IPFire 2.29 Core Update 201 adds DNS Firewall to block threats before they connect
IPFire 2.29, Core Update 201 finally delivers the DNS Firewall feature that has been on everyone's wishlist for years. This update lets you block malware, phishing, and ads at the network level without touching client devices or running a separate Pi-hole instance. You also get a refreshed toolchain and fixes for common installer quirks that make the whole system more stable.
The DNS Firewall changes how IPFire handles threats
Every device on your network resolves domain names through IPFire's DNS proxy, and the new firewall sits right in that pipeline to evaluate queries against IPFire DBL before a response reaches the client. If a domain is malicious, the client gets an NXDOMAIN response so the request dies at the gateway without ever attempting a connection. Blocklist updates arrive via IXFR incremental zone transfers directly into the DNS proxy, which means your lists refresh within the hour automatically with minimal bandwidth overhead and no manual intervention required.
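To confirm from a client that the gateway behaves as described above, the sketch below builds a DNS query, reads the response code from the reply header, and reports whether the answer was NXDOMAIN. It is an added example, not IPFire code; the name blocked.example, the query ID, and the sample replies are constructed placeholders.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid, qtype=1):
    """Encode a recursive DNS query (RFC 1035 wire format) for an A record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_response(packet, qid):
    """Return (rcode name, answer count) after checking the header matches."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != qid or not flags & 0x8000:  # wrong ID or QR bit not set
        raise ValueError("not a response to this query")
    return RCODES.get(flags & 0xF, f"RCODE{flags & 0xF}"), ancount

def is_blocked(packet, qid):
    """True when the resolver answered NXDOMAIN with no answer records."""
    rcode, ancount = parse_response(packet, qid)
    return rcode == "NXDOMAIN" and ancount == 0

def query_gateway(name, resolver, qid=0x1D01, timeout=3.0):
    """Live check: send the query over UDP/53 to `resolver`, return is_blocked()."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (resolver, 53))
        return is_blocked(s.recv(4096), qid)

def constructed_response(query, rcode, answer=b""):
    """Build a sample reply for offline use (constructed, not captured traffic)."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, 1 if answer else 0, 0, 0)
    return header + query[12:] + answer

if __name__ == "__main__":
    q = build_query("blocked.example", 0x1D01)           # placeholder name
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10])
    print(is_blocked(constructed_response(q, 3), 0x1D01))        # blocked reply
    print(is_blocked(constructed_response(q, 0, a_rr), 0x1D01))  # normal reply
```

A name that genuinely does not exist also returns NXDOMAIN, so run `query_gateway()` against a name you know is on the blocklist and compare it with an unlisted name that resolves normally.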
Why you can finally ditch URL Filter and Pi-hole
Plenty of users run a Pi-hole alongside their firewall just to get basic ad blocking and threat protection, which creates a mess of two devices, two configs, and two points of failure. The DNS Firewall replaces both tools because it requires no explicit proxy configuration on client machines and uses the fact that your firewall is already the single point where all DNS traffic flows. The old URL Filter was designed for a web that does not exist anymore, and trying to get HTTPS inspection working correctly usually ends in frustration and broken sites, so moving filtering to the DNS layer removes those headaches entirely.
Toolchain rebase and system improvements
IPFire 2.29 Core Update 201 rebases the distribution on glibc 2.43 and GNU binutils 2.46.0, which keeps the fundamental libraries current for better hardware support and security hardening across all userspace components. The update also fixes a race condition in web proxy firewall rules by adding the --wait flag to prevent issues during rapid rule insertion, a change that matters if you manage heavy rule sets. Other improvements include configurable recipients for daily, weekly, and monthly IDS reports, an updated kernel configuration for RISC-V devices, and a network installer fix that allocates more disk space to accommodate larger ISO downloads. Rust packages that are no longer needed have been removed to reduce build overhead and shrink the attack surface.
Add-on updates and the removal of 7zip
The Wireless Access Point add-on corrected an inverted description for the neighborhood scan feature and added a Dutch translation, while the package collection received updates for Git, Samba, Postfix, and tshark among others. IPFire removed the 7zip package because the upstream project is no longer maintained, and shipping unmaintained software goes against the security posture of a firewall distribution. The release includes updates to BIND 9.20.20, OpenSSL 3.6.1, OpenVPN 2.6.19, Suricata reporter 0.7, and vim 9.1.2147 as part of the broader package refresh.
How to apply Core Update 201 safely
Install the update through Pakfire like you normally would, but do not skip the reboot step since the developers recommend restarting the system to ensure all components run the new versions and the toolchain changes take full effect. You can download the ISO image for fresh installs from this page. If you find a problem, report it on the bug tracker or the IPFire community forum so the team can address issues before they affect more users.
Give the DNS Firewall a spin and see how much cleaner your network traffic looks when threats get blocked at the source. Happy firewalling.
