IPFire, a Linux-based open-source firewall distribution designed for network security, routing, VPN, intrusion prevention, and related gateway tasks, has issued IPFire 2.29 Core Update 201. According to devs, this is one of its more significant recent releases because it adds a long-requested DNS filtering layer directly into IPFire’s DNS handling path.
The DNS Firewall checks DNS queries against IPFire DBL, the project’s curated domain blocklist, before responding to the client. If a domain is blocked, IPFire returns an NXDOMAIN response, making the domain appear nonexistent. This approach enables IPFire to block malware, phishing, advertising, and unwanted content before the client attempts a connection.
This feature replaces IPFire’s previous URL Filter. Unlike proxy-based filtering, DNS Firewall does not require client-side proxy configuration or HTTPS inspection. Developers also position it as an alternative to running a separate Pi-hole instance, since filtering now occurs directly on the firewall managing DNS traffic for the network.
On top of that, Core Update 201 also improves Intrusion Prevention System reporting by allowing separate recipients for daily, weekly, and monthly IDS reports.
The update also includes improvements to IPFire’s experimental RISC-V build, with a refreshed kernel configuration. The network installer now allocates more disk space when booted over the network to accommodate the larger ISO download. Unneeded Rust packages have been removed, and web proxy firewall rules are now created with the --wait flag to prevent race conditions during rule insertion.
Core package updates include BIND 9.20.20, coreutils 9.10, expat 2.7.4, fuse 3.18.1, harfbuzz 12.3.2, intel-microcode 20260210, iptables 1.8.12, krb5 1.22.1, libgcrypt 1.12.0, ncurses 6.6, OpenVPN 2.6.19, OpenSSL 3.6.1, PAM 1.7.2, Ruby 4.0.1, Suricata Reporter 0.7, Vim 9.1.2147, xfsprogs 6.18.0, and zlib-ng 2.3.3.
The add-on collection receives updates, including ddrescue 1.30, fping 5.5, Git 2.53.0, minicom 2.11, nano 8.7.1, nfs 2.8.5, Postfix 3.10.7, Samba 4.23.5, and tshark 4.6.4. The Wireless Access Point add-on corrects an inverted description for Neighbourhood Scan and adds a Dutch translation.
Finally, the 7zip add-on has been removed, as the upstream project is no longer maintained.
For more details, see the announcement.
Core Update 201 is already available for download on IPFire’s website. Two build flavors cover the most common hardware: x86_64 and aarch64 for those needing a fresh install. Existing systems can be upgraded via IPFire’s web UI or the pakfire update command.
