<?xml version="1.0" encoding="windows-1252"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
	<channel>
		<title>n00b Unlimited - Forums</title>
		<link>https://n00bunlimited.net/</link>
		<description>vBulletin Forums</description>
		<language>en</language>
		<lastBuildDate>Tue, 14 Apr 2026 07:45:42 GMT</lastBuildDate>
		<generator>vBulletin</generator>
		<ttl>60</ttl>
		<image>
			<url>https://n00bunlimited.net/images/misc/rss.png</url>
			<title>n00b Unlimited - Forums</title>
			<link>https://n00bunlimited.net/</link>
		</image>
		<item>
			<title>IPFire 2.29 - Core Update 201 is available for testing</title>
			<link>https://n00bunlimited.net/home/forum/site-news/ipfire/80476-ipfire-2-29-core-update-201-is-available-for-testing</link>
			<pubDate>Thu, 12 Mar 2026 11:13:02 GMT</pubDate>
			<description>We are pleased to announce a new testing release of IPFire! It brings you our DNS firewall - a feature that so many of you have been waiting for -...</description>
			<content:encoded><![CDATA[<br />
<br />
We are pleased to announce a new testing release of IPFire! It brings you our DNS firewall - a feature that so many of you have been waiting for - together with a large toolchain rebase, a wide range of updated packages and the usual bunch of various improvements across the entire system.<br />
<br />
<b>Hello DNS Firewall</b><br /><br />The wait is over. One of the most requested features in IPFire's history is finally here, and it fundamentally changes what your firewall is capable of. The DNS Firewall transforms IPFire from a network gatekeeper into an active threat eliminator &#8212; blocking malware, phishing, advertising, and unwanted content before a single byte of malicious data ever touches your network. <br />
<br />
For full details, see the <a href="https://www.ipfire.org/docs/configuration/firewall/dns" target="_blank">DNS Firewall documentation</a> and the <a href="https://www.ipfire.org/docs/roadmap/dns-firewall" target="_blank">DNS Firewall roadmap page</a>.<br />
<br />
<b>How it works</b><br /><br />Every device on your network resolves domain names through IPFire's DNS proxy. The DNS Firewall sits inside that pipeline and evaluates every query against <a href="https://www.ipfire.org/dbl" target="_blank">IPFire DBL</a> &#8212; our own curated, continuously updated domain blocklist &#8212; before a response ever reaches the client. Blocked domains receive an NXDOMAIN response: to the client, the domain simply does not exist. No connection is attempted, no content is fetched, and no trace of the request leaves your network.<br />
<br />
As a first to offer this to a large user-base, blocklist updates are delivered via IXFR &#8212; incremental DNS zone transfers directly into the DNS proxy &#8212; meaning your lists are refreshed within the hour, automatically, with no manual intervention and minimal bandwidth overhead.<br />
<br />
<b>Goodbye URL Filter. Goodbye Pi-hole.</b><br /><br />If you have been running the URL Filter, you already understand the frustration: clients need explicit proxy configuration, HTTPS inspection is a minefield, and the entire approach was designed for a web that no longer exists. If you have been running a Pi-hole alongside IPFire to compensate, you have been maintaining a second device, a second software stack, and a second security boundary &#8212; all to do something your firewall should have been doing all along.<br />
<br />
The DNS Firewall replaces both. It requires no client configuration, no additional hardware, and no compromises. Your firewall is already the single point through which all DNS traffic flows &#8212; it has always been the right place for this.<br />
<br />
<b>Miscellaneous Improvements</b><br /><br /><ul><li><b>Intrusion Prevention System</b> It is now possible to configure different recipients for daily, weekly, and monthly IDS reports &#8212; useful for teams where different people are responsible for different reporting cadences.</li>
<li><b>RISC-V</b> <a href="https://n00bunlimited.net//users/arne_f" target="_blank">Arne.F</a> has updated the kernel configuration on the <a href="https://nightly.ipfire.org/next/latest/riscv64/" target="_blank">experimental build for RISC-V devices</a>.</li>
<li><b>Network Installer</b> The installer now allocates more disk space when booting from the network, accommodating the increased size of the ISO download.</li>
<li><b>Rust Cleanup</b> <a href="https://n00bunlimited.net//users/stevee" target="_blank">Stefan Schantl</a> has removed Rust packages that were no longer needed in the distribution, reducing build overhead and attack surface.</li>
<li><b>Web Proxy Firewall Rules</b> Rules are now created with the --wait flag, preventing race conditions during rule insertion.</li>
<li><b>Toolchain Update</b> IPFire has been rebased on the latest versions of glibc 2.43 and GNU binutils 2.46.0. These are the fundamental libraries and binary tools that underpin all userspace components inside IPFire. Keeping them current ensures better hardware support, improved security hardening, and a solid foundation for all packages built on top of them.</li>
<li>The following packages have been updated in this release: asciidoctor 2.0.26, BIND 9.20.20, binutils 2.46.0, ccache 4.12.3, conntrack-tools 1.4.9, coreutils 9.10, dejagnu 1.6.3, expat 2.7.4, fuse 3.18.1, gettext 1.0, glibc 2.43, harfbuzz 12.3.2, hwdata 0.404, intel-microcode 20260210, iptables 1.8.12, jansson 2.15.0, krb5 1.22.1, less 692, libgcrypt 1.12.0, libnetfilter_conntrack 1.1.1, libpng 1.6.55, libtalloc 2.4.4, libuv 1.52.0, libxcrypt 4.5.2, m4 1.4.21, ncurses 6.6, OpenVPN 2.6.19, OpenSSL 3.6.1, p11-kit 0.26.2, PAM 1.7.2, procps 4.0.6, Ruby 4.0.1, suricata-reporter 0.7, vim 9.1.2147, wireless-regdb 2026.02.04, xfsprogs 6.18.0, zlib-ng 2.3.3</li>
</ul><br />
<b>Add-ons</b><br /><br /><ul><li><b>Wireless Access Point</b><ul><li>The description for the Neighbourhood Scan was previously inverted and has been corrected.</li>
<li><a href="https://n00bunlimited.net//users/bonnietwin" target="_blank">Adolf Belka</a> has contributed a Dutch translation for this package.</li>
</ul></li>
<li>Updated Add-on Packages: ddrescue 1.30, fping 5.5, Git 2.53.0, minicom 2.11, nano 8.7.1, nfs 2.8.5, Postfix 3.10.7, Samba 4.23.5, tshark 4.6.4</li>
<li>The 7zip package has been removed from the add-on collection. The upstream project is no longer maintained, and continuing to ship unmaintained software is not consistent with IPFire's security posture.</li>
</ul><br />
<hr /><br />
This is a <b>testing release</b>. We encourage all users who are able to run non-production hardware to give it a try and report any issues, particularly around the new DNS Firewall feature. Your feedback at this stage directly shapes the quality of the stable release.<br />
<br />
Please report issues on the <a href="https://community.ipfire.org/" target="_blank">IPFire community forum</a> or the bug tracker.<br />
<br />
<br />
<a href="https://www.ipfire.org/blog/ipfire-2-29-core-update-201-is-available-for-testing" target="_blank">More...</a>]]></content:encoded>
			<category domain="https://n00bunlimited.net/home/forum/site-news/ipfire">Ipfire</category>
			<dc:creator>siosios</dc:creator>
			<guid isPermaLink="true">https://n00bunlimited.net/home/forum/site-news/ipfire/80476-ipfire-2-29-core-update-201-is-available-for-testing</guid>
		</item>
		<item>
			<title>Team Fortress 2 Update Released</title>
			<link>https://n00bunlimited.net/home/forum/site-news/steam-news/80475-team-fortress-2-update-released</link>
			<pubDate>Wed, 11 Mar 2026 19:40:08 GMT</pubDate>
			<description>An update to Team Fortress 2 has been released. The update will be applied automatically when you restart Team Fortress 2. The major changes include:...</description>
			<content:encoded><![CDATA[An update to Team Fortress 2 has been released. The update will be applied automatically when you restart Team Fortress 2. The major changes include:<ul><li>Fixed client crash related to material proxies</li>
<li>Fixed Scout.NegativeVocalization04 sounds in Mann vs. Machine not playing because of a typo in the volume (community fix from That Hat Guy)</li>
<li>Fixed The Spy-cicle not using its icicle lightwarp (community fix from BreavyTF2)</li>
<li>Updated material for cp_coldfront to fix compression issue</li>
<li>Updated the prop for Taunt: Heartbreaker to fix a missing material</li>
<li>Updated koth_demolition<ul><li>Fixed a player clip on the helipad allowing players to stand outside the playable area (thanks Midnite)</li>
<li>Fixed some player clip pixel walks on some doors</li>
<li>Fixed a blockbullets floating above BLU spawn (thanks True_Boredom)</li>
</ul></li>
</ul><br />
<br />
<a href="https://store.steampowered.com/news/265516/" target="_blank">More...</a>]]></content:encoded>
			<category domain="https://n00bunlimited.net/home/forum/site-news/steam-news">Steam News</category>
			<dc:creator>siosios</dc:creator>
			<guid isPermaLink="true">https://n00bunlimited.net/home/forum/site-news/steam-news/80475-team-fortress-2-update-released</guid>
		</item>
		<item>
			<title>Team Fortress 2 Update Released</title>
			<link>https://n00bunlimited.net/home/forum/site-news/steam-news/80474-team-fortress-2-update-released</link>
			<pubDate>Fri, 06 Mar 2026 18:11:38 GMT</pubDate>
			<description>An update to Team Fortress 2 has been released. The update will be applied automatically when you restart Team Fortress 2. The major changes include:...</description>
			<content:encoded><![CDATA[An update to Team Fortress 2 has been released. The update will be applied automatically when you restart Team Fortress 2. The major changes include:<ul><li>Fixed an issue where players could impersonate TF2 system messages by exploiting color control codes</li>
<li>Fixed a bug where certain custom maps would not load assets correctly on Linux</li>
<li>Fixed some crashes relating to singleplayer TF2 SDK mods</li>
<li>Fixed a memory leak on long running servers related to dynamic models</li>
<li>Fixed client crash related to invalid D3D texture flag</li>
<li>Fixed hearing teleporter spin sound when carried (community fix from Brandon Little)</li>
<li>Fixed objects sometimes using the incorrect activity when being placed (community fix from Brandon Little)</li>
<li>Improved Medi Gun heal target selection to prioritize teammate directly under crosshair when teammates are close together (community fix from wget)</li>
<li>Improved targetid selection to replicate Medi Gun heal target selection (community fix from wget)</li>
<li>Added missing Steam Controller inputs for loadout menus (community fix from Ashetf2)</li>
<li>Fixed 3D HUD using the incorrect animations while holding the PASS Time ball (community fix from gidi30)</li>
<li>Fixed network state changes for player condition vars (community fix from ficool2)</li>
<li>Fixed sentry rockets not sending the object_deflected game event when deflected (community fix from The Fatcat)</li>
<li>Fixed Stat Clocks not drawing correctly in UI using playermodelpanel (community fix from rabscootle)</li>
<li>Fixed flipped initial pitch/yaw on thirdperson switch (community fix from ficool2)</li>
<li>Fixed Short Circuit projectile offset ignoring cl_flipviewmodels (community fix from birchish)</li>
<li>Fixed Dragon's Fury fireballs having incorrect projectile path (community fix from wget)</li>
<li>Fixed for mismatched cl_flipviewmodels values between client and server (community fix from birchish)</li>
<li>Fixed cloak and rage meters being mispredicted (community fix from ficool2)</li>
<li>Fixed prediction issues with Spy watches and cloak (community fix from ficool2)</li>
<li>Fixed Casual doors player list sometimes using wrong size (community fix from nemmy)</li>
<li>Fixed missing alpha mask for generator_01 (community fix from BreavyTF2)</li>
<li>Fixed BuildingRescueLevel proxy overwriting TextureScroll on Rescue Ranger oscilloscope (community fix from Voids29)</li>
<li>Fixed Botkiller team color bugs (community fix from DiskIntegrity)</li>
<li>Fixed Scout.NegativeVocalization04 sound not playing because of a typo in the volume</li>
<li>Renamed sd_marshlands to htf_marshlands (hold the flag) to accurately describe its game mode</li>
<li>Updated the Festivizer model for The Overdose to fix a problem with the LODs</li>
<li>Updated the Mann of the Hour to make the hair blend better with the hat and Scout's skin</li>
<li>Updated/Added some tournament medals</li>
<li>Updated The Bare Necessities to fix not moving correctly while taunting</li>
<li>Updated the rigging for The Headliner to fix the pocket and tie stretching during some taunts and default poses</li>
<li>Updated alpha channel for Hydro water texture to remove inconsistencies</li>
<li>Updated the Case of the Blues<ul><li>Updated rigging to fix intense stretching during taunt poses</li>
<li>Updated materials to look less flat</li>
</ul></li>
<li>Updated the taunt prop for Taunt: Heartbreaker<ul><li>Updated the materials to add ambient occlusion</li>
<li>Updated the phong and rim lighting to show albedo tint</li>
<li>Updated the materials to add more depth</li>
<li>Updated the model to fix missing faces</li>
<li>Updated the model to fix stretching on lower LODs</li>
</ul></li>
<li>Updated pl_frontier_final to fix invisible func_detail water near BLU spawn (community fix from ObsoleteGuy)</li>
<li>Updated cp_frostwatch to fix first point death pit being survivable with ÜberCharges on Stage 1</li>
<li>Updated cp_manor_event to fix invisible func_detail water near BLU spawn (community fix from ObsoleteGuy)</li>
<li>Updated koth_demolition<ul><li>Updated map lighting to make it more like a sunset, as well as giving it a more golden color</li>
<li>Replaced the models used for the capture point lights with a different one which has better collision and illumination</li>
<li>Reworked the capture point platform to give it a stronger design</li>
<li>Reworked all the catwalks to give them a more stylized look</li>
<li>Reworked the lighting in all the furnace rooms to make them less dark and have a more neutral look</li>
<li>Reverted a previous change to the capture point team change steam whistle</li>
<li>Removed all ambient_generics near the furnaces and fire pipe</li>
<li>Reworked the soundscapes to make them more efficient and work properly</li>
<li>Reworked the control room of the crane to give it a better design</li>
<li>Reworked some ropes from the crane to give them a better look</li>
<li>Fixed some props fading out incorrectly</li>
<li>Fixed ships in the 3d skybox casting shadows</li>
<li>Fixed cubemaps missing on parts of the map</li>
<li>Fixed reflective surfaces not having a cubemap attached to them</li>
<li>Added a 128x128 cubemap on the control point so it is more reflective (thanks Zythe)</li>
<li>Improved water cubemaps</li>
<li>Restructured the spawn platform so players spawn looking at the shortcut, and don't need to pull a U-turn to exit spawn (thanks Lizard of Oz)</li>
<li>Improved the visuals on the spawn platform to fit the previous change</li>
<li>Fixed a blockbullets allowing players to stand on the exterior side of the helipads (thanks Yazoo)</li>
</ul></li>
</ul><br />
<br />
<a href="https://store.steampowered.com/news/265126/" target="_blank">More...</a>]]></content:encoded>
			<category domain="https://n00bunlimited.net/home/forum/site-news/steam-news">Steam News</category>
			<dc:creator>siosios</dc:creator>
			<guid isPermaLink="true">https://n00bunlimited.net/home/forum/site-news/steam-news/80474-team-fortress-2-update-released</guid>
		</item>
		<item>
			<title>IPFire 2.29 - Core Update 200 released</title>
			<link>https://n00bunlimited.net/home/forum/site-news/ipfire/80473-ipfire-2-29-core-update-200-released</link>
			<pubDate>Fri, 27 Feb 2026 11:04:09 GMT</pubDate>
			<description>We are excited for the final release of IPFire 2.29 - Core Update 200. This release ships with Linux kernel 6.18 LTS, an exciting preview of IPFire...</description>
			<content:encoded><![CDATA[<br />
<br />
We are excited for the final release of IPFire 2.29 - Core Update 200. This release ships with Linux kernel 6.18 LTS, an exciting preview of IPFire DBL (our new domain blocklist system), numerous package updates, performance improvements, security fixes, and plenty of general awesomeness throughout. As we mark this 200th update milestone, we extend our heartfelt thanks to our community whose continued support makes it all possible &#8212; we hope this release reflects the care and dedication we've poured into it.<br />
<br />
<b>Help Us Build the DNS Firewall &#8212; A Call for Community Support</b><br /><br /><a href="https://www.ipfire.org/blog/introducing-ipfire-dbl-community-powered-domain-blocking-for-everyone" target="_blank">IPFire DBL</a>, previewed in this release, is the foundation of something much bigger. As we have previously announced, our next major milestone is a fully integrated <a href="https://www.ipfire.org/docs/roadmap/dns-firewall" target="_blank">DNS Firewall</a> &#8212; bringing modern, native content filtering to IPFire, making it the only tool your network needs to block advertising, malware, and unwanted content at the DNS layer.<br />
<br />
If this is a vision you share, please consider supporting its development with a <a href="https://www.ipfire.org/donate" target="_blank">donation</a>. Every contribution brings us closer to making it a reality.<br />
<br />
<b>Kernel 6.18</b><br /><br />The IPFire kernel has been rebased on Linux 6.18.7. This new long-term supported release brings various security, performance and stability improvements. This update brings general improvements to network throughput and latency, enhanced packet filtering capabilities, and the latest hardware security mitigations.<br />
<br />
Furthermore, the Linux developers have deprecated support for ReiserFS. If your IPFire installation is running on this filesystem, you will have seen a note on the web user interface for some time and you won't be able to install the update. Instead you will have to re-install using IPFire with a supported file system.<br />
<br />
<b><a href="https://www.ipfire.org/dbl" target="_blank">IPFire Domain Blocklist</a> - or DBL</b><br /><br />Since the infamous Shalla list has been retired, the IPFire web proxy has been in need of a stable source of domains to block if you wish to filter any malware, social networks or adult content from your network. Due to the lack of good sources, and the general desire to provide a solid domain block list to our users, we have now started our own. It is in its baby stages right now and we will have a lot of excitement to share about this in the near future, but for now it will be available in two places:<ul><li>URL Filter: You can now use IPFire DBL to block any access through the proxy</li>
<li><a href="https://www.ipfire.org/blog/beyond-dns-ipfire-dbl-suricata-close-the-filtering-gap" target="_blank">Suricata</a>: With launching IPFire DBL, we are now becoming a Suricata rules provider, too. With the new database, you will be able to block any access to banned sites even more thoroughly by allowing the IPS to perform deep packet inspection on DNS/TLS/HTTP/QUIC connections.</li>
</ul><br />
This is currently in an early beta stage and we are happy to receive your feedback and support.<br />
<br />
<b>Misc.</b><br /><br /><ul><li>Intrusion Prevention System<ul><li>The last update introduced the ability for Suricata to store signatures in a pre-compiled cache. That cache grew without bounds and could consume significant disk space. In this update, we backported a patch so that Suricata will automatically clean up any unused signatures.</li>
<li>The reporter has been updated to include additional information for any alerts using DNS, HTTP, TLS, or QUIC where the hostname and more information will be shown in the alert emails or PDF reports. This will help admins to further investigate any corporate policy violations.</li>
</ul></li>
<li>OpenVPN<ul><li>The client configuration will no longer include the MTU. Instead, it will be pushed by the server so that the admin has the liberty to change it later. Some older clients might not support this change.</li>
<li>Likewise, the OTP auth token will be pushed by the server if the client has OTP enabled.</li>
<li>The client configuration files will no longer include the CA as it is already included in the PKCS12 container. This caused problems when importing connections using NetworkManager on the command line.</li>
</ul></li>
<li>Wireless Access Point<ul><li>Support for 802.11a/g has been re-introduced</li>
<li>Unintentionally, hostapd could log a lot of debugging information if debugging was enabled before</li>
<li>PSK values that include any special characters will now be accepted</li>
</ul></li>
<li>Unbound, the IPFire DNS Proxy, will now launch one thread per CPU core. Formerly it used to run single-threaded, but we expect quicker response times from launching multiple concurrent threads.</li>
<li>PPP: IPFire will now only send LCP keep alive packets when there is no traffic. This will slightly save on overhead on DSL and 5G/4G connections.</li>
<li>UI<ul><li>The DNS page will now consistently show the legend.</li>
</ul></li>
<li>OpenSSL has been updated to version 3.6.1 and patched against the following vulnerabilities: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-11187" target="_blank">CVE-2025-11187</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-15467" target="_blank">CVE-2025-15467</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-15468" target="_blank">CVE-2025-15468</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-15469" target="_blank">CVE-2025-15469</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-66199" target="_blank">CVE-2025-66199</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-68160" target="_blank">CVE-2025-68160</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-69418" target="_blank">CVE-2025-69418</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-69419" target="_blank">CVE-2025-69419</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-69420" target="_blank">CVE-2025-69420</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-69421" target="_blank">CVE-2025-69421</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2026-22795" target="_blank">CVE-2026-22795</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2026-22796" target="_blank">CVE-2026-22796</a>.</li>
<li>glibc has been patched against <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2026-0861" target="_blank">CVE-2026-0861</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2026-0915" target="_blank">CVE-2026-0915</a> and <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-15281" target="_blank">CVE-2025-15281</a></li>
<li>Updated packages - and as usual, it is a lot: Apache 2.4.66, bash 5.3p9, BIND 9.20.18, coreutils 9.9, cURL 8.18.0, elinks 0.19.0, glib 2.87.0, GnuPG 2.4.9, GnuTLS 3.8.11, harfbuzz 12.3.0, hwdata 0.403, iana-etc 20251215, intel-microcode 20251111, libarchive 3.8.5, libcap-ng 0.9, libgpg-error 1.58, libidn2 2.3.8, libjpeg 3.1.3, libpcap 1.10.6, libplist 2.7.0, libpng 1.6.53, libtasn1 4.21.0, liburcu 0.15.5, libxcrypt 4.5.1, LVM2 2.03.38, mdadm 4.5, memtest 8.00, meson 1.10.1, newt 0.52.25, ninja 1.13.2, oath-toolkit 2.6.13, OpenVPN 2.6.17, OpenSSL 3.6.1, SQLite 3.51.100, tzdata 2025c, readline 8.3p3, strongSwan 6.0.4, suricata 8.0.3, suricata-reporter 0.6, Rust 1.92.0, Unbound 1.24.2, wireless-regdb 2025.10.07, vim 9.1.2098, xz 5.8.2</li>
<li>Updated add-ons: alsa 1.2.15.3, ClamAV 1.5.1, dnsdist 2.0.2, fetchmail 6.6.0, gdb 17.1, Git 2.52.0, fort-validator 1.6.7, freeradius 3.2.8, libtpms 0.10.2, opus 1.6.1, postfix 3.10.6, samba 4.23.4, strace 6.18, tmux 3.6a, Tor 0.4.8.21, tshark 4.6.3</li>
</ul><br />
<br />
<a href="https://www.ipfire.org/blog/ipfire-2-29-core-update-200-released" target="_blank">More...</a>]]></content:encoded>
			<category domain="https://n00bunlimited.net/home/forum/site-news/ipfire">Ipfire</category>
			<dc:creator>siosios</dc:creator>
			<guid isPermaLink="true">https://n00bunlimited.net/home/forum/site-news/ipfire/80473-ipfire-2-29-core-update-200-released</guid>
		</item>
		<item>
			<title>Beyond DNS: IPFire DBL + Suricata Close the Filtering Gap</title>
			<link>https://n00bunlimited.net/home/forum/site-news/ipfire/80472-beyond-dns-ipfire-dbl-suricata-close-the-filtering-gap</link>
			<pubDate>Thu, 19 Feb 2026 15:24:17 GMT</pubDate>
			<description><![CDATA[Last week we introduced IPFire DBL&#8212;our community-driven domain blocking solution. Today, we're diving into something that sets IPFire apart from...]]></description>
			<content:encoded><![CDATA[<br />
<br />
Last week we introduced IPFire DBL&#8212;our community-driven domain blocking solution. Today, we're diving into something that sets IPFire apart from DNS-only filtering solutions: the ability to block threats that bypass DNS entirely.<br />
<br />
DNS-based blocking solutions like Pi-hole are excellent at what they do: they prevent your devices from resolving malicious domain names. But here's the problem: DNS filtering only works if the malware or threat actually uses your configured DNS resolver.<br />
<br />
Increasingly, threats are bypassing DNS filtering altogether:<ul><li>Malware using DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH) to tunnel queries outside your network</li>
<li>Applications with hardcoded IP addresses that never touch your DNS resolver</li>
<li><a href="https://www.ipfire.org/blog/feature-spotlight-weaponising-ipfire-location-to-proactively-detect-fast-flux-setups" target="_blank">Fast-flux networks</a> where DNS records change faster than blocklists update</li>
</ul><br />
Even when DNS blocking works, you only know a query was blocked - you don't know if a device on your network is already infected and actively trying to communicate with command-and-control servers.<br />
<br />
This is where involving the Intrusion Prevention System changes everything.<br />
<br />
<b>How IPFire DBL + IPS Works</b><br /><br />Suricata is an open-source intrusion detection and prevention system (IDS/IPS) that can inspect network traffic at the packet level. When combined with IPFire DBL, it becomes a powerful multi-protocol filtering engine.<br />
<br />
Even when connections are encrypted with TLS or QUIC, there is a critical piece of information sent in plaintext during the handshake: the Server Name Indication (SNI). SNI tells the server which hostname the client wants to connect to - and crucially for us, Suricata can read this before the encryption begins. This means even if malware bypasses your DNS resolver entirely and connects directly to an IP address, if it establishes a TLS or QUIC connection, we can see exactly which domain it is trying to reach.<br />
<br />
IPFire DBL + Suricata inspects:<ul><li>DNS queries - Traditional DNS traffic on port 53</li>
<li>Host headers in (unencrypted) HTTP requests</li>
<li>SNI in TLS/QUIC connections</li>
</ul><br />
This multi-protocol approach means there are virtually no loopholes. If a connection uses standard protocols to reach a malicious domain, we catch it.<br />
<br />
<b>Suricata Datasets: Efficient at Scale</b><br /><br />Suricata implements domain matching using datasets - highly optimised data structures designed for fast lookups against large lists. This is critical because IPFire DBL contains millions of domains across multiple categories.<br />
<br />
When a connection is established, Suricata checks the hostname against the relevant datasets in real-time. The performance impact is negligible - Suricata's dataset implementation is specifically built for this kind of high-speed matching. (For more technical details on Suricata datasets, see <a href="https://docs.suricata.io/en/latest/rules/datasets.html" target="_blank">Suricata's dataset documentation</a>)<br />
<br />
<b>What Happens on a Match?</b><br /><br />When Suricata detects a connection to a domain in your selected IPFire DBL categories, the connection is immediately dropped, an alert is generated with full details of the blocked connection, and the event is logged for visibility and reporting.<br />
<br />
Here's where IPFire's firewall-based approach delivers something DNS-only solutions simply cannot: complete visibility into what's happening on your network.<br />
<br />
This isn't just blocking - it is <b>threat intelligence</b>. If you see malware connection attempts from a device on your network, you now know that device may be compromised and needs investigation.<br />
<br />
IPFire's recently added PDF reports include detailed information about blocked connections, including the actual hostnames involved. Over time, this builds a picture of threat activity on your network. Which devices are most frequently attempting malicious connections? What types of threats are you seeing? (Malware? Phishing? Tracking?) Are there patterns that suggest a compromised device or insider threat?<br />
<br />
<b>Why IPFire Goes Further Than Pi-hole and DNS-Only Solutions</b><br /><br />Pi-hole and similar DNS-based blockers are fantastic tools - they are lightweight, effective, and have built vibrant communities. But they're fundamentally limited by what they can see: DNS queries only.<br />
<br />
IPFire, as a full firewall solution, sees every packet that traverses your network. This positional advantage enables capabilities that DNS-only solutions simply cannot provide.<br />
<br />
This isn't about Pi-hole being inadequate - it is about understanding that firewalls and DNS resolvers solve different problems. Pi-hole is excellent for network-wide ad blocking and basic malware filtering at the DNS layer. IPFire is a security-focused firewall with deep packet inspection capabilities.<br />
<br />
If you want comprehensive threat detection, visibility into encrypted traffic, and alerts when devices on your network attempt malicious connections, you need firewall-level inspection. That's what IPFire delivers.<br />
<br />
<b>Enabling IPFire DBL in Suricata</b><br /><br />If you're running IPFire Core Update 200 (currently in testing), enabling IPFire DBL filtering through Suricata is straightforward.<ul><li>Navigate to the IPS page in the Firewall section of your IPFire web interface</li>
<li>Add IPFire DBL as a rule provider - You'll see IPFire DBL listed as an available rule source</li>
<li>Select your categories - Choose which IPFire DBL categories you want Suricata to enforce: Malware, Phishing, Advertising, Pornography, Gambling, Games, <a href="https://www.ipfire.org/dbl#lists" target="_blank">and more</a></li>
</ul><br />
You may customise the ruleset to only enable some of the protocols, but most users will want to enable all four protocols for maximum coverage.<br />
<br />
Apply changes - Suricata will download the latest IPFire DBL rules and begin enforcement.<br />
<br />
If you are not running IPFire, I would first of all recommend that you should. But you can still use IPFire DBL as it is described in the <a href="https://www.ipfire.org/dbl/how-to-use#suricata" target="_blank">How To Use? section</a> on the IPFire DBL website.<br />
<br />
<b>The Future of Network Security</b><br /><br />IPFire DBL + Suricata represents a fundamental shift in how we think about domain-based filtering. This isn't just about blocking websites - it is about detecting threats, gaining visibility, and protecting your network across every protocol.<br />
<br />
DNS filtering has its place, and it is effective for what it does. But as threats evolve and increasingly bypass DNS through encrypted channels, hardcoded IPs, and alternative protocols, we need solutions that evolve with them.<br />
<br />
IPFire gives you that evolution: a firewall that sees everything, inspects what matters, and tells you when something is wrong.<br />
<br />
<b>Get Started Today</b><br /><br />Core Update 200 is in testing now and will be released in the coming weeks. Keep an eye on the update notifications, and be ready to enable this powerful new capability.<br />
<br />
This is network security done right. This is IPFire.<br />
<br />
<br />
<a href="https://www.ipfire.org/blog/beyond-dns-ipfire-dbl-suricata-close-the-filtering-gap" target="_blank">More...</a>]]></content:encoded>
			<category domain="https://n00bunlimited.net/home/forum/site-news/ipfire">Ipfire</category>
			<dc:creator>siosios</dc:creator>
			<guid isPermaLink="true">https://n00bunlimited.net/home/forum/site-news/ipfire/80472-beyond-dns-ipfire-dbl-suricata-close-the-filtering-gap</guid>
		</item>
		<item>
			<title>Introducing IPFire DBL: Community-Powered Domain Blocking for Everyone</title>
			<link>https://n00bunlimited.net/home/forum/site-news/ipfire/80471-introducing-ipfire-dbl-community-powered-domain-blocking-for-everyone</link>
			<pubDate>Wed, 11 Feb 2026 13:01:27 GMT</pubDate>
			<description>We have been working on something for months that addresses a problem we have had for years: IPFire DBL (Domain Blocklist) - a comprehensive,...</description>
			<content:encoded><![CDATA[<br />
<br />
We have been working on something for months that addresses a problem we have had for years: <b>IPFire DBL</b> (Domain Blocklist) - a comprehensive, community-driven domain blocking solution that gives <i>you</i> control over what gets blocked in your network.<br />
<br />
For years, we have not been happy with what was available on the market - neither free nor commercial solutions give IPFire users what they actually need. The typical approach is one massive blocklist that tries to be everything to everyone. This is wasteful in terms of resources and memory consumption, and worse, it takes the decision-making power away from <b>you</b>.<br />
<br />
We also noticed a troubling pattern: many sources aggregate data from various places without having the legal rights to redistribute them under new terms. We wanted to build something with real legal certainty.<br />
<br />
<b>IPFire DBL</b> is our answer: give users the power to choose what fits their use case, and give them a way to work together to strengthen these lists over time.<br />
<br />
We wanted to do better. So we built IPFire DBL from the ground up to solve these problems. Here's what makes it different:<br />
<br />
<b>IPFire DBL Is Built On These Core Principles</b><br /><br /><b>Categorization, Not Dictation</b><br /><br />Instead of forcing you to accept someone else's blocking decisions, IPFire DBL organises millions of domains into specific categories. Want to block malware and advertising but allow gaming sites? No problem. Need to filter pornography and gambling in an educational environment? You choose exactly what fits your use case.<br />
<br />
Currently we have curated the following categories:<ul><li><b>Malware</b> - Block malicious domains before they deliver payloads or establish command-and-control connections</li>
<li><b>Phishing</b> - Stop credential theft by blocking fraudulent domains at the network level</li>
<li><b>Advertising</b> - Reclaim bandwidth and protect privacy by blocking tracking at the source</li>
<li><b>Pornography</b> - Network-wide content filtering across all devices</li>
<li><b>Gambling</b> - Prevent access to betting sites and online casinos</li>
<li><b>Games</b> - Focus by blocking gaming platforms</li>
<li><b>DNS-over-HTTPS</b> - Maintain network visibility and prevent DNS policy bypass</li>
<li>...<a href="https://www.ipfire.org/dbl#lists" target="_blank">and more</a></li>
</ul><br />
<b>Open Standards - Built for Integration</b><br /><br />IPFire DBL is not locked into one format or one way of doing things. We have built it on open standards so you can use it however works best for your setup:<ul><li>DNS Response Policy Zones (RPZ) - Industry-standard DNS blocking with full AXFR/IXFR zone transfer support, for instant updates</li>
<li>Squidguard format - Ready for proxy-based filtering</li>
<li>Direct HTTPS downloads - Multiple plaintext formats for maximum compatibility</li>
<li>Adblock Plus format - Standard filter list syntax</li>
</ul><br />
Whether you are integrating into enterprise DNS infrastructure or a home network setup, the technical foundation is there.<br />
<br />
<b>Performance and Community Engagement</b><br /><br />With hourly updates and millions of domains under active curation, IPFire DBL stays current with the ever-changing threat landscape. But what really sets us apart is our community reporting tool.<br />
<br />
Found a false positive? Discovered a malicious domain we haven't caught yet? <a href="https://www.ipfire.org/dbl/report" target="_blank">Our online reporting system</a> lets you submit feedback directly, and we can push corrections fast. This is blocking powered by community intelligence.<br />
<br />
<b>Coming to IPFire Core Update 200</b><br /><br />If you are an IPFire user, you will see IPFire DBL integration in the upcoming Core Update 200 through both the URL Filter and&#8212;here's where it gets exciting&#8212;Suricata.<br />
<br />
We are testing a brand new way to apply domain intelligence through Suricata that will give you unprecedented visibility into your network activity while enforcing your blocking policies. We will be sharing much more about this Suricata integration in a follow-up post next week, but trust us: this is going to open up possibilities we have never had before in IPFire.<br />
<br />
<b>Available for Everyone</b><br /><br />The <a href="https://git.ipfire.org/?p=dbl.git;a=summary" target="_blank">code</a> that is driving IPFire DBL is licensed under GPLv3+ and the currently available lists are released under the Creative Commons Attribution-ShareAlike 4.0 (CC BY-SA 4.0) license. This is a community resource, and we want everyone to benefit from it.<br />
<br />
Because we have built IPFire DBL on industry-standard formats like RPZ, SquidGuard, and Adblock Plus syntax, you can integrate it into virtually any DNS resolver, firewall, or filtering solution. Whether you are using BIND, Unbound, PowerDNS, Pi-hole, browser extensions, or commercial firewall appliances&#8212;if it supports standard filtering formats, it supports IPFire DBL.<br />
<br />
New to domain filtering? Check out our <a href="https://www.ipfire.org/dbl/how-to-use" target="_blank">How to Use?</a> guide for step-by-step integration instructions for popular DNS resolvers, browser extensions, and network filtering tools.<br />
<br />
<b>A Community Effort - and We Need You</b><br /><br />This project represents months of development, but it's something the IPFire community has wanted for years. We've built the foundation, and now we need your help to take it further.<br />
<br />
However, as an open-source project, we're limited by one crucial resource: time.<br />
<br />
To take IPFire DBL to the next level&#8212;including features like DNS Response Policy Zones (RPZ) integration in IPFire&#8212;we need community support. <a href="https://www.ipfire.org/donate" target="_blank">We are launching a small fundraiser</a> to help us dedicate the development time needed to build these advanced features.<br />
<br />
Head over to <a href="https://www.ipfire.org/dbl" target="_blank">www.ipfire.org/dbl</a> to start using the lists today - and if IPFire DBL solves a problem for you, if it saves you time, or if you simply believe in community-driven security tools, please consider supporting this effort. Together, we can build something that does not just serve IPFire users - it serves everyone who believes in a safer, more controllable internet.<br />
<br />
This is just the beginning - let's see what we can build together.<br />
<br />
<br />
<a href="https://www.ipfire.org/blog/introducing-ipfire-dbl-community-powered-domain-blocking-for-everyone" target="_blank">More...</a>]]></content:encoded>
			<category domain="https://n00bunlimited.net/home/forum/site-news/ipfire">Ipfire</category>
			<dc:creator>siosios</dc:creator>
			<guid isPermaLink="true">https://n00bunlimited.net/home/forum/site-news/ipfire/80471-introducing-ipfire-dbl-community-powered-domain-blocking-for-everyone</guid>
		</item>
		<item>
			<title>IPFire 2.29 - Core Update 200 is available for testing</title>
			<link>https://n00bunlimited.net/home/forum/site-news/ipfire/80470-ipfire-2-29-core-update-200-is-available-for-testing</link>
			<pubDate>Fri, 30 Jan 2026 17:31:23 GMT</pubDate>
			<description><![CDATA[The IPFire development team is excited to bring you Core Update 200 &#8211; a major milestone in the project's history! This release ships with Linux...]]></description>
			<content:encoded><![CDATA[<br />
<br />
The IPFire development team is excited to bring you Core Update 200 &#8211; a major milestone in the project's history! This release ships with Linux kernel 6.18 LTS, an exciting preview of IPFire DBL (our new domain blocklist system), numerous package updates, performance improvements, security fixes, and plenty of general awesomeness throughout. We're grateful to our community for their continued support in reaching this 200th update, and we hope you enjoy what we've built for you.<br />
<br />
<b>Kernel 6.18</b><br /><br />The IPFire kernel has been rebased on Linux 6.18.7. This new long-term supported release brings various security, performance and stability improvements. This update brings general improvements to network throughput and latency, enhanced packet filtering capabilities, and the latest hardware security mitigations.<br />
<br />
Furthermore, the Linux developers have deprecated support for ReiserFS. If your IPFire installation is running on this filesystem, you will have seen a note on the web user interface for some time and you won't be able to install the update. Instead, you will have to re-install IPFire using a supported file system.<br />
<br />
<b><a href="https://www.ipfire.org/dbl" target="_blank">IPFire Domain Blocklist</a> - or DBL</b><br /><br />Since the infamous Shalla list has been retired, the IPFire web proxy has been in need of a stable source of domains to block if you wish to filter any malware, social networks or adult content from your network. Due to the lack of good sources, and the general desire to provide a solid domain block list to our users, we have now started our own. It is in its baby stages right now and we will have a lot of excitement to share about this in the near future, but for now it will be available in two places:<ul><li>URL Filter: You can now use IPFire DBL to block any access through the proxy</li>
<li>Suricata: With launching IPFire DBL, we are now becoming a Suricata rules provider, too. With the new database, you will be able to block any access to banned sites even more thoroughly by allowing the IPS to perform deep packet inspection on DNS/TLS/HTTP/QUIC connections.</li>
</ul><br />
This is currently in an early beta stage and we are happy to receive your feedback and support.<br />
<br />
<b>Misc.</b><br /><br /><ul><li>Intrusion Prevention System<ul><li>The last update introduced the ability for Suricata to store signatures in a pre-compiled cache. That cache grew without bounds and could consume significant disk space. In this update, we backported a patch so that Suricata will automatically clean up any unused signatures.</li>
<li>The reporter has been updated to include additional information for any alerts using DNS, HTTP, TLS, or QUIC where the hostname and more information will be shown in the alert emails or PDF reports. This will help admins to further investigate any corporate policy violations.</li>
</ul></li>
<li>OpenVPN:<ul><li>The client configuration will no longer include the MTU. Instead, it will be pushed by the server so that the admin has the liberty to change it later. Some older clients might not support this change.</li>
<li>Likewise, the OTP auth token will be pushed by the server if the client has OTP enabled.</li>
<li>The client configuration files will no longer include the CA as it is already included in the PKCS12 container. This caused problems when importing connections using NetworkManager on command line.</li>
</ul></li>
<li>Wireless Access Point<ul><li>Support for 802.11a/g has been re-introduced</li>
<li>Unintentionally, hostapd could log a lot of debugging information if debugging was enabled before</li>
<li>PSK values that include more special characters will now be accepted</li>
</ul></li>
<li>Unbound, the IPFire DNS Proxy, will now launch one thread per CPU core. Formerly it used to run single-threaded, but we expect quicker response times from launching multiple concurrent threads.</li>
<li>PPP: IPFire will now only send LCP keep alive packets when there is no traffic. This will slightly save on overhead on DSL and 5G/4G connections.</li>
<li>UI<ul><li>The DNS page will now consistently show the legend.</li>
</ul></li>
<li>OpenSSL has been updated to version 3.6.1, which patches the following vulnerabilities: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-11187" target="_blank">CVE-2025-11187</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-15467" target="_blank">CVE-2025-15467</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-15468" target="_blank">CVE-2025-15468</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-15469" target="_blank">CVE-2025-15469</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-66199" target="_blank">CVE-2025-66199</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-68160" target="_blank">CVE-2025-68160</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-69418" target="_blank">CVE-2025-69418</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-69419" target="_blank">CVE-2025-69419</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-69420" target="_blank">CVE-2025-69420</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-69421" target="_blank">CVE-2025-69421</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2026-22795" target="_blank">CVE-2026-22795</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2026-22796" target="_blank">CVE-2026-22796</a>.</li>
<li>glibc has been patched against <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2026-0861" target="_blank">CVE-2026-0861</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2026-0915" target="_blank">CVE-2026-0915</a> and <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-15281" target="_blank">CVE-2025-15281</a></li>
<li>Updated packages - and as usual, it is a lot: Apache 2.4.66, bash 5.3p9, BIND 9.20.18, coreutils 9.9, cURL 8.18.0, dhcpcd 10.3.0, elinks 0.19.0, glib 2.87.0, GnuPG 2.4.9, GnuTLS 3.8.11, harfbuzz 12.3.0, hwdata 0.403, iana-etc 20251215, intel-microcode 20251111, libarchive 3.8.5, libcap-ng 0.9, libgpg-error 1.58, libidn2 2.3.8, libjpeg 3.1.3, libpcap 1.10.6, libplist 2.7.0, libpng 1.6.53, libtasn1 4.21.0, liburcu 0.15.5, libxcrypt 4.5.1, LVM2 2.03.38, mdadm 4.5, memtest 8.00, meson 1.10.1, newt 0.52.25, ninja 1.13.2, oath-toolkit 2.6.13, OpenVPN 2.6.17, OpenSSL 3.6.1, SQLite 3.51.100, tzdata 2025c, readline 8.3p3, strongSwan 6.0.4, suricata 8.0.3, suricata-reporter 0.6, Rust 1.92.0, Unbound 1.24.2, wireless-regdb 2025.10.07, vim 9.1.2098, xz 5.8.2</li>
<li>Updated add-ons: alsa 1.2.15.3, ClamAV 1.5.1, dnsdist 2.0.2, fetchmail 6.6.0, gdb 17.1, Git 2.52.0, fort-validator 1.6.7, freeradius 3.2.8, libtpms 0.10.2, opus 1.6.1, postfix 3.10.6, samba 4.23.4, strace 6.18, tmux 3.6a, Tor 0.4.8.21, tshark 4.6.3</li>
</ul><br />
<br />
<a href="https://www.ipfire.org/blog/ipfire-2-29-core-update-200-is-available-for-testing" target="_blank">More...</a>]]></content:encoded>
			<category domain="https://n00bunlimited.net/home/forum/site-news/ipfire">Ipfire</category>
			<dc:creator>siosios</dc:creator>
			<guid isPermaLink="true">https://n00bunlimited.net/home/forum/site-news/ipfire/80470-ipfire-2-29-core-update-200-is-available-for-testing</guid>
		</item>
		<item>
			<title>IPFire 2.29 - Core Update 199 released</title>
			<link>https://n00bunlimited.net/home/forum/site-news/ipfire/80469-ipfire-2-29-core-update-199-released</link>
			<pubDate>Wed, 07 Jan 2026 14:12:40 GMT</pubDate>
			<description><![CDATA[This update brings major enhancements to IPFire's networking capabilities. New support for WiFi 7 and WiFi 6 unlocks significantly higher throughput...]]></description>
			<content:encoded><![CDATA[<br />
<br />
This update brings major enhancements to IPFire's networking capabilities. New support for WiFi 7 and WiFi 6 unlocks significantly higher throughput and improved efficiency, while native LLDP/CDP integration offers better visibility in complex environments. A refreshed kernel and extensive package updates further improve stability, performance, and security across the system.<br />
<br />
Bringing these new capabilities to IPFire requires significant ongoing development effort and testing infrastructure. If your business benefits from IPFire, please consider supporting the project through a <a href="https://www.ipfire.org/donate" target="_blank">donation</a>. Your contribution directly funds continued innovation and faster delivery of features like those in this release.<br />
<br />
<b>Support for WiFi 7 &amp; 6</b><br /><br />IPFire now supports WiFi 7 &amp; WiFi 6 for Wireless Access Points. Although the hardware has been supported before, IPFire can now take advantage of the features that these new WiFi standards are bringing. The most notable features are:<ul><li>It is now possible to select the preferred WiFi mode, and IPFire will figure out the rest. 802.11be and 802.11ax are joining support for 802.11ac/agn. Channel bandwidths of up to 320 MHz will give you a bandwidth of over 5.7 Gbps for two spatial streams, or even a whopping 11.5 Gbps over four spatial streams. Over the air!</li>
<li>IPFire will now automatically detect and enable any supported capabilities that the hardware supports. This used to be manually configurable as &quot;HT Capabilities&quot; and &quot;VHT Capabilities&quot;. Whereas that used to be a tedious and difficult process, we can now take advantage of all features that your hardware supports for a much more stable and faster WiFi network.</li>
<li>When using WPA2 or WPA1, IPFire will allow using SHA256 during authentication which will strengthen the handshake for clients that cannot use WPA3.</li>
<li>By default, IPFire will enable SSID Protection. If Management Frame Protection (802.11w) is being used, IPFire will automatically enable Beacon Protection and Operating Channel Validation.</li>
<li>Multicast packets will be converted to unicast packets by default to make more airtime available if the network is mainly hosting modern, fast clients.</li>
<li>Radar detection will be performed in the background if the hardware supports it.</li>
</ul><br />
The web UI has not changed much, but all the magic is happening inside of IPFire so that we can bring you maximum performance and low latency over your wireless network if you are using WiFi. All Lightning Wire Labs products will automatically enable these features.<br />
<br />
<b>Link-Local Discovery Protocol (LLDP) &amp; Cisco Discovery Protocol (CDP)</b><br /><br />IPFire is introducing native support for LLDP and CDPv2. These protocols allow the firewall to detect any networking devices that it is directly connected to and to identify which switch ports it is connected to. This is especially useful in larger networks and adds more discoverability to monitoring and mapping tools like Observium.<br />
<br />
The feature can be enabled and configured over the web UI under Services -&gt; LLDP.<br />
<br />
<b>Updated Kernel</b><br /><br />The IPFire kernel has been rebased on Linux 6.12.58. This provides various security and stability fixes. Some configuration changes for preemption debugging should yield significant performance improvements on many systems.<br />
<br />
<b>Intrusion Prevention System</b><br /><br /><ul><li>Suricata, the software that the IPFire IPS is based on, has been updated to version 8.0.2.</li>
<li>The new reporting feature sometimes dropped some alerts when the internally used SQLite database was busy. This problem has been fixed in release 0.5 of the suricata-reporter package.</li>
<li>The IPS reports will now always be sent at 1 am. Some users have requested to have these reports available when they arrive early at their offices.</li>
</ul><br />
<b>OpenVPN Roadwarrior</b><br /><br /><ul><li>In preparation for future OpenVPN releases, if a server is using any legacy ciphers, this will be highlighted to make users aware.</li>
<li>It is now supported to push multiple DNS and WINS servers to clients.</li>
<li>The server is now always running in multi-home mode. This is required as the firewall usually has multiple interfaces and clients might connect from an internal network; it configures the OpenVPN server to always respond with the same IP address that the client has connected to.</li>
<li>A bug has been fixed which prevented the OpenVPN server from pushing the first custom route that should have been pushed to clients.</li>
<li>The authenticator will try harder to encourage a client to perform OTP authentication if the client becomes confused during the authentication process.</li>
<li>The ineffective auth-nocache directive has been removed from the client configuration files</li>
</ul><br />
<b>Proxy</b><br /><br /><ul><li>A mitigation for <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-62168" target="_blank">CVE-2025-62168</a> has been applied to the proxy configuration</li>
<li>A race condition where the URL Filter process could have been forcibly terminated when it was compiling the databases has been fixed</li>
</ul><br />
<b>Web UI</b><br /><br /><ul><li>Firewall: A bug that prevented users from creating new location groups has been resolved</li>
<li>Hardware Vulnerabilities: A better message is shown if a system does not support SMT</li>
<li>Mail: Credentials with some special characters won't be mangled any more</li>
</ul><br />
<b>Misc.</b><br /><br /><ul><li>The D-Bus daemon is now running by default in IPFire to prepare for some future developments.</li>
<li>dracut has been replaced by dracut-ng after the original project was abandoned by Red Hat</li>
<li>dma: A tool to create local inboxes has been added</li>
<li>The SSH cipher suite has been aligned with upstream and now prefers AES-GCM over AES-CTR.</li>
<li>A race-condition where applied firewall rules could have been dropped when another firewall rule was already inserted has been fixed</li>
<li>Updated packages: coreutils 9.8, c-ares 1.34.5 (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-31498" target="_blank">CVE-2025-31498</a>), cURL 8.17.0, BIND 9.20.16, boost 1.89.0, btrfs-progs 6.17.1, elfutils 0.194, expat 2.7.3 (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-59375" target="_blank">CVE-2025-59375</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-8176" target="_blank">CVE-2024-8176</a>), fmt 12.1.0, FUSE 3.17.4, glib 2.86.0, harfbuzz 12.1.0, hwdata 0.400, iana-etc 20251030, iproute2 6.17.0, kbd 2.9.0, less 685, libarchive 3.8.2, libcap 2.77, libgpg-error 1.56, libxml2 2.15.1, LVM2 2.03.36, nasm 3.00, ninja 1.13.1, OpenLDAP 2.6.10, OpenSSH 10.2p1, OpenSSL 3.6.0, OpenVPN 2.6.16, PCRE2 10.47, p11-kit 0.25.10, pango 1.57.0, protobuf 33.0, Rust 1.85.0, strongSwan 6.0.3, SQLite 3.51.0, Suricata 8.0.2, suricata-reporter 0.5, sysvinit 3.14, udev 258, unbound 1.24.1, usbutils 019, util-linux 2.41.2, vim 9.1.1854, whois 5.6.5, xfsprogs 6.17.0</li>
<li>Various code cleanups are being shipped with this update, too.</li>
</ul><br />
<b>Add-ons</b><br /><br /><ul><li>arpwatch<ul><li>This new add-on has received a bug fix for submitting the correct envelope sender for emails. Some mail servers had rejected those emails.</li>
<li>MAC addresses will always be shown as zero-padded</li>
</ul></li>
<li>ffmpeg has been updated to version 8.0<ul><li>It is also linked to OpenSSL and lame again to allow streaming of external sources using HTTPS and mp3.</li>
</ul></li>
<li>Updated packages: ClamAV 1.5.1, dnsdist 2.0.1, fetchmail 6.5.7, ffmpeg 8.0, hostapd f747ae0, libmpdclient 2.23, mpd 0.24.5, mympd 22.1.1, nano 8.7, openvmtools 13.0.5, Samba 4.23.2, shairport-sync 4.3.7, Tor 0.4.8.19, tshark 4.6.1, zabbix_agentd 7.0.21 (LTS)</li>
</ul><br />
<b>Support the Future of IPFire</b><br /><br />This release brings major advancements such as WiFi 7 support, deeper networking visibility with LLDP/CDP, and substantial performance and security improvements. Delivering features of this scale requires continuous engineering effort, infrastructure, and long-term maintenance. If your organisation relies on IPFire, please consider supporting the project financially. Your contribution helps us accelerate development, improve hardware support, and keep the platform independent and sustainable.<br />
<br />
Please support the project right now with your <a href="https://www.ipfire.org/donate" target="_blank">donation</a>.<br />
<br />
<br />
<a href="https://www.ipfire.org/blog/ipfire-2-29-core-update-199-released" target="_blank">More...</a>]]></content:encoded>
			<category domain="https://n00bunlimited.net/home/forum/site-news/ipfire">Ipfire</category>
			<dc:creator>siosios</dc:creator>
			<guid isPermaLink="true">https://n00bunlimited.net/home/forum/site-news/ipfire/80469-ipfire-2-29-core-update-199-released</guid>
		</item>
	</channel>
</rss>
