The IPFire project has released Core Update 200 for version 2.29, rebasing the distribution on Linux kernel 6.18.7 LTS and previewing a new Domain Blocklist system. This update enhances network performance, security, and filtering capabilities while addressing compatibility issues for certain filesystems.
IPFire, an open-source Linux-based firewall distribution, issued Core Update 200 on March 2, 2026. The update rebases the system on Linux kernel 6.18.7 LTS, which offers improvements in network throughput, latency, packet filtering, and hardware security mitigations. According to the developers, this results in more stable connections under high load and faster packet processing.
A significant change involves the deprecation of ReiserFS support in the kernel. Systems using ReiserFS cannot install the update and require reinstallation on a supported filesystem such as ext4 or Btrfs, with data backup and restoration advised. IPFire had previously warned users about this via the web interface.
The update introduces IPFire DBL, a preview of the project's own Domain Blocklist, developed after the Shalla list's retirement in January 2022. DBL provides a curated, community-maintained database of domains categorized for blocking malware, phishing, advertising, pornography, gambling, gaming sites, and DoH servers. Updates occur hourly, and it is licensed under GPLv3+ for code and CC BY-SA 4.0 for data. DBL integrates with the URL filter for proxy blocking or Suricata for deep packet inspection across DNS, TLS, HTTP, and QUIC protocols, offering detailed alerts. It is compatible with tools like Pi-hole, BIND, Unbound, pfSense, SquidGuard, and Adblock Plus. Community members can report issues or suggest additions online.
Performance enhancements include multi-threading in the Unbound DNS proxy, with one thread per CPU core for faster responses on multi-core systems. PPP connections now send LCP keepalive packets only when inactive, reducing overhead on DSL, 4G, and 5G links. OpenVPN configurations have been revised: the MTU is no longer hardcoded in client files but pushed by the server, along with one-time password tokens when enabled; the CA certificate is removed from clients as it is included in the PKCS#12 container. This aims to improve flexibility and reduce errors, though older clients may face compatibility issues.
Wireless access point support restores 802.11a/g modes, fixes excessive hostapd debug logging, and properly accepts pre-shared keys with special characters. Suricata addresses a signature cache issue from the prior update that caused unlimited growth and disk space consumption; reporting now includes hostname and protocol details for DNS, HTTP, TLS, and QUIC alerts in emails and PDFs.
Security updates feature OpenSSL 3.6.1, fixing CVEs including CVE-2025-15467 (stack overflow with potential remote code execution), CVE-2025-11187 (PKCS#12 buffer overflow), and CVE-2025-66199 (TLS 1.3 DoS). glibc receives fixes for CVEs such as CVE-2026-0861, CVE-2026-0915, and CVE-2025-15281. Other core components updated include Apache 2.4.66, OpenVPN 2.6.17, Suricata 8.0.3, Unbound 1.24.2, Rust 1.92, and BIND 9.20.18. Add-ons refreshed are ClamAV 1.5.1, Tor 0.4.8.21, Samba 4.23.4, and Git 2.52.
Core Update 200 is available for x86_64 and aarch64 architectures via download for fresh installs or through the web UI and pakfire command for upgrades. Developers plan to build a DNS firewall on DBL for native content filtering against ads and malware, independent of proxies.