Network firewall distribution IPFire has released Core Update 200, marking the 200th incremental update to the 2.29 branch. This update includes a kernel upgrade, a beta domain blocklist service, security patches for OpenSSL and glibc, and several component updates.
The kernel is now based on Linux 6.18.7 LTS, which introduces improved hardware security mitigations along with enhancements to network throughput and latency. However, Linux developers have deprecated ReiserFS support in this kernel line. As a result, IPFire installations using that filesystem will need to be reinstalled on a supported filesystem before applying the update.
IPFire DBL Enters Beta
The new release also features IPFire DBL, a domain blocklist that aims to replace the retired Shalla list. The previous version of the web proxy relied on this list to filter out malware, social networking, and adult content. DBL is accessible in two formats: through the URL filter for proxy-based blocking and as a Suricata rules source. When integrated with Suricata, the blocklist facilitates deep packet inspection across DNS, TLS, HTTP, and QUIC connections.
The project characterizes DBL as an early beta and is actively seeking feedback from the community. Looking ahead, a DNS Firewall with native content filtering is planned as the next significant milestone.
Suricata and IPS Changes
A fix for cache management addresses a bug from the previous update that caused Suricata’s pre-compiled signature cache to grow uncontrollably, consuming excessive disk space. A backported patch has been implemented to ensure Suricata automatically cleans up unused signatures.
The Suricata reporter has also been updated to include hostname information and additional protocol metadata for alerts related to DNS, HTTP, TLS, and QUIC connections. This data will be included in alert emails and PDF reports, offering administrators greater context when investigating policy violations.
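The extra context described above (hostname plus per-protocol metadata) is the kind of field an administrator pulls out of Suricata's EVE JSON log when triaging a policy alert. The following is an added example, not IPFire's reporter code or part of Suricata: it reads constructed EVE `alert` records and extracts the hostname indicator appropriate to each application protocol (`http.hostname`, `tls.sni`, `quic.sni`, and the DNS query name). The field layout follows Suricata's EVE schema as commonly documented, but the exact names, and the two DNS layouts handled (`dns.query[]` and the newer `dns.queries[]`), are assumptions to check against your own `eve.json`.

```python
import json
from collections import Counter
from typing import Iterable, List, Optional

# Constructed sample eve.json lines (no real traffic; domains are RFC 2606 reserved).
# The first record is a non-alert event and must be ignored by the summarizer.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2026-02-01T10:00:00.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.1"}',
    '{"timestamp":"2026-02-01T10:00:01.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":80,'
    '"proto":"TCP","app_proto":"http",'
    '"alert":{"signature_id":9000001,"signature":"CONSTRUCTED policy domain (http)",'
    '"category":"Policy Violation","severity":2},'
    '"http":{"hostname":"blocked.example","url":"/index.html","http_method":"GET"}}',
    '{"timestamp":"2026-02-01T10:00:02.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.7","src_port":40001,"dest_ip":"203.0.113.20","dest_port":443,'
    '"proto":"TCP","app_proto":"tls",'
    '"alert":{"signature_id":9000002,"signature":"CONSTRUCTED policy domain (tls)",'
    '"category":"Policy Violation","severity":2},'
    '"tls":{"sni":"social.example","version":"TLS 1.3"}}',
    '{"timestamp":"2026-02-01T10:00:03.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":53321,"dest_ip":"10.0.0.1","dest_port":53,'
    '"proto":"UDP","app_proto":"dns",'
    '"alert":{"signature_id":9000003,"signature":"CONSTRUCTED policy domain (dns)",'
    '"category":"Policy Violation","severity":2},'
    '"dns":{"version":3,"type":"request","queries":[{"rrname":"blocked.example","rrtype":"A"}]}}',
    '{"timestamp":"2026-02-01T10:00:04.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.9","src_port":60000,"dest_ip":"203.0.113.30","dest_port":443,'
    '"proto":"UDP","app_proto":"quic",'
    '"alert":{"signature_id":9000004,"signature":"CONSTRUCTED policy domain (quic)",'
    '"category":"Policy Violation","severity":2},'
    '"quic":{"version":"1","sni":"video.example"}}',
]


def extract_hostname(event: dict) -> Optional[str]:
    """Return the hostname indicator for an alert, chosen by application protocol.

    Assumed EVE field names: http.hostname, tls.sni, quic.sni, and for DNS either
    dns.queries[].rrname (newer layout) or dns.query[].rrname (older layout).
    """
    proto = event.get("app_proto")
    if proto == "http":
        return event.get("http", {}).get("hostname")
    if proto == "tls":
        return event.get("tls", {}).get("sni")
    if proto == "quic":
        return event.get("quic", {}).get("sni")
    if proto == "dns":
        dns = event.get("dns", {})
        for key in ("queries", "query"):
            for query in dns.get(key) or []:
                if query.get("rrname"):
                    return query["rrname"]
        return dns.get("rrname")
    return None


def summarize_alert(line: str) -> Optional[dict]:
    """Parse one eve.json line; return a compact triage record or None if not an alert."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None  # truncated or corrupt line: skip rather than abort the report
    if event.get("event_type") != "alert":
        return None
    alert = event.get("alert", {})
    return {
        "timestamp": event.get("timestamp"),
        "sid": alert.get("signature_id"),
        "signature": alert.get("signature"),
        "category": alert.get("category"),
        "src": f"{event.get('src_ip')}:{event.get('src_port')}",
        "dest": f"{event.get('dest_ip')}:{event.get('dest_port')}",
        "app_proto": event.get("app_proto"),
        "hostname": extract_hostname(event),
    }


def summarize_alerts(lines: Iterable[str]) -> List[dict]:
    """Summaries for every alert record in the given eve.json lines, in order."""
    return [s for s in (summarize_alert(line) for line in lines) if s is not None]


def hostname_counts(lines: Iterable[str]) -> Counter:
    """How many alerts named each hostname; a quick view of which domains trip policy."""
    return Counter(s["hostname"] for s in summarize_alerts(lines) if s["hostname"])


def format_report(lines: Iterable[str]) -> str:
    """Plain-text table suitable for an alert mail body."""
    rows = ["timestamp | sid | proto | hostname | src -> dest | signature"]
    for s in summarize_alerts(lines):
        rows.append(f"{s['timestamp']} | {s['sid']} | {s['app_proto']} | "
                    f"{s['hostname'] or '-'} | {s['src']} -> {s['dest']} | {s['signature']}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(format_report(SAMPLE_EVE_LINES))
    print(hostname_counts(SAMPLE_EVE_LINES).most_common())
```

Against a live system the same functions would be fed lines from Suricata's EVE output file instead of the constructed list; alerts raised on protocols without a hostname field (for example plain TCP signatures) still appear in the report, with the hostname column left as `-`.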
OpenVPN Configuration Updates
Several behaviors related to OpenVPN client configuration have been modified. MTU values will now be pushed from the server, rather than being hard-coded into client configurations. This change allows administrators to adjust MTU values post-deployment. Additionally, the OTP authentication token will now be delivered from the server when OTP is enabled. The CA certificate has been removed from client configuration files, as it is already included in the PKCS12 container; its presence was causing import issues in NetworkManager via the command line.
DNS Proxy Goes Multi-Threaded
The Unbound DNS proxy component will now utilize one thread per CPU core instead of running on a single thread. This modification is expected to decrease response times under high load conditions.
Wireless Access Point Fixes
Support for 802.11a/g has been reinstated after being unintentionally removed in a previous release. Additionally, a fix has been implemented to prevent hostapd from excessively logging debug output when debugging is enabled. PSK values that include special characters are now accepted as well.
Security Patches
The OpenSSL library has been upgraded to version 3.6.1, addressing twelve CVEs: CVE-2025-11187, CVE-2025-15467, CVE-2025-15468, CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, and CVE-2026-22796. The glibc library has received patches for CVE-2026-0861, CVE-2026-0915, and CVE-2025-15281.
Package Updates
Key component versions in this release include Apache 2.4.66, BIND 9.20.18, cURL 8.18.0, OpenVPN 2.6.17, strongSwan 6.0.4, Suricata 8.0.3, Unbound 1.24.2, ClamAV 1.5.1, Samba 4.23.4, and Tor 0.4.8.21.