IPFire ships its 200th core update with a new domain blocklist and kernel upgrade

Network firewall distribution IPFire released Core Update 200, marking the 200th incremental update to the 2.29 branch. The release bundles a kernel upgrade, a beta domain blocklist service, security patches for OpenSSL and glibc, and a range of component updates.

The kernel has been rebased on Linux 6.18.7 LTS, bringing updated hardware security mitigations alongside network throughput and latency improvements. Linux developers deprecated ReiserFS support in this kernel line, and IPFire installations running on that filesystem cannot apply the update without first reinstalling on a supported filesystem.

IPFire DBL enters beta

The release introduces IPFire DBL, a domain blocklist the project is building to replace the retired Shalla list, which the web proxy previously relied on to filter malware, social networking, and adult content. DBL is available in two places: the URL filter for proxy-based blocking, and as a Suricata rules source. When used with Suricata, the blocklist enables deep packet inspection across DNS, TLS, HTTP, and QUIC connections.

The project describes DBL as an early beta and is soliciting community feedback. A DNS Firewall with native content filtering is listed on the roadmap as the next major milestone.

Suricata and IPS changes

A cache management fix addresses a bug introduced in the previous update, where Suricata’s pre-compiled signature cache grew without limit and consumed disk space. A backported patch now causes Suricata to clean up unused signatures automatically.

The Suricata reporter has been updated to surface hostname information and additional protocol metadata for alerts involving DNS, HTTP, TLS, and QUIC connections. That data will appear in alert emails and PDF reports, giving administrators more context when investigating policy violations.

OpenVPN configuration updates

Several OpenVPN client configuration behaviors have changed. MTU values will now be pushed from the server rather than baked into client configs, giving administrators flexibility to adjust the value after deployment. The OTP authentication token will also be pushed server-side when OTP is enabled. The CA certificate has been removed from client configuration files because it is already contained in the PKCS12 container; its presence was causing import failures in NetworkManager on the command line.

DNS proxy goes multi-threaded

Unbound, the DNS proxy component, will now launch one thread per CPU core. Previously it ran on a single thread. The change is expected to reduce response times under load.

Wireless access point fixes

Support for 802.11a/g has been restored after being dropped unintentionally in a prior release. A separate fix prevents hostapd from flooding logs with debug output when debugging is enabled. PSK values containing special characters are now accepted.

Security patches

OpenSSL has been updated to version 3.6.1, patching twelve CVEs: CVE-2025-11187, CVE-2025-15467, CVE-2025-15468, CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, and CVE-2026-22796. The glibc library received patches for CVE-2026-0861, CVE-2026-0915, and CVE-2025-15281.

Package updates

Notable component versions in this release include Apache 2.4.66, BIND 9.20.18, cURL 8.18.0, OpenVPN 2.6.17, strongSwan 6.0.4, Suricata 8.0.3, Unbound 1.24.2, ClamAV 1.5.1, Samba 4.23.4, and Tor 0.4.8.21.

Must read:

• 40 open-source tools redefining how security teams secure the stack
• Firmware scanning time, cost, and where teams run EMBA

Subscribe to the Help Net Security ad-free monthly newsletter to stay informed on the essential open-source cybersecurity tools. Subscribe here!