IPFire 2.29 Core Update 202 Brings Kernel Hardening and Faster VPNs
IPFire 2.29 Core Update 202 has been released for testing with a newer Linux kernel, OpenVPN 2.7, and a handful of quiet fixes that actually matter for daily firewall management. This release swaps out old package versions, patches two local privilege escalation flaws, and finally lets the DNS proxy talk to the outside world without manual rule hunting. Network administrators who run IPFire in production or just prefer their network gear to stop eating disk space should test this update before pushing it live.
Kernel Updates and Why They Matter for Firewalls
The base kernel jumps to version 6.18.28, which closes two local privilege escalation bugs that could let a logged-in user grab root access. Dirty Frag targets the IPsec module, while Copy Fail exploits the cryptographic subsystem. Neither of these threats really applies to a standard firewall setup, since IPFire does not hand out unprivileged shell accounts or allow random users to log into the console. Still, running patched kernels is basic defense in depth: a misconfigured service or a compromised admin credential could still expose the system if the kernel stays outdated. The glibc DNS response flaw also gets patched here, which stops reverse lookups from returning bogus hostnames that could mess up logging or access controls down the line.
OpenVPN 2.7 and Data Channel Offload in IPFire 2.29 Core Update 202
OpenVPN moves to version 2.7 with kernel-accelerated data channel offloading enabled where hardware supports it. Instead of forcing every encrypted packet through the userspace daemon, the kernel handles encryption and decryption directly. That shift pushes throughput from around one gigabit per tunnel up toward ten gigabits while dropping CPU spikes and jitter. VPN tunnels often choke on older builds when multiple clients push heavy traffic or run constant background syncs; the new setup keeps latency steady even when the link gets busy. Client configurations will still need to match the updated protocol defaults, but the transition has already been smoothed out in previous IPFire updates.
Quiet Fixes That Save Disk Space and Headaches
Logging performance stats for an IPS is pointless bloat that just fills disk space without helping anyone troubleshoot actual attacks. Core Update 202 stops those logs, rotates the remaining files daily instead of weekly, and automatically wipes old entries. Firewall rules for comma-separated port lists finally apply correctly after a long-standing bug caused partial or failed rule creation. A typo in an IPsec script also gets fixed, so tunnels that have been shut down no longer leave behind zombie firewall rules that clutter the table over time. The DNS proxy now allows outbound traffic without forcing users to write custom allow rules, which cuts down on support tickets and configuration drift.
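The comma-separated port list bug is a good reminder of what a rule generator has to get right: reject bad entries before touching the firewall, and never emit a partial rule set. The script below is an added example written for this article, not IPFire's own code; it validates a port list the way a generator should, then renders it as iptables multiport rules. The chain name, protocol and ACCEPT target are illustrative assumptions, and the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not IPFire code: validate a comma-separated port list and
# render it as iptables multiport rules. Chain, protocol and target are
# illustrative assumptions; rules are printed, not applied.

# Accept a single port in the range 1-65535 (digits only).
valid_single_port() {
  case $1 in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Accept a single port or a range "lo:hi" with lo <= hi; reject anything else.
valid_port_item() {
  case $1 in
    *:*:*) return 1 ;;
    *:*)
      _lo=${1%%:*}
      _hi=${1#*:}
      valid_single_port "$_lo" && valid_single_port "$_hi" && [ "$_lo" -le "$_hi" ]
      ;;
    *) valid_single_port "$1" ;;
  esac
}

# Usage: build_port_rules CHAIN tcp|udp "80,443,8000:8100"
# Every entry is checked before any rule is printed, so a bad entry never
# produces a partial rule set. iptables multiport accepts at most 15 ports
# per match and a range counts as two, so longer lists are split across rules.
build_port_rules() {
  chain=$1
  proto=$2
  list=$3
  case $proto in
    tcp|udp) ;;
    *) echo "build_port_rules: unsupported protocol '$proto'" >&2; return 1 ;;
  esac

  # Split on commas only; whitespace inside the list is treated as an error.
  old_ifs=$IFS
  IFS=,
  set -f
  set -- $list
  set +f
  IFS=$old_ifs

  [ $# -gt 0 ] || { echo "build_port_rules: empty port list" >&2; return 1; }
  for item in "$@"; do
    valid_port_item "$item" || {
      echo "build_port_rules: invalid port entry '$item'" >&2
      return 1
    }
  done

  group=""
  used=0
  for item in "$@"; do
    case $item in *:*) cost=2 ;; *) cost=1 ;; esac
    if [ $((used + cost)) -gt 15 ]; then
      printf 'iptables -A %s -p %s -m multiport --dports %s -j ACCEPT\n' "$chain" "$proto" "$group"
      group=""
      used=0
    fi
    group="${group:+$group,}$item"
    used=$((used + cost))
  done
  printf 'iptables -A %s -p %s -m multiport --dports %s -j ACCEPT\n' "$chain" "$proto" "$group"
}

# Demonstration with a constructed port list.
build_port_rules INPUT tcp "80,443,8000:8100"
```

Validation runs over the whole list before the first rule is printed, which is the property the Core Update 202 fix restores: either every port in the list ends up in the firewall, or none does and the caller gets a clear error.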
Package Rollout and Add-On Updates
Every major component gets refreshed in this release. Apache, OpenSSL, OpenSSH, Suricata, systemd, and BIND all move to newer versions that close known vulnerabilities and improve stability. The add-on packages follow the same pattern, with updates for FRR, HAProxy, Tor, Samba, Zabbix, and Transmission. Bogon blocklist links also get refreshed so the firewall keeps blocking bogon traffic without manual intervention. Testing this update on a spare machine or in a lab environment will catch any edge case before it touches production gear. The package list is long but standard for a core release that touches the base system.
Give your test box a spin and report back if anything breaks. Network gear only stays reliable when you actually check what changes under the hood.
