IPFire 2.29 - Core Update 200 is available for testing
IPFire 2.29 - Core Update 200 is now available for testing. This release represents quite an achievement for the project team and their community support network.
At its heart, this version features a rebase onto Linux kernel 6.18 LTS (specifically 6.18.7), bringing along all kinds of refinements under the hood. You can expect benefits like improved security defenses right out of the box, plus boosts to overall performance and system stability. These changes often translate into smoother network operations, potentially reducing delays here and there. Because the kernel also incorporates the newest hardware security features from upstream Linux, the base system itself is more secure than before.
One thing users should know about: if you're currently using ReiserFS as your filesystem type, this update might not play nice with that setup. It seems like support for ReiserFS has been dropped upstream in recent kernel versions, meaning affected users will probably need to upgrade or reinstall onto a different filesystem, choosing one of the options that is still supported.
Another exciting development is the new IPFire Domain Blocklist (DBL). This system aims to fill the gap left by the retirement of the old Shalla list. It provides a fresh source for identifying domains you might want to block, perhaps for filtering unwanted web traffic like malware or specific services. You can already use it in two ways: via the URL Filter itself, which lets you actively keep bad actors out based on domain names, and by integrating it with Suricata (the IDS/IPS engine). That helps Suricata do a better job analyzing network connections across protocols like DNS, TLS, HTTP and QUIC, essentially making site-blocking more effective through deep packet inspection.
Beyond these headline changes, there are various smaller tweaks spread throughout the system. For example, the built-in Intrusion Prevention System now includes logic to automatically tidy up old signature data from its cache when things get cleaned up or signatures expire, helping keep storage usage down over time. The reporter utility has also been updated; it provides more detailed information for incidents spotted in DNS traffic or involving HTTP/TLS/QUIC connections, which can help administrators dig deeper during investigations of potential security issues.
Elsewhere, the OpenVPN configuration system saw some updates, removing details about Maximum Transmission Unit size and One-Time Password (OTP) authentication tokens from within IPFire itself. Also re-added is support for older 802.11a/g wireless access points, something that might be welcome news if you rely on those specific devices.
On the networking side, Unbound, which handles DNS queries securely via DNSSEC, now runs using multiple threads internally to help speed things along and make responses faster when needed, especially under load or with large numbers of lookups. The new Domain Blocklist system is definitely part of this push towards more robust network filtering capabilities.
Security-wise, the core OpenSSL library has been refreshed to version 3.6.1. Patches have also addressed several known issues in glibc, including CVE-2026-0861, CVE-2026-0915, and CVE-2025-15281, just for starters.
Then there are all the little package upgrades: IPFire has kept its system up to date with security fixes and newer features in software like Apache (web server), bash (shell), BIND (DNS resolver), coreutils, cURL, dhcpcd (DHCP client/server), elinks (text WWW browser), GnuPG (encryption tool), glib, harfbuzz (text shaping library), intel-microcode (CPU microcode updates), libarchive, libcap-ng (capabilities handling), and libgpg-error. The list goes on.
The update naturally bundles a bunch of minor add-ons too, items like alsa (sound driver interface), ClamAV (anti-virus scanner), dnsdist, fetchmail (POP/IMAP mail retrieval tool), gdb (debugger), Git, fort-validator, freeradius (RADIUS server), opus (audio codec library), postfix (MTA email delivery system), samba (file sharing software), strace (system call tracing utility), tmux (terminal multiplexer), Tor, and tshark, many of them upgraded to their latest stable iterations. It's just part of keeping the whole platform current and reliable.
