for our Intrusion Prevention System. But before that, we have another maintenance update with a new kernel, introducing TLS 1.3 throughout the whole system and of course a whole package of bug fixes and other improvements.

Thanks to everyone who has contributed to this Core Update, either by sending in patches, testing, reporting bugs or many many other things. I am quite happy to see the team grow slowly and surely!

Kernel Update

The Linux kernel, the core of the IPFire operating system, has been updated to the latest release of the 4.14 branch. We have added some extra patches to improve hardware support and fix some security vulnerabilities. LEDs of PCengines' APU boards are now supported on newer versions of the mainboard and on those boards, the serial console is always enabled. On x86-based systems, we now support up to 64 processors.

OpenSSL 1.1.1 & TLS 1.3

We have also updated the main TLS/SSL library to OpenSSL in version 1.1.1. This adds support for TLS 1.3 and of course brings various other improvements with it. On browsers that support it, the IPFire web user interface is now available over TLS 1.3 and any outgoing SSL connection from the firewall supports it, too. We ensure that those connections only use secure and performant ciphers to make connections as fast as they can be.

We have also updated the list of trusted Certificate Authorities (CAs).

We have removed all previous versions of OpenSSL from the system, as they will soon be end-of-life. If you have compiled anything custom on your system yourself, please be aware of this and note that you might need to rebuild your custom software.

Add-ons provided by the IPFire Project now support TLS 1.3 as well. If you are running a custom configuration for postfix or haproxy, make sure that TLS 1.3 is not excluded from the supported TLS protocols.
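As an added example (not IPFire code), the checker below evaluates the kind of custom protocol settings the previous paragraph warns about. It uses the standard postfix `*_tls_protocols` list syntax and the standard haproxy bind keywords `no-tlsv13` and `ssl-max-ver`; the sample values are constructed. It also builds a Python `ssl` context with the same policy as described for the firewall (TLS 1.2 as the floor, TLS 1.3 whenever the linked OpenSSL supports it).

```python
import ssl
from typing import Tuple

# Spellings under which TLS 1.3 appears in postfix and haproxy settings.
TLS13_NAMES = {"tlsv1.3", "tlsv1_3"}


def postfix_excludes_tls13(protocols: str) -> bool:
    """Evaluate a postfix *_tls_protocols value such as "!SSLv2, !SSLv3".
    Items prefixed with '!' are exclusions; a list of bare names is an
    allow-list. TLS 1.3 counts as excluded if it is negated explicitly or
    if an allow-list is given that omits it."""
    items = [p for p in protocols.replace(",", " ").split() if p]
    excluded = {i[1:].lower() for i in items if i.startswith("!")}
    allowed = {i.lower() for i in items if not i.startswith("!")}
    if excluded & TLS13_NAMES:
        return True
    return bool(allowed) and not (allowed & TLS13_NAMES)


def haproxy_excludes_tls13(bind_options: str) -> bool:
    """Evaluate haproxy bind / ssl-default-bind-options keywords such as
    "no-sslv3 no-tlsv13" or "ssl-min-ver TLSv1.2 ssl-max-ver TLSv1.2"."""
    words = bind_options.split()
    if "no-tlsv13" in words:
        return True
    if "ssl-max-ver" in words:
        idx = words.index("ssl-max-ver")
        # A capped maximum below TLS 1.3 (or a dangling keyword) excludes it.
        return idx + 1 >= len(words) or words[idx + 1].lower() != "tlsv1.3"
    return False


def hardened_context() -> ssl.SSLContext:
    """Client context with TLS 1.2 as the minimum, no upper cap (so TLS 1.3
    is negotiated when available) and certificate verification left on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_policy(ctx: ssl.SSLContext) -> Tuple[str, str, bool]:
    """Report (min version, max version, whether this build offers TLS 1.3)."""
    return (ctx.minimum_version.name, ctx.maximum_version.name, ssl.HAS_TLSv1_3)


if __name__ == "__main__":
    for value in ("!SSLv2, !SSLv3", "!SSLv2, !SSLv3, !TLSv1.3", "TLSv1.2"):
        print("postfix %-28r excludes TLS 1.3: %s" % (value, postfix_excludes_tls13(value)))
    for value in ("no-sslv3 no-tlsv10", "no-sslv3 no-tlsv13"):
        print("haproxy %-28r excludes TLS 1.3: %s" % (value, haproxy_excludes_tls13(value)))
    print("python ssl policy:", context_policy(hardened_context()))
```

The allow-list case is the one that is easy to overlook when upgrading: a postfix setting written years ago as `TLSv1 TLSv1.1 TLSv1.2` silently keeps TLS 1.3 off even though the library now supports it.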

Performance Tuning

The system is now configured to be able to route more packets. During some benchmarks and testing we have discovered that IPFire does not always use the full performance of the hardware underneath it. While most systems probably won't benefit much from these improvements, some systems with very fast processor cores will see a 5-10% increase in bandwidth from and to the firewall as well as routed through it. That comes at the cost of a very slight increase in power consumption, but we figured that this is a price worth paying to not only provide you with a secure firewall, but also a fast one.


  • A change of the firewall policy might potentially be backwards-incompatible, but we saw no other way to improve the security of the system: Previously, systems on the ORANGE network were always allowed to connect to the Internet on RED. This was carried over from the very beginning of IPFire, when the firewall user interface was far more basic and rules to change this behaviour could not be configured at all. Now it makes a lot more sense not to have this default, which was also not well-known, and to let users create rules to either allow or deny such traffic.
  • The kdig utility is now available on the command line and supports DNS lookups via TLS
  • Updated packages: apache 2.4.38, apr 1.6.5, curl 7.64.0, dhcpcd 7.1.1, ghostscript 9.26, logrotate 3.15, openssh 7.9p1, postfix 3.3.2, strongswan 5.7.2, tzdata 2018i


  • Jonatan has packaged borgbackup, a tool that allows creating full or incremental backups of the firewall's file system.
  • powertop has been updated to version 2.10
  • tor has been updated to version
  • sendEmail has been fixed by Rob. The script had a wrong file ownership.

To help testing, you can download the installation images from here.

New year, new update ready for testing! We have been busy over the holidays and are bringing you an update that is packed with new features and many many performance improvements.

This is quite a long change log, but please read through it. It is worth it!

Squid 4.5 - Making the web proxy faster and more secure

We have finally updated to squid 4.5, the latest version of the web proxy working inside IPFire. It has various improvements in speed due to major parts being rewritten in C++.

We have as well changed some things on the user interface to make its configuration easier and to avoid any configuration mistakes.

One of the major changes is that we have removed a control that allowed configuring the number of child processes for each redirector (e.g. URL filter, Update Accelerator, etc.). This is now statically set to the number of processors. That way we only use as many processes as the system has memory for, but can still use maximum CPU power by being able to saturate all cores at the same time. That makes the URL filter and other redirectors faster and more efficient in their resource consumption. They will now also be launched at the start of the web proxy, so there is no longer a wait for the first request being handled or when the proxy is under higher load.

We expect these improvements to make proxies that serve hundreds or even thousands of users at the same time faster by being more efficient.

We have dropped some features that no longer make sense in 2019: Those are the web browser check and download throttling by file extension. Since the web is migrating more and more towards HTTPS, those neither work for all the traffic, nor are they very reliable or commonly used.

We have also removed authentication against Microsoft Windows NT 4.0 domains. The authentication protocols used back then have been unsafe for years and nobody should be using them any more. Please consider this when updating to this release.

We have also mitigated a security issue in the proxy authentication against Microsoft Windows Active Directory domains. Due to squid's default configuration, an authenticated user was remembered by their IP address for up to one second. That means that, with an authenticated browser on a system, any other software on that same system was allowed for one second to send requests to the web proxy as that authenticated user. This could have been exploited by malware or other software running inside a virtual machine or similar services to get access to the internet without having valid credentials. This is now resolved and (re-)authorisation is always required.

New installations will now be recommended to set up a proxy with slightly more cache in memory and no cache on disk. Ultimately, this is something that should be considered for each installation individually, but is a better default than the previous values.

Furthermore, some minor usability improvements of the web proxy configuration page have been implemented.

DNS Forwarding

The DNS forwarding feature has been extended to make it more flexible. It now accepts hostnames as well as IP addresses and forwards requests to all servers found by resolving the hostname. It is also possible to add multiple servers as a comma-separated list so that multiple servers can be queried for one single domain. Before, only one IP address was supported, which rendered the domain unresolvable if that specific server became unreachable.

These changes allow redirecting requests for DNS blacklists, for example, directly to the right name servers without worrying about any changes of IP addresses at the provider. There is also load-balancing between multiple servers, and the fastest server is preferred, so that DNS resolution for all domains is faster and more resilient, too.
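The following added example (not IPFire's own code) renders the two features described in this section and in the earlier note about disabling DNSSEC validation per forwarded domain into unbound configuration: hostnames or IP addresses, comma-separated server lists, and a `domain-insecure:` entry when validation is switched off. It uses the standard unbound directives `forward-zone`, `forward-addr` and `domain-insecure`; the entries and the resolver table are constructed so the example runs offline, and the resolver is injected so a real `socket.getaddrinfo` lookup can be substituted.

```python
import ipaddress
from typing import Callable, List, Sequence, Tuple

Resolver = Callable[[str], List[str]]

# Constructed lookup table standing in for live DNS (hostname -> addresses).
SAMPLE_RESOLVER_TABLE = {
    "resolver.blocklist.example": ["192.0.2.10", "192.0.2.11"],
}

# Constructed forwarding entries: (domain, server spec, DNSSEC validation on?)
SAMPLE_ENTRIES: Sequence[Tuple[str, str, bool]] = [
    ("blocklist.example", "resolver.blocklist.example", False),
    ("corp.example", "10.0.0.53, 10.0.1.53", True),
]


def table_resolver(name: str) -> List[str]:
    """Offline stand-in for a DNS lookup; unknown names resolve to nothing."""
    return list(SAMPLE_RESOLVER_TABLE.get(name, []))


def expand_servers(spec: str, resolve: Resolver) -> List[str]:
    """Turn "ip, hostname, ip" into a de-duplicated list of addresses,
    resolving each hostname to every address it has."""
    servers: List[str] = []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        try:
            ipaddress.ip_address(item)
            addresses = [item]
        except ValueError:
            addresses = resolve(item)
        for addr in addresses:
            if addr not in servers:
                servers.append(addr)
    return servers


def render_forward_zone(domain: str, spec: str, resolve: Resolver,
                        dnssec: bool = True) -> str:
    """One unbound forward-zone stanza. When validation is disabled for the
    domain, a domain-insecure entry is emitted so that unbound accepts
    unsigned answers from these forwarders instead of returning SERVFAIL."""
    servers = expand_servers(spec, resolve)
    if not servers:
        raise ValueError("no usable forwarders for %s" % domain)
    lines: List[str] = []
    if not dnssec:
        lines += ["server:", '    domain-insecure: "%s"' % domain]
    lines += ["forward-zone:", '    name: "%s"' % domain]
    lines += ["    forward-addr: %s" % s for s in servers]
    return "\n".join(lines) + "\n"


def render_all(entries: Sequence[Tuple[str, str, bool]], resolve: Resolver) -> str:
    return "\n".join(render_forward_zone(d, s, resolve, v) for d, s, v in entries)


if __name__ == "__main__":
    print(render_all(SAMPLE_ENTRIES, table_resolver))
```

Listing several `forward-addr` lines per zone is what gives the resilience and the preference for the fastest server described above: unbound keeps round-trip statistics per upstream address and favours the quickest one that answers.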


  • Kernel modules that initialise a framebuffer are once again no longer loaded. Loading them caused crashes on various hardware with processors from VIA and was a regression introduced by compressing kernel modules in the last Core Update.
  • Creating certificates for IPsec and OpenVPN threw an error before which has now been fixed by ensuring that the internal certificate database is initialised correctly
  • We have enabled a Just-In-Time compiler for the Perl Regular Expressions engine. This will increase the speed of various modules that use it, like the Intrusion Detection System, which might see significantly more throughput, as well as the URL filter and various other components on the system.
  • fireinfo now supports authentication against any upstream web proxies
  • Installing IPFire from ISO on i586-based systems failed because of a bug in the EFI code of the installer. This has now been fixed.
  • Installing IPFire on XFS filesystems is now also working again. Before, the installed system was not able to boot because GRUB did not support some modern file system features.
  • The description on which SSH port IPFire is listening has been fixed.
  • Connection Tracking support is now enabled by default for Linux Virtual Servers, i.e. layer-4 load-balancers.
  • GeoIP: Scripts have been updated to use a new format of the GeoIP database
  • Updated packages: bind 9.11.5-P1, ipvsadm 1.29, Python 2.7.15, snort 2.9.12, sqlite 3.26.0 which fixes a couple of security vulnerabilities, squid 4.5, tar 1.31 which fixes a couple of security vulnerabilities, unbound 1.8.3, wget 1.20.1


  • Updated packages: clamav 0.101.1, libvirt 4.10 which fixes some problems with stopping and resuming virtual machines, mc 4.8.22, transmission 2.94
  • The haproxy package now correctly handles its backup

Thanks as always to everyone who has contributed to make this Core Update happen. I am very excited to be able to ship these features as soon as possible and for that we need the help of our community to find any bugs as soon as possible. So, please help us testing!

The next update is available for testing! This update comes with a new kernel and security enhancements and will hopefully be released as the last maintenance update for this year. This change log is rather short, but the changes are very important.

Linux 4.14.86

The kernel has been updated to the latest version of the Linux 4.14.x branch which brings various improvements around stability, enhances performance and fixes some security vulnerabilities. This kernel also has major updates for the Spectre and Meltdown vulnerabilities that remove previously existent performance penalties in some use-cases.

The kernel's modules are now compressed with the XZ algorithm which will save some space on disk as the kernel is one of the largest components of IPFire.


  • openssl has been updated to 1.1.0j and 1.0.2q, which fix some minor security issues and contain various bug fixes
  • The bind package now ships shared libraries, which it did not before. Commands like dig and host use those shared libraries and are no longer statically linked, which makes the files a lot smaller.
  • Stéphane Pautrel has substantially improved the French translation of IPFire. Thank you very much for that!


  • Updated packages: bird 2.0.2, nano 3.2
  • New packages: shairport-sync