<?xml version="1.0" encoding="windows-1252"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
	<channel>
		<title>n00b Unlimited - Ipfire</title>
		<link>https://n00bunlimited.net/</link>
		<description>News Taken from the IPfire blog</description>
		<language>en</language>
		<lastBuildDate>Tue, 12 May 2026 11:17:15 GMT</lastBuildDate>
		<generator>vBulletin</generator>
		<ttl>60</ttl>
		<image>
			<url>https://n00bunlimited.net/images/misc/rss.png</url>
			<title>n00b Unlimited - Ipfire</title>
			<link>https://n00bunlimited.net/</link>
		</image>
		<item>
			<title>IPFire 2.29 - Core Update 202 is available for testing</title>
			<link>https://n00bunlimited.net/home/forum/site-news/ipfire/80479-ipfire-2-29-core-update-202-is-available-for-testing</link>
			<pubDate>Mon, 11 May 2026 08:21:15 GMT</pubDate>
			<description>Today we are proud to present the next challenger stepping into the ring: IPFire 2.29 Core Update 202! In this corner, a brand-new Linux 6.18 kernel....</description>
			<content:encoded><![CDATA[<br />
<br />
Today we are proud to present the next challenger stepping into the ring: IPFire 2.29 Core Update 202! In this corner, a brand-new Linux 6.18 kernel. In the other corner, OpenVPN 2.7 with kernel-accelerated Data Channel Offload, delivering up to 10 Gigabit per second per tunnel. Add to that a long list of important security fixes, package updates, and bug fixes - and you have a release that is ready for testing. So power up your test systems, and let's get readyyyy to upgraaaade!<br />
<br />
<b>Linux Kernel Security Vulnerabilities</b><br /><br />In this release, the IPFire kernel has been rebased on Linux 6.18.28 which most notably fixes a couple of prominent security vulnerabilities:<ul><li>Dirty Frag &#8212; ESP/IPsec (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2026-43284" target="_blank">CVE-2026-43284</a>) &#8212; A local privilege escalation flaw disclosed on May 7, 2026 in the kernel module providing support for ESP, one of the protocols used for IPsec, allowing an unprivileged local user to escalate to root.</li>
<li>Copy Fail (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2026-31431" target="_blank">CVE-2026-31431</a>) &#8212; A logic flaw in the Linux kernel's cryptographic subsystem, specifically within the algif_aead module of the AF_ALG interface, disclosed April 29, 2026, that lets any unprivileged local user gain root via a tiny exploit on essentially every distribution shipping kernels built since 2017.</li>
</ul><br />
While these vulnerabilities are serious for Linux systems in general, IPFire is by design not exposed to the most common attack paths. Both flaws require an unprivileged local user with shell access to the system, and IPFire does not provide unprivileged shell accounts on the firewall - only the administrator has access to the console, and there are no other users logged in. That said, defence in depth matters, and we always recommend keeping systems up to date regardless of whether a known attack path applies, because the next vulnerability may well take a different shape.<br />
<br />
<b>OpenVPN 2.7</b><br /><br />IPFire is now shipping OpenVPN 2.7, which was released earlier this year. Over the last couple of updates, we have already rolled out changes that allow a smooth transition. The highlight of this release is support for Data Channel Offloading (DCO) to the kernel. Instead of passing every packet to the OpenVPN daemon for encryption and decryption, the kernel can encrypt or decrypt packets itself, which massively boosts throughput. We have observed throughput jump from 1 GBit/s to 10 GBit/s per tunnel, with reduced jitter and lower CPU utilisation due to the kernel's better use of the hardware's crypto acceleration.<br />
<br />
<b>Misc.</b><br /><br /><ul><li>Firewall: Multiple ports in a comma-separated list are now being applied properly (<a href="https://bugzilla.ipfire.org/show_bug.cgi?id=13959" target="_blank">#13959</a>)</li>
<li>Intrusion Prevention System: The IPS no longer logs statistics, which had used a lot of disk space on some systems. The updater automatically removes the existing log files, freeing the disk space. The remaining log files are now rotated daily instead of weekly.</li>
<li>The IPFire DNS Proxy is now permitted outbound access without any additional firewall rules.</li>
<li>IPsec: Due to a typo in a script, some automatically generated firewall rules were not removed after a tunnel was shut down. The only consequence was a growing table of redundant rules.</li>
<li>In glibc, a crafted DNS response can trick gethostbyaddr/gethostbyaddr_r into treating a non-answer section as a valid answer, violating the DNS spec. The result is an out-of-bounds read and bogus hostnames returned to callers &#8212; risky for anything that uses reverse DNS in logging or access decisions (GLIBC-SA-2026-0005).</li>
<li>Updated packages: abseil-cpp 20260107.1, Apache2 2.4.67, autoconf 2.73, BIND 9.20.22, btrfs-progs 6.19.1, cURL 8.20.0, ethtool 7.0, expat 2.8.0, freetype 2.14.3, glib 2.88.1, GnuTLS 3.8.13, groff 1.24.1, harfbuzz 14.2.0, hwdata 0.406, iana-etc 20260409, intel-microcode 20260227, inotify-tools 4.25.9.0, iproute2 7.0.0, ipset 7.24, Knot 3.5.4, libarchive 3.8.7, libcap 2.78, libcap-ng 0.9.3, libedit 20251016-3.1, libgcrypt 1.12.2, libinih 62, libjpeg 3.1.4.1, libpng 1.6.58, libsodium 1.0.22, liburcu 0.15.6, libxml2 2.15.3, lmdb 0.9.35, LVM2 2.03.40, man-pages 6.18, mdadm 4.6, oath-toolkit 2.6.14, OpenSSH 10.3p1, OpenSSL 3.6.2, OpenVPN 2.7.3, pango 1.57.1, parted 3.7, pciutils 3.15.0, python3-yaml 6.0.3, sed 4.10, SQLite 3.53.0, strongSwan 6.0.6, Suricata 8.0.4, systemd 260.1, texinfo 7.3, tzdata 2026b, Unbound 1.25.0, usb-modeswitch-data 20251207, wireguard-tools 1.0.20260223, XZ 5.8.3</li>
<li>IP Blocklist: Links to the BOGON and BOGON_FULL lists have been updated</li>
</ul><br />
<b>Add-Ons</b><br /><br /><ul><li>Updated packages: arpwatch 3.9, dnsdist 2.0.5, ffmpeg 8.1, FRR 10.6.0, htop 3.5.1, iperf3 3.21, Git 2.54.0, HAProxy 3.2.15, keepalived 2.3.4, libid3tag 0.16.4, libmicrohttpd 1.0.5, libmpc 1.4.1, libpciaccess 0.19, libvirt 12.3.0, lldpd 1.0.21, mympd 25.0.1, nano 9.0, ncat 7.99, nfs 2.9.1, nmap 7.99, Postfix 3.11.1, rsync 3.4.2, Samba 4.24.1, Tor 0.4.9.7, transmission 4.1.1, tshark 4.6.5, Zabbix Agent 7.0.24 (LTS) + Monitoring for D-Bus &amp; LLDP</li>
</ul><br />
<hr /><br />
As always, this update would not be possible without the hard work of the IPFire developers, the wider open-source community whose projects we ship, and everyone who tests, reports bugs, and contributes patches. If you would like to support the continued development of IPFire, please <a href="https://www.ipfire.org/donate" target="_blank">donate</a> - every contribution helps us keep the project independent and moving forward.<br />
<br />
Happy testing!<br />
<br />
<br />
<a href="https://www.ipfire.org/blog/ipfire-2-29-core-update-202-is-available-for-testing" target="_blank">More...</a>]]></content:encoded>
			<category domain="https://n00bunlimited.net/home/forum/site-news/ipfire">Ipfire</category>
			<dc:creator>siosios</dc:creator>
			<guid isPermaLink="true">https://n00bunlimited.net/home/forum/site-news/ipfire/80479-ipfire-2-29-core-update-202-is-available-for-testing</guid>
		</item>
		<item>
			<title>IPFire 2.29 - Core Update 201 released - with DNS Firewall</title>
			<link>https://n00bunlimited.net/home/forum/site-news/ipfire/80477-ipfire-2-29-core-update-201-released-with-dns-firewall</link>
			<pubDate>Tue, 28 Apr 2026 08:30:21 GMT</pubDate>
			<description><![CDATA[We are pleased to announce the release of IPFire 2.29 &#8212; Core Update 201, and with it, the most significant expansion of IPFire's capabilities in...]]></description>
			<content:encoded><![CDATA[<br />
<br />
We are pleased to announce the release of <b>IPFire 2.29 &#8212; Core Update 201</b>, and with it, the most significant expansion of IPFire's capabilities in years. This release delivers the long-awaited DNS Firewall, a feature that transforms how IPFire protects the networks it sits in front of &#8212; along with a major toolchain rebase, a wide range of package updates, and improvements across the entire system.<br />
<br />
For many of you, this is the release you have been waiting for. For the rest of you &#8212; once you see what it does, it will be.<br />
<br />
<b>Hello DNS Firewall</b><br /><br />The wait is over. One of the most requested features in IPFire's history is finally here, and it fundamentally changes what your firewall is capable of. The DNS Firewall transforms IPFire from a network gatekeeper into an active threat eliminator &#8212; blocking malware, phishing, advertising, and unwanted content before a single byte of malicious data ever touches your network. <br />
<br />
For full details, see the <a href="https://www.ipfire.org/docs/configuration/firewall/dns" target="_blank">DNS Firewall documentation</a> and the <a href="https://www.ipfire.org/docs/roadmap/dns-firewall" target="_blank">DNS Firewall roadmap page</a>.<br />
<br />
<b>How it works</b><br /><br />Every device on your network resolves domain names through IPFire's DNS proxy. The DNS Firewall sits inside that pipeline and evaluates every query against <a href="https://www.ipfire.org/dbl" target="_blank">IPFire DBL</a> &#8212; our own curated, continuously updated domain blocklist &#8212; before a response ever reaches the client. Blocked domains receive an NXDOMAIN response: to the client, the domain simply does not exist. No connection is attempted, no content is fetched, and no trace of the request leaves your network.<br />
<br />
As a first to offer this to a large user-base, blocklist updates are delivered via IXFR &#8212; incremental DNS zone transfers directly into the DNS proxy &#8212; meaning your lists are refreshed within the hour, automatically, with no manual intervention and minimal bandwidth overhead.<br />
<br />
<b>Goodbye URL Filter. Goodbye Pi-hole.</b><br /><br />If you have been running the URL Filter, you already understand the frustration: clients need explicit proxy configuration, HTTPS inspection is a minefield, and the entire approach was designed for a web that no longer exists. If you have been running a Pi-hole alongside IPFire to compensate, you have been maintaining a second device, a second software stack, and a second security boundary &#8212; all to do something your firewall should have been doing all along.<br />
<br />
The DNS Firewall replaces both. It requires no client configuration, no additional hardware, and no compromises. Your firewall is already the single point through which all DNS traffic flows &#8212; it has always been the right place for this.<br />
<br />
<b>Miscellaneous Improvements</b><br /><br /><ul><li><b>Intrusion Prevention System</b> It is now possible to configure different recipients for daily, weekly, and monthly IDS reports &#8212; useful for teams where different people are responsible for different reporting cadences.</li>
<li><b>RISC-V</b> <a href="https://n00bunlimited.net//users/arne_f" target="_blank">Arne.F</a> has updated the kernel configuration on the <a href="https://nightly.ipfire.org/next/latest/riscv64/" target="_blank">experimental build for RISC-V devices</a>.</li>
<li><b>Network Installer</b> The installer now allocates more disk space when booting from the network, accommodating the increased size of the ISO download.</li>
<li><b>Rust Cleanup</b> <a href="https://n00bunlimited.net//users/stevee" target="_blank">Stefan Schantl</a> has removed Rust packages that were no longer needed in the distribution, reducing build overhead and attack surface.</li>
<li><b>Web Proxy Firewall Rules</b> Rules are now created with the --wait flag, preventing race conditions during rule insertion.</li>
<li><b>Toolchain Update</b> IPFire has been rebased on the latest versions of glibc 2.43 and GNU binutils 2.46.0. These are the fundamental libraries and binary tools that underpin all userspace components inside IPFire. Keeping them current ensures better hardware support, improved security hardening, and a solid foundation for all packages built on top of them.</li>
<li>The following packages have been updated in this release: asciidoctor 2.0.26, BIND 9.20.20, binutils 2.46.0, ccache 4.12.3, conntrack-tools 1.4.9, coreutils 9.10, dejagnu 1.6.3, expat 2.7.4, fuse 3.18.1, gettext 1.0, glibc 2.43, harfbuzz 12.3.2, hwdata 0.404, intel-microcode 20260210, iptables 1.8.12, jansson 2.15.0, krb5 1.22.1, less 692, libgcrypt 1.12.0, libnetfilter_conntrack 1.1.1, libpng 1.6.55, libtalloc 2.4.4, libuv 1.52.0, libxcrypt 4.5.2, m4 1.4.21, ncurses 6.6, OpenVPN 2.6.19, OpenSSL 3.6.1, p11-kit 0.26.2, PAM 1.7.2, procps 4.0.6, Ruby 4.0.1, suricata-reporter 0.7, vim 9.1.2147, wireless-regdb 2026.02.04, xfsprogs 6.18.0, zlib-ng 2.3.3</li>
</ul><br />
<b>Add-ons</b><br /><br /><ul><li><b>Wireless Access Point</b><ul><li>The description for the Neighbourhood Scan was previously inverted and has been corrected.</li>
<li><a href="https://n00bunlimited.net//users/bonnietwin" target="_blank">Adolf Belka</a> has contributed a Dutch translation for this package.</li>
</ul></li>
<li>Updated Add-on Packages: ddrescue 1.30, fping 5.5, Git 2.53.0, minicom 2.11, nano 8.7.1, nfs 2.8.5, Postfix 3.10.7, Samba 4.23.5, tshark 4.6.4</li>
<li>The 7zip package has been removed from the add-on collection. The upstream project is no longer maintained, and continuing to ship unmaintained software is not consistent with IPFire's security posture.</li>
</ul><br />
<hr /><br />
This release is the product of years of work &#8212; from building IPFire DBL into a category-rich, continuously maintained blocklist, to engineering IXFR-based delivery straight into the DNS proxy, to the countless smaller improvements that make it all tie together. Our thanks go to every developer, tester, and community member who helped get us here, and in particular to those who ran the testing release and sent us the feedback that made this stable release possible.<br />
<br />
Please install this update through Pakfire as usual. As with every Core Update, we recommend rebooting after installation to ensure all components are running the new versions.<br />
<br />
If you find a problem, please report it on the <a href="https://community.ipfire.org" target="_blank">IPFire community forum</a> or the <a href="https://bugzilla.ipfire.org" target="_blank">bug tracker</a>. And if IPFire is useful to you, <a href="https://www.ipfire.org/donate" target="_blank">please consider supporting the project</a> &#8212; it is what keeps releases like this one possible.<br />
<br />
<br />
<a href="https://www.ipfire.org/blog/ipfire-2-29-core-update-201-released-with-dns-firewall" target="_blank">More...</a>]]></content:encoded>
			<category domain="https://n00bunlimited.net/home/forum/site-news/ipfire">Ipfire</category>
			<dc:creator>siosios</dc:creator>
			<guid isPermaLink="true">https://n00bunlimited.net/home/forum/site-news/ipfire/80477-ipfire-2-29-core-update-201-released-with-dns-firewall</guid>
		</item>
		<item>
			<title>IPFire 2.29 - Core Update 201 is available for testing</title>
			<link>https://n00bunlimited.net/home/forum/site-news/ipfire/80476-ipfire-2-29-core-update-201-is-available-for-testing</link>
			<pubDate>Thu, 12 Mar 2026 11:13:02 GMT</pubDate>
			<description>We are pleased to announce a new testing release of IPFire! It brings you our DNS firewall - a feature that so many of you have been waiting for -...</description>
			<content:encoded><![CDATA[<br />
<br />
We are pleased to announce a new testing release of IPFire! It brings you our DNS firewall - a feature that so many of you have been waiting for - together with a large toolchain rebase, a wide range of updated packages and the usual bunch of various improvements across the entire system.<br />
<br />
<b>Hello DNS Firewall</b><br /><br />The wait is over. One of the most requested features in IPFire's history is finally here, and it fundamentally changes what your firewall is capable of. The DNS Firewall transforms IPFire from a network gatekeeper into an active threat eliminator &#8212; blocking malware, phishing, advertising, and unwanted content before a single byte of malicious data ever touches your network. <br />
<br />
For full details, see the <a href="https://www.ipfire.org/docs/configuration/firewall/dns" target="_blank">DNS Firewall documentation</a> and the <a href="https://www.ipfire.org/docs/roadmap/dns-firewall" target="_blank">DNS Firewall roadmap page</a>.<br />
<br />
<b>How it works</b><br /><br />Every device on your network resolves domain names through IPFire's DNS proxy. The DNS Firewall sits inside that pipeline and evaluates every query against <a href="https://www.ipfire.org/dbl" target="_blank">IPFire DBL</a> &#8212; our own curated, continuously updated domain blocklist &#8212; before a response ever reaches the client. Blocked domains receive an NXDOMAIN response: to the client, the domain simply does not exist. No connection is attempted, no content is fetched, and no trace of the request leaves your network.<br />
<br />
As a first to offer this to a large user-base, blocklist updates are delivered via IXFR &#8212; incremental DNS zone transfers directly into the DNS proxy &#8212; meaning your lists are refreshed within the hour, automatically, with no manual intervention and minimal bandwidth overhead.<br />
<br />
<b>Goodbye URL Filter. Goodbye Pi-hole.</b><br /><br />If you have been running the URL Filter, you already understand the frustration: clients need explicit proxy configuration, HTTPS inspection is a minefield, and the entire approach was designed for a web that no longer exists. If you have been running a Pi-hole alongside IPFire to compensate, you have been maintaining a second device, a second software stack, and a second security boundary &#8212; all to do something your firewall should have been doing all along.<br />
<br />
The DNS Firewall replaces both. It requires no client configuration, no additional hardware, and no compromises. Your firewall is already the single point through which all DNS traffic flows &#8212; it has always been the right place for this.<br />
<br />
<b>Miscellaneous Improvements</b><br /><br /><ul><li><b>Intrusion Prevention System</b> It is now possible to configure different recipients for daily, weekly, and monthly IDS reports &#8212; useful for teams where different people are responsible for different reporting cadences.</li>
<li><b>RISC-V</b> <a href="https://n00bunlimited.net//users/arne_f" target="_blank">Arne.F</a> has updated the kernel configuration on the <a href="https://nightly.ipfire.org/next/latest/riscv64/" target="_blank">experimental build for RISC-V devices</a>.</li>
<li><b>Network Installer</b> The installer now allocates more disk space when booting from the network, accommodating the increased size of the ISO download.</li>
<li><b>Rust Cleanup</b> <a href="https://n00bunlimited.net//users/stevee" target="_blank">Stefan Schantl</a> has removed Rust packages that were no longer needed in the distribution, reducing build overhead and attack surface.</li>
<li><b>Web Proxy Firewall Rules</b> Rules are now created with the --wait flag, preventing race conditions during rule insertion.</li>
<li><b>Toolchain Update</b> IPFire has been rebased on the latest versions of glibc 2.43 and GNU binutils 2.46.0. These are the fundamental libraries and binary tools that underpin all userspace components inside IPFire. Keeping them current ensures better hardware support, improved security hardening, and a solid foundation for all packages built on top of them.</li>
<li>The following packages have been updated in this release: asciidoctor 2.0.26, BIND 9.20.20, binutils 2.46.0, ccache 4.12.3, conntrack-tools 1.4.9, coreutils 9.10, dejagnu 1.6.3, expat 2.7.4, fuse 3.18.1, gettext 1.0, glibc 2.43, harfbuzz 12.3.2, hwdata 0.404, intel-microcode 20260210, iptables 1.8.12, jansson 2.15.0, krb5 1.22.1, less 692, libgcrypt 1.12.0, libnetfilter_conntrack 1.1.1, libpng 1.6.55, libtalloc 2.4.4, libuv 1.52.0, libxcrypt 4.5.2, m4 1.4.21, ncurses 6.6, OpenVPN 2.6.19, OpenSSL 3.6.1, p11-kit 0.26.2, PAM 1.7.2, procps 4.0.6, Ruby 4.0.1, suricata-reporter 0.7, vim 9.1.2147, wireless-regdb 2026.02.04, xfsprogs 6.18.0, zlib-ng 2.3.3</li>
</ul><br />
<b>Add-ons</b><br /><br /><ul><li><b>Wireless Access Point</b><ul><li>The description for the Neighbourhood Scan was previously inverted and has been corrected.</li>
<li><a href="https://n00bunlimited.net//users/bonnietwin" target="_blank">Adolf Belka</a> has contributed a Dutch translation for this package.</li>
</ul></li>
<li>Updated Add-on Packages: ddrescue 1.30, fping 5.5, Git 2.53.0, minicom 2.11, nano 8.7.1, nfs 2.8.5, Postfix 3.10.7, Samba 4.23.5, tshark 4.6.4</li>
<li>The 7zip package has been removed from the add-on collection. The upstream project is no longer maintained, and continuing to ship unmaintained software is not consistent with IPFire's security posture.</li>
</ul><br />
<hr /><br />
This is a <b>testing release</b>. We encourage all users who are able to run non-production hardware to give it a try and report any issues, particularly around the new DNS Firewall feature. Your feedback at this stage directly shapes the quality of the stable release.<br />
<br />
Please report issues on the <a href="https://community.ipfire.org/" target="_blank">IPFire community forum</a> or the bug tracker.<br />
<br />
<br />
<a href="https://www.ipfire.org/blog/ipfire-2-29-core-update-201-is-available-for-testing" target="_blank">More...</a>]]></content:encoded>
			<category domain="https://n00bunlimited.net/home/forum/site-news/ipfire">Ipfire</category>
			<dc:creator>siosios</dc:creator>
			<guid isPermaLink="true">https://n00bunlimited.net/home/forum/site-news/ipfire/80476-ipfire-2-29-core-update-201-is-available-for-testing</guid>
		</item>
		<item>
			<title>IPFire 2.29 - Core Update 200 released</title>
			<link>https://n00bunlimited.net/home/forum/site-news/ipfire/80473-ipfire-2-29-core-update-200-released</link>
			<pubDate>Fri, 27 Feb 2026 11:04:09 GMT</pubDate>
			<description>We are excited for the final release of IPFire 2.29 - Core Update 200. This release ships with Linux kernel 6.18 LTS, an exciting preview of IPFire...</description>
			<content:encoded><![CDATA[<br />
<br />
We are excited for the final release of IPFire 2.29 - Core Update 200. This release ships with Linux kernel 6.18 LTS, an exciting preview of IPFire DBL (our new domain blocklist system), numerous package updates, performance improvements, security fixes, and plenty of general awesomeness throughout. As we mark this 200th update milestone, we extend our heartfelt thanks to our community whose continued support makes it all possible &#8212; we hope this release reflects the care and dedication we've poured into it.<br />
<br />
<b>Help Us Build the DNS Firewall &#8212; A Call for Community Support</b><br /><br /><a href="https://www.ipfire.org/blog/introducing-ipfire-dbl-community-powered-domain-blocking-for-everyone" target="_blank">IPFire DBL</a>, previewed in this release, is the foundation of something much bigger. As we have previously announced, our next major milestone is a fully integrated <a href="https://www.ipfire.org/docs/roadmap/dns-firewall" target="_blank">DNS Firewall</a> &#8212; bringing modern, native content filtering to IPFire, making it the only tool your network needs to block advertising, malware, and unwanted content at the DNS layer.<br />
<br />
If this is a vision you share, please consider supporting its development with a <a href="https://www.ipfire.org/donate" target="_blank">donation</a>. Every contribution brings us closer to making it a reality.<br />
<br />
<b>Kernel 6.18</b><br /><br />The IPFire kernel has been rebased on Linux 6.18.7. This new long-term supported release brings various security, performance and stability improvements, including better network throughput and latency, enhanced packet filtering capabilities, and the latest hardware security mitigations.<br />
<br />
Furthermore, the Linux developers have deprecated support for ReiserFS. If your IPFire installation is running on this filesystem, you will have seen a note on the web user interface for some time, and you will not be able to install the update. Instead you will have to re-install IPFire on a supported file system.<br />
<br />
<b><a href="https://www.ipfire.org/dbl" target="_blank">IPFire Domain Blocklist</a> - or DBL</b><br /><br />Since the infamous Shalla list was retired, the IPFire web proxy has been in need of a stable source of domains to block if you wish to filter malware, social networks or adult content from your network. Due to the lack of good sources, and the general desire to provide a solid domain block list to our users, we have now started our own. It is in its baby stages right now, and we will have a lot of excitement to share about this in the near future, but for now it will be available in two places:<ul><li>URL Filter: You can now use IPFire DBL to block access through the proxy</li>
<li><a href="https://www.ipfire.org/blog/beyond-dns-ipfire-dbl-suricata-close-the-filtering-gap" target="_blank">Suricata</a>: With the launch of IPFire DBL, we are also becoming a Suricata rules provider. With the new database, you will be able to block access to banned sites even more thoroughly by letting the IPS perform deep packet inspection on DNS/TLS/HTTP/QUIC connections.</li>
</ul><br />
This is currently in an early beta stage and we are happy to receive your feedback and support.<br />
<br />
<b>Misc.</b><br /><br /><ul><li>Intrusion Prevention System<ul><li>The last update introduced a pre-compiled signature cache for Suricata. That cache grew without bounds and could consume significant disk space. In this update, we have backported a patch so that Suricata automatically cleans up unused signatures.</li>
<li>The reporter has been updated to include additional information for alerts involving DNS, HTTP, TLS, or QUIC: the hostname and further details are now shown in the alert emails and PDF reports. This will help admins to further investigate any corporate policy violations.</li>
</ul></li>
<li>OpenVPN<ul><li>The client configuration will no longer include the MTU. Instead, it will be pushed by the server so that the admin is free to change it later. Some older clients might not support this change.</li>
<li>Likewise, the OTP auth token will be pushed by the server if the client has OTP enabled.</li>
<li>The client configuration files will no longer include the CA as it is already included in the PKCS12 container. This caused problems when importing connections using NetworkManager on the command line.</li>
</ul></li>
<li>Wireless Access Point<ul><li>Support for 802.11a/g has been re-introduced.</li>
<li>hostapd could unintentionally log a large amount of debugging output if debugging had previously been enabled.</li>
<li>PSK values that include special characters are now accepted.</li>
</ul></li>
<li>Unbound, the IPFire DNS Proxy, now launches one thread per CPU core. It formerly ran single-threaded; we expect quicker response times from multiple concurrent threads.</li>
<li>PPP: IPFire will now only send LCP keep-alive packets when there is no traffic. This slightly reduces overhead on DSL and 5G/4G connections.</li>
<li>UI<ul><li>The DNS page will now consistently show the legend.</li>
</ul></li>
<li>OpenSSL has been updated to version 3.6.1 and is patched against the following vulnerabilities: <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-11187" target="_blank">CVE-2025-11187</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-15467" target="_blank">CVE-2025-15467</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-15468" target="_blank">CVE-2025-15468</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-15469" target="_blank">CVE-2025-15469</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-66199" target="_blank">CVE-2025-66199</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-68160" target="_blank">CVE-2025-68160</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-69418" target="_blank">CVE-2025-69418</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-69419" target="_blank">CVE-2025-69419</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-69420" target="_blank">CVE-2025-69420</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-69421" target="_blank">CVE-2025-69421</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2026-22795" target="_blank">CVE-2026-22795</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2026-22796" target="_blank">CVE-2026-22796</a>.</li>
<li>glibc has been patched against <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2026-0861" target="_blank">CVE-2026-0861</a>, <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2026-0915" target="_blank">CVE-2026-0915</a> and <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-15281" target="_blank">CVE-2025-15281</a>.</li>
<li>Updated packages - and as usual, it is a lot: Apache 2.4.66, bash 5.3p9, BIND 9.20.18, coreutils 9.9, cURL 8.18.0, elinks 0.19.0, glib 2.87.0, GnuPG 2.4.9, GnuTLS 3.8.11, harfbuzz 12.3.0, hwdata 0.403, iana-etc 20251215, intel-microcode 20251111, libarchive 3.8.5, libcap-ng 0.9, libgpg-error 1.58, libidn2 2.3.8, libjpeg 3.1.3, libpcap 1.10.6, libplist 2.7.0, libpng 1.6.53, libtasn1 4.21.0, liburcu 0.15.5, libxcrypt 4.5.1, LVM2 2.03.38, mdadm 4.5, memtest 8.00, meson 1.10.1, newt 0.52.25, ninja 1.13.2, oath-toolkit 2.6.13, OpenVPN 2.6.17, OpenSSL 3.6.1, SQLite 3.51.100, tzdata 2025c, readline 8.3p3, strongSwan 6.0.4, suricata 8.0.3, suricata-reporter 0.6, Rust 1.92.0, Unbound 1.24.2, wireless-regdb 2025.10.07, vim 9.1.2098, xz 5.8.2</li>
<li>Updated add-ons: alsa 1.2.15.3, ClamAV 1.5.1, dnsdist 2.0.2, fetchmail 6.6.0, gdb 17.1, Git 2.52.0, fort-validator 1.6.7, freeradius 3.2.8, libtpms 0.10.2, opus 1.6.1, postfix 3.10.6, samba 4.23.4, strace 6.18, tmux 3.6a, Tor 0.4.8.21, tshark 4.6.3</li>
</ul><br />
<br />
<a href="https://www.ipfire.org/blog/ipfire-2-29-core-update-200-released" target="_blank">More...</a>]]></content:encoded>
			<category domain="https://n00bunlimited.net/home/forum/site-news/ipfire">Ipfire</category>
			<dc:creator>siosios</dc:creator>
			<guid isPermaLink="true">https://n00bunlimited.net/home/forum/site-news/ipfire/80473-ipfire-2-29-core-update-200-released</guid>
		</item>
		<item>
			<title>Beyond DNS: IPFire DBL + Suricata Close the Filtering Gap</title>
			<link>https://n00bunlimited.net/home/forum/site-news/ipfire/80472-beyond-dns-ipfire-dbl-suricata-close-the-filtering-gap</link>
			<pubDate>Thu, 19 Feb 2026 15:24:17 GMT</pubDate>
			<description><![CDATA[Last week we introduced IPFire DBL&#8212;our community-driven domain blocking solution. Today, we're diving into something that sets IPFire apart from...]]></description>
			<content:encoded><![CDATA[<br />
<br />
Last week we introduced IPFire DBL&#8212;our community-driven domain blocking solution. Today, we're diving into something that sets IPFire apart from DNS-only filtering solutions: the ability to block threats that bypass DNS entirely.<br />
<br />
DNS-based blocking solutions like Pi-hole are excellent at what they do: they prevent your devices from resolving malicious domain names. But here's the problem: DNS filtering only works if the malware or threat actually uses your configured DNS resolver.<br />
<br />
Increasingly, threats are bypassing DNS filtering altogether:<ul><li>Malware using DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH) to tunnel queries outside your network</li>
<li>Applications with hardcoded IP addresses that never touch your DNS resolver</li>
<li><a href="https://www.ipfire.org/blog/feature-spotlight-weaponising-ipfire-location-to-proactively-detect-fast-flux-setups" target="_blank">Fast-flux networks</a> where DNS records change faster than blocklists update</li>
</ul><br />
Even when DNS blocking works, you only know a query was blocked - you don't know if a device on your network is already infected and actively trying to communicate with command-and-control servers.<br />
<br />
This is where involving the Intrusion Prevention System changes everything.<br />
<br />
<b>How IPFire DBL + IPS Works</b><br /><br />Suricata is an open-source intrusion detection and prevention system (IDS/IPS) that can inspect network traffic at the packet level. When combined with IPFire DBL, it becomes a powerful multi-protocol filtering engine.<br />
<br />
Even when connections are encrypted with TLS or QUIC, there is a critical piece of information sent in plaintext during the handshake: the Server Name Indication (SNI). SNI tells the server which hostname the client wants to connect to - and crucially for us, Suricata can read this before the encryption begins. This means even if malware bypasses your DNS resolver entirely and connects directly to an IP address, if it establishes a TLS or QUIC connection, we can see exactly which domain it is trying to reach.<br />
<br />
IPFire DBL + Suricata inspects:<ul><li>DNS queries - Traditional DNS traffic on port 53</li>
<li>Host headers in (unencrypted) HTTP requests</li>
<li>SNI in TLS/QUIC connections</li>
</ul><br />
This multi-protocol approach means there are virtually no loopholes. If a connection uses standard protocols to reach a malicious domain, we catch it.<br />
<br />
<b>Suricata Datasets: Efficient at Scale</b><br /><br />Suricata implements domain matching using datasets - highly optimised data structures designed for fast lookups against large lists. This is critical because IPFire DBL contains millions of domains across multiple categories.<br />
<br />
When a connection is established, Suricata checks the hostname against the relevant datasets in real-time. The performance impact is negligible - Suricata's dataset implementation is specifically built for this kind of high-speed matching. (For more technical details on Suricata datasets, see <a href="https://docs.suricata.io/en/latest/rules/datasets.html" target="_blank">Suricata's dataset documentation</a>)<br />
<br />
<b>What Happens on a Match?</b><br /><br />When Suricata detects a connection to a domain in your selected IPFire DBL categories, the connection is immediately dropped, an alert is generated with full details of the blocked connection, and the event is logged for visibility and reporting.<br />
<br />
Here's where IPFire's firewall-based approach delivers something DNS-only solutions simply cannot: complete visibility into what's happening on your network.<br />
<br />
This isn't just blocking - it is <b>threat intelligence</b>. If you see malware connection attempts from a device on your network, you now know that device may be compromised and needs investigation.<br />
<br />
IPFire's recently added PDF reports include detailed information about blocked connections, including the actual hostnames involved. Over time, this builds a picture of threat activity on your network. Which devices are most frequently attempting malicious connections? What types of threats are you seeing? (Malware? Phishing? Tracking?) Are there patterns that suggest a compromised device or insider threat?<br />
<br />
<b>Why IPFire Goes Further Than Pi-hole and DNS-Only Solutions</b><br /><br />Pi-hole and similar DNS-based blockers are fantastic tools - they are lightweight, effective, and have built vibrant communities. But they're fundamentally limited by what they can see: DNS queries only.<br />
<br />
IPFire, as a full firewall solution, sees every packet that traverses your network. This positional advantage enables capabilities that DNS-only solutions simply cannot provide.<br />
<br />
This isn't about Pi-hole being inadequate - it is about understanding that firewalls and DNS resolvers solve different problems. Pi-hole is excellent for network-wide ad blocking and basic malware filtering at the DNS layer. IPFire is a security-focused firewall with deep packet inspection capabilities.<br />
<br />
If you want comprehensive threat detection, visibility into encrypted traffic, and alerts when devices on your network attempt malicious connections, you need firewall-level inspection. That's what IPFire delivers.<br />
<br />
<b>Enabling IPFire DBL in Suricata</b><br /><br />If you're running IPFire Core Update 200 (currently in testing), enabling IPFire DBL filtering through Suricata is straightforward.<ul><li>Navigate to the IPS page in the Firewall section of your IPFire web interface</li>
<li>Add IPFire DBL as a rule provider - You'll see IPFire DBL listed as an available rule source</li>
<li>Select your categories - Choose which IPFire DBL categories you want Suricata to enforce: Malware, Phishing, Advertising, Pornography, Gambling, Games, <a href="https://www.ipfire.org/dbl#lists" target="_blank">and more</a></li>
</ul><br />
You may customise the ruleset to only enable some of the protocols, but most users will want to enable all four protocols for maximum coverage.<br />
<br />
Apply changes - Suricata will download the latest IPFire DBL rules and begin enforcement.<br />
<br />
If you are not running IPFire, I would first of all recommend that you should. But you can still use IPFire DBL as it is described in the <a href="https://www.ipfire.org/dbl/how-to-use#suricata" target="_blank">How To Use? section</a> on the IPFire DBL website.<br />
<br />
<b>The Future of Network Security</b><br /><br />IPFire DBL + Suricata represents a fundamental shift in how we think about domain-based filtering. This isn't just about blocking websites - it is about detecting threats, gaining visibility, and protecting your network across every protocol.<br />
<br />
DNS filtering has its place, and it is effective for what it does. But as threats evolve and increasingly bypass DNS through encrypted channels, hardcoded IPs, and alternative protocols, we need solutions that evolve with them.<br />
<br />
IPFire gives you that evolution: a firewall that sees everything, inspects what matters, and tells you when something is wrong.<br />
<br />
<b>Get Started Today</b><br /><br />Core Update 200 is in testing now and will be released in the coming weeks. Keep an eye on the update notifications, and be ready to enable this powerful new capability.<br />
<br />
This is network security done right. This is IPFire.<br />
<br />
<br />
<a href="https://www.ipfire.org/blog/beyond-dns-ipfire-dbl-suricata-close-the-filtering-gap" target="_blank">More...</a>]]></content:encoded>
			<category domain="https://n00bunlimited.net/home/forum/site-news/ipfire">Ipfire</category>
			<dc:creator>siosios</dc:creator>
			<guid isPermaLink="true">https://n00bunlimited.net/home/forum/site-news/ipfire/80472-beyond-dns-ipfire-dbl-suricata-close-the-filtering-gap</guid>
		</item>
		<item>
			<title>Introducing IPFire DBL: Community-Powered Domain Blocking for Everyone</title>
			<link>https://n00bunlimited.net/home/forum/site-news/ipfire/80471-introducing-ipfire-dbl-community-powered-domain-blocking-for-everyone</link>
			<pubDate>Wed, 11 Feb 2026 13:01:27 GMT</pubDate>
			<description>We have been working on something for months that addresses a problem we have had for years: IPFire DBL (Domain Blocklist) - a comprehensive,...</description>
			<content:encoded><![CDATA[<br />
<br />
We have been working on something for months that addresses a problem we have had for years: <b>IPFire DBL</b> (Domain Blocklist) - a comprehensive, community-driven domain blocking solution that gives <i>you</i> control over what gets blocked in your network.<br />
<br />
For years, we have not been happy with what was available on the market - neither free nor commercial solutions give IPFire users what they actually need. The typical approach is one massive blocklist that tries to be everything to everyone. This is wasteful in terms of resources and memory consumption, and worse, it takes the decision-making power away from <b>you</b>.<br />
<br />
We also noticed a troubling pattern: many sources aggregate data from various places without having the legal rights to redistribute them under new terms. We wanted to build something with real legal certainty.<br />
<br />
<b>IPFire DBL</b> is our answer: give users the power to choose what fits their use case, and give them a way to work together to strengthen these lists over time.<br />
<br />
We wanted to do better. So we built IPFire DBL from the ground up to solve these problems. Here's what makes it different:<br />
<br />
<b>IPFire DBL Is Built On These Core Principles</b><br /><br /><b>Categorization, Not Dictation</b><br /><br />Instead of forcing you to accept someone else's blocking decisions, IPFire DBL organises millions of domains into specific categories. Want to block malware and advertising but allow gaming sites? No problem. Need to filter pornography and gambling in an educational environment? You choose exactly what fits your use case.<br />
<br />
Currently we have curated the following categories:<ul><li><b>Malware</b> - Block malicious domains before they deliver payloads or establish command-and-control connections</li>
<li><b>Phishing</b> - Stop credential theft by blocking fraudulent domains at the network level</li>
<li><b>Advertising</b> - Reclaim bandwidth and protect privacy by blocking tracking at the source</li>
<li><b>Pornography</b> - Network-wide content filtering across all devices</li>
<li><b>Gambling</b> - Prevent access to betting sites and online casinos</li>
<li><b>Games</b> - Focus by blocking gaming platforms</li>
<li><b>DNS-over-HTTPS</b> - Maintain network visibility and prevent DNS policy bypass</li>
<li>...<a href="https://www.ipfire.org/dbl#lists" target="_blank">and more</a></li>
</ul><br />
<b>Open Standards - Built for Integration</b><br /><br />IPFire DBL is not locked into one format or one way of doing things. We have built it on open standards so you can use it however works best for your setup:<ul><li>DNS Response Policy Zones (RPZ) - Industry-standard DNS blocking with full AXFR/IXFR zone transfer support, for instant updates</li>
<li>Squidguard format - Ready for proxy-based filtering</li>
<li>Direct HTTPS downloads - Multiple plaintext formats for maximum compatibility</li>
<li>Adblock Plus format - Standard filter list syntax</li>
</ul><br />
Whether you are integrating into enterprise DNS infrastructure or a home network setup, the technical foundation is there.<br />
<br />
<b>Performance and Community Engagement</b><br /><br />With hourly updates and millions of domains under active curation, IPFire DBL stays current with the ever-changing threat landscape. But what really sets us apart is our community reporting tool.<br />
<br />
Found a false positive? Discovered a malicious domain we haven't caught yet? <a href="https://www.ipfire.org/dbl/report" target="_blank">Our online reporting system</a> lets you submit feedback directly, and we can push corrections fast. This is blocking powered by community intelligence.<br />
<br />
<b>Coming to IPFire Core Update 200</b><br /><br />If you are an IPFire user, you will see IPFire DBL integration in the upcoming Core Update 200 through both the URL Filter and&#8212;here's where it gets exciting&#8212;Suricata.<br />
<br />
We are testing a brand new way to apply domain intelligence through Suricata that will give you unprecedented visibility into your network activity while enforcing your blocking policies. We will be sharing much more about this Suricata integration in a follow-up post next week, but trust us: this is going to open up possibilities we have never had before in IPFire.<br />
<br />
<b>Available for Everyone</b><br /><br />The <a href="https://git.ipfire.org/?p=dbl.git;a=summary" target="_blank">code</a> that is driving IPFire DBL is licensed under GPLv3+ and the currently available lists are released under the Creative Commons Attribution-ShareAlike 4.0 (CC BY-SA 4.0) license. This is a community resource, and we want everyone to benefit from it.<br />
<br />
Because we have built IPFire DBL on industry-standard formats like RPZ, SquidGuard, and Adblock Plus syntax, you can integrate it into virtually any DNS resolver, firewall, or filtering solution. Whether you are using BIND, Unbound, PowerDNS, Pi-hole, browser extensions, or commercial firewall appliances&#8212;if it supports standard filtering formats, it supports IPFire DBL.<br />
<br />
New to domain filtering? Check out our <a href="https://www.ipfire.org/dbl/how-to-use" target="_blank">How to Use?</a> guide for step-by-step integration instructions for popular DNS resolvers, browser extensions, and network filtering tools.<br />
<br />
<b>A Community Effort - and We Need You</b><br /><br />This project represents months of development, but it's something the IPFire community has wanted for years. We've built the foundation, and now we need your help to take it further.<br />
<br />
However, as an open-source project, we're limited by one crucial resource: time.<br />
<br />
To take IPFire DBL to the next level&#8212;including features like DNS Response Policy Zones (RPZ) integration in IPFire&#8212;we need community support. <a href="https://www.ipfire.org/donate" target="_blank">We are launching a small fundraiser</a> to help us dedicate the development time needed to build these advanced features.<br />
<br />
Head over to <a href="https://www.ipfire.org/dbl" target="_blank">www.ipfire.org/dbl</a> to start using the lists today - and if IPFire DBL solves a problem for you, if it saves you time, or if you simply believe in community-driven security tools, please consider supporting this effort. Together, we can build something that does not just serve IPFire users - it serves everyone who believes in a safer, more controllable internet.<br />
<br />
This is just the beginning - let's see what we can build together.<br />
<br />
<br />
<a href="https://www.ipfire.org/blog/introducing-ipfire-dbl-community-powered-domain-blocking-for-everyone" target="_blank">More...</a>]]></content:encoded>
			<category domain="https://n00bunlimited.net/home/forum/site-news/ipfire">Ipfire</category>
			<dc:creator>siosios</dc:creator>
			<guid isPermaLink="true">https://n00bunlimited.net/home/forum/site-news/ipfire/80471-introducing-ipfire-dbl-community-powered-domain-blocking-for-everyone</guid>
		</item>
	</channel>
</rss>
