IPFire, a Linux-based open-source firewall distribution designed for network security, routing, VPN, intrusion prevention, and related gateway tasks, has issued IPFire 2.29 Core Update 202.
The release rebases IPFire’s kernel on Linux 6.18.32 to address several recent Linux kernel vulnerabilities, including Dirty Frag and Copy Fail.
IPFire notes that both issues require local unprivileged shell access, which is not part of its default firewall model. Systems normally provide console access only to the administrator, with no unprivileged shell users logged in. Even so, the update is recommended because it also includes fixes for other system components.
Another change is the update to OpenVPN 2.7.3, which adds support for Data Channel Offloading. With DCO, OpenVPN traffic encryption and decryption are handled in the kernel instead of passing packets through the OpenVPN daemon.
According to the IPFire team, this significantly improves VPN performance. They report throughput increases from 1 Gbit/s to 10 Gbit/s per tunnel, along with reduced jitter and lower CPU use due to better hardware crypto acceleration.
Core Update 202 also fixes several firewall and networking issues. Firewall rules using multiple ports in comma-separated lists now apply correctly. The Intrusion Prevention System no longer writes statistics logs that could consume large amounts of disk space. Existing affected logs are removed automatically by the updater, and remaining IPS logs are rotated daily instead of weekly.
The IPFire DNS Proxy now has outbound access without extra firewall rules. IPsec also receives a fix for an issue where automatically generated firewall rules were not removed after a tunnel shutdown due to a typo in a script.
Additionally, the update includes a glibc fix for a reverse-DNS issue in which a crafted DNS response could cause gethostbyaddr and gethostbyaddr_r to treat a non-answer section as a valid answer.
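The section boundary behind that fix can be shown with a small DNS message parser. This is an added example, not glibc's or IPFire's code: it classifies PTR records by the section the header counts place them in, so a caller can accept only answer-section records. The function names and the sample names (`host.example`, `4.3.2.1.in-addr.arpa`) are constructed for illustration.

```python
import struct

PTR = 12  # DNS RR type used for reverse lookups

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii")
                    for lab in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def ptr_by_section(msg):
    """Split PTR targets into answer-section records and all others."""
    _id, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):                    # skip question entries
        _, off = read_name(msg, off)
        off += 4                           # QTYPE + QCLASS
    found = {"answer": [], "other": []}
    for i in range(an + ns + ar):          # records follow in section order
        _, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == PTR:
            found["answer" if i < an else "other"].append(read_name(msg, off)[0])
        off += rdlen
    return found

def build_response(answer, authority, qname="4.3.2.1.in-addr.arpa"):
    """Constructed sample response with PTR records in the given sections."""
    def rr(target):
        rdata = encode_name(target)
        return encode_name(qname) + struct.pack("!HHIH", PTR, 1, 60, len(rdata)) + rdata
    head = struct.pack("!6H", 0x1234, 0x8180, 1, len(answer), len(authority), 0)
    question = encode_name(qname) + struct.pack("!HH", PTR, 1)
    return head + question + b"".join(rr(t) for t in answer + authority)
```

A response with an empty answer section and a PTR record in the authority section yields nothing under `"answer"`, which is the result a reverse lookup should act on.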
A large set of core packages has been updated as well, including Apache 2.4.67, BIND 9.20.22, cURL 8.20, expat 2.8, GnuTLS 3.8.13, intel-microcode 20260227, iproute2 7.0, OpenSSH 10.3p1, OpenSSL 3.6.2, strongSwan 6.0.6, Suricata 8.0.5, systemd 260.1, Unbound 1.25.1, wireguard-tools 1.0.20260223, and XZ 5.8.3.
Updated add-on packages include arpwatch 3.9, dnsdist 2.0.5, ffmpeg 8.1, FRR 10.6, Git 2.54.0, HAProxy 3.2.15, htop 3.5.1, iperf3 3.21, keepalived 2.3.4, libvirt 12.3, nano 9.0, nmap 7.99, Postfix 3.11.1, rsync 3.4.2, Samba 4.24.1, Tor 0.4.9.7, transmission 4.1.1, tshark 4.6.5, and Zabbix Agent 7.0.24 LTS.
For additional details, see the announcement.
IPFire 2.29 Core Update 202 is available for download on IPFire’s website. For fresh installs, two build flavors cover the most common hardware: x86_64 and aarch64. Existing systems can be upgraded via IPFire’s web UI or the pakfire update command.
