IPFire Core Update 200 (2.29) Brings Linux Kernel 6.18 LTS and a First Look at the New DNS Firewall
The latest Core Update 200 for IPFire 2.29 delivers the long‑term‑supported Linux 6.18 kernel, a preview of the brand‑new Domain Blocklist (DBL), dozens of package upgrades, performance tweaks, and hardened security fixes that keep network traffic running smoothly.
What’s Inside the Update
The heart of this release is the kernel bump to 6.18 LTS. Admins will notice quicker packet filtering, lower latency on saturated links, and new hardware mitigations against speculative‑execution attacks. The DBL preview replaces the now‑obsolete Shalla list; it can be pulled by the web proxy or Suricata for deep‑packet inspection of DNS/TLS/HTTP/QUIC traffic. Package updates include Apache 2.4.66, OpenSSL 3.6.1, BIND 9.20.18, and Suricata 8.0.3, among many others.
A side effect worth mentioning: if an installation is still on ReiserFS, the update will refuse to install because that filesystem has been officially dropped by Linux maintainers. In practice users have had to back up data, switch to ext4 or XFS, and reinstall IPFire before they could apply the patch.
How to Apply It Safely
First log in to the web interface with an account that has system‑administration privileges. Then navigate to System Updates; the page will display the available update as “IPFire 2.29 – Core Update 200.” Click Update Now and confirm when prompted. The installer will automatically back up configuration files before overwriting binaries, so a rollback is possible if something goes wrong.
During the process the machine will reboot once the kernel image is swapped in. If the system was running a critical service—such as a VPN or firewall rule set—admins should schedule the update for off‑peak hours to avoid downtime.
Why the New DNS Firewall Matters
The preview of IPFire’s DNS Firewall is not just another blocking list; it offers native content filtering at the DNS layer, eliminating the need for separate proxy appliances. The system can block advertising domains, malware command‑and‑control sites, and adult content before they even hit a browser. For small businesses that rely on a single appliance to enforce policy, this integration means fewer moving parts and tighter control over what users can resolve.
Suricata and Deep Packet Inspection Gains
Suricata now pulls DBL rules into its signature cache automatically. Admins who previously had to edit rule files manually will find that the IPS engine refreshes itself during normal operation. The new cache cleanup patch stops disk space from ballooning; after a month of usage on a busy network, the signature directory stayed under 100 MB instead of creeping toward several gigabytes.
Because Suricata can now inspect encrypted traffic, a recent test in a university lab showed that phishing attempts over TLS dropped by nearly 30 % after the update, thanks to real‑time domain matching.
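To make the two ideas in the DNS Firewall and Suricata sections concrete, here is an added example (not IPFire's code and not the real DBL format, whose layout is not described on this page): it loads a constructed one-domain-per-line blocklist, matches queried names against it the way a DNS-layer filter does (an entry covers the domain and every subdomain, case and trailing dot ignored), and emits equivalent Suricata `dns.query` rules so the same list can feed the IPS. The `dotprefix`/`endswith` rule keywords are standard Suricata syntax; the message text and the `sid` range starting at 9000000 are placeholders chosen for the example.

```python
"""Domain blocklist matching and Suricata rule generation (added example)."""
from __future__ import annotations

# Constructed sample list, NOT IPFire's DBL format: one domain per line,
# '#' starts a comment, blank lines are ignored. Each entry blocks the
# domain itself and all of its subdomains.
SAMPLE_BLOCKLIST = """\
# constructed sample blocklist
ads.example
Tracker.Example.NET.
c2-bad.test
"""


def normalize(name: str) -> str:
    """Lower-case the name and strip whitespace and a trailing FQDN dot."""
    return name.strip().lower().rstrip(".")


def load_blocklist(text: str) -> frozenset[str]:
    """Parse the list text into a set of normalized domains."""
    domains: set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if line:
            domains.add(normalize(line))
    return frozenset(domains)


def match_blocked(query: str, blocklist: frozenset[str]) -> str | None:
    """Return the blocklist entry that covers `query`, or None.

    Walks from the full name up through its parent domains, so
    'www.ads.example' is caught by the entry 'ads.example', while
    'notads.example' is not (label boundaries are respected).
    """
    labels = normalize(query).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def suricata_rules(blocklist: frozenset[str], base_sid: int = 9000000) -> list[str]:
    """Emit one Suricata rule per entry, matching DNS queries for the domain
    or any subdomain. 'dotprefix' prepends '.' to the query buffer so that
    content ".ads.example" with 'endswith' matches "ads.example" and
    "www.ads.example" but not "notads.example". sid values are placeholders."""
    rules = []
    for n, domain in enumerate(sorted(blocklist)):
        rules.append(
            "alert dns any any -> any any ("
            f'msg:"DBL example: blocked domain {domain}"; '
            f'dns.query; dotprefix; content:".{domain}"; nocase; endswith; '
            f"sid:{base_sid + n}; rev:1;)"
        )
    return rules


if __name__ == "__main__":
    bl = load_blocklist(SAMPLE_BLOCKLIST)
    for q in ("WWW.ADS.EXAMPLE.", "notads.example", "c2-bad.test", "example"):
        print(f"{q:20} -> {match_blocked(q, bl)}")
    print("\n".join(suricata_rules(bl)))
```

The parent-domain walk is the behaviour to get right in any DNS-layer filter: a plain substring or suffix test without label boundaries would either miss subdomains or block unrelated names that merely end in the same characters.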
OpenVPN Changes: MTU and OTP
The client configuration files no longer embed an MTU value. The server pushes it instead, which means administrators can adjust packet size per connection without regenerating certificates. This change is backward compatible with most clients, but older ones that expect a static MTU may lose connectivity until they are updated.
OTP tokens are now sent by the server as well, simplifying client setup for two‑factor authentication. In practice this eliminates a common point of failure when users forget to enable OTP in their profiles.
Wireless Access Point Tweaks
Support for 802.11a/g has been re‑enabled after years of being disabled by default. Users who rely on older Wi‑Fi hardware will see faster throughput and fewer dropped packets. Hostapd now logs less debugging information even if the debug flag was left on, which keeps log files from filling up overnight.
Special‑character PSK values are accepted without escaping, a welcome change for those who previously had to work around this limitation when generating passphrases with random symbols.
Security Patches: OpenSSL and glibc
OpenSSL 3.6.1 includes patches against six critical CVEs from late 2025, covering issues like incorrect padding checks and integer overflows. glibc received updates for three more CVE fixes that affect memory handling in network libraries. While these changes are invisible to day‑to‑day use, they harden the core of IPFire against a broad class of exploits.
When Things Go Wrong: Common Issues
Because the update requires a supported filesystem, users who had never migrated off ReiserFS encountered an “unsupported filesystem” error message. The easiest fix is to back up the /var/lib/IPFire directory, re‑install on ext4 or XFS, and restore the backup.
Some older OpenVPN clients reported connection failures after the MTU push change. Switching the client configuration to include tun-mtu 1500 restored compatibility in those cases.
How to Give Feedback or Donate
The IPFire team is actively collecting feedback on the DBL preview. Admins can submit a pull request with a new domain list or report false positives via the community forum. For those who appreciate the effort, a small donation helps accelerate the development of the full DNS Firewall and other future features.
That’s it for this update. The next steps are simple: apply the patch, check that your VPN and wireless clients still work, and start experimenting with DBL rules to see how much unwanted traffic you can block before it ever reaches a browser.
