<?xml version="1.0" encoding="windows-1252"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
	<channel>
		<title>n00b Unlimited - Ipfire</title>
		<link>https://n00bunlimited.net/</link>
		<description>News taken from the IPFire blog</description>
		<language>en</language>
		<lastBuildDate>Sat, 27 Jun 2026 00:31:49 GMT</lastBuildDate>
		<generator>vBulletin</generator>
		<ttl>60</ttl>
		<image>
			<url>https://n00bunlimited.net/images/misc/rss.png</url>
			<title>n00b Unlimited - Ipfire</title>
			<link>https://n00bunlimited.net/</link>
		</image>
		<item>
			<title>IPFire 2.29 - Core Update 203 is available for testing</title>
			<link>https://n00bunlimited.net/home/forum/site-news/ipfire/80483-ipfire-2-29-core-update-203-is-available-for-testing</link>
			<pubDate>Wed, 10 Jun 2026 09:40:21 GMT</pubDate>
			<description><![CDATA[This is the release announcement for IPFire 2.29 &#8211; Core Update 203, which is now available for testing. 
 
This is a substantial update, and its...]]></description>
			<content:encoded><![CDATA[<br />
<br />
This is the release announcement for IPFire 2.29 &#8211; Core Update 203, which is now available for testing.<br />
<br />
This is a substantial update, and its centrepiece is a fundamental change to how IPFire handles DNS: we have replaced Unbound with Knot Resolver, giving us a more flexible foundation and a range of new capabilities, from a DNS Firewall to encrypted upstream forwarding. Alongside it, the WiFi access point gains support for the 6 GHz band, and there are the usual security fixes and package updates throughout. Because these changes reach into a core part of the system, we would especially value your help in testing this release before it reaches everyone.<br />
<br />
<b>DNS: Moving from Unbound to Knot Resolver</b><br /><br />With this release, IPFire replaces its DNS Resolver with Knot Resolver.<br />
<br />
This is a significant change under the hood, and not one we made lightly. Unbound has served IPFire well for many years and remains an excellent resolver. But DNS has quietly become one of the most important parts of the modern network. It is no longer only about turning names into addresses &#8212; it increasingly carries the information other protocols rely on to connect quickly, securely and privately, from encrypted transport to the records clients use to establish encrypted connections. To keep building on top of DNS, we needed a resolver we can extend and integrate deeply with the rest of IPFire. Knot Resolver's modular, scriptable architecture gives us exactly that foundation.<br />
<br />
What this brings you today:<ul><li><b>Encrypted upstream forwarding (DNS over TLS)</b> &#8212; queries to your chosen upstream resolvers can now be sent over TLS, so they can't be read or tampered with in transit.</li>
<li><b>DNS Firewall</b> &#8212; block malware, advertising and whole categories of unwanted domains at the DNS layer.</li>
<li><b>Encrypted zone data (over TLS)</b> &#8212; the DNS Firewall's filtering and policy zones are now pulled over an encrypted connection by zone-sync, a new tool we built in C. Updates are transferred incrementally and can no longer be read or tampered with in transit.</li>
<li><b>SafeSearch</b> &#8212; enforce safe search across the major search engines and YouTube for your whole network.</li>
<li><b>Conditional forwarding</b> &#8212; send queries for specific zones to specific servers. (Note the change below.)</li>
<li><b>Local overrides</b> &#8212; define your own DNS records for local hostnames.</li>
<li><b>DHCP integration</b> &#8212; a custom module makes hostnames from DHCP leases resolvable in DNS, replacing the old Unbound DHCP Leases Bridge with no loss of function.</li>
</ul><br />
Under the hood:<ul><li><b>Persistent Cache</b> &#8212; the cache now survives restarts, so resolution stays fast after a reboot and there's less load on upstream servers.</li>
<li><b>Shared state across multiple workers</b> &#8212; Knot Resolver uses several worker processes that share one cache and state, making efficient use of multiple CPU cores without fragmenting the cache.</li>
</ul><br />
Please note:<br />
<br />
Forwarded zones can no longer be specified as fully-qualified domain names. You now need to replace any entries on the DNS Forwarding page that use FQDNs with IP addresses.<br />
<br />
A note on what went into this release: Replacing the DNS resolver is a large piece of work we have undertaken, and it was far from a drop-in replacement. Alongside integrating Knot Resolver itself, we wrote a good deal of new code &#8212; including custom modules for DHCP and filtering, and zone-sync, a tool we built in C to keep the DNS Firewall's data current over an encrypted connection. Work like this is slow, detailed and largely invisible, and it is only possible because IPFire is supported by the people who rely on it. If this release is useful to you and you would like to see more of it, <a href="https://www.ipfire.org/donate" target="_blank">please consider making a donation</a> &#8212; it is what lets us keep building.<br />
<br />
<b>WiFi: Support for the 6 GHz Band</b><br /><br />The IPFire WiFi access point now supports the 6 GHz band, opening up the spectrum introduced with WiFi 6E and WiFi 7.<br />
<br />
Why this matters:<ul><li><b>More room, less interference</b> &#8212; the 6 GHz band is new and largely empty. Without decades of legacy devices crowding it, wireless clients get cleaner airtime and more stable connections, even in busy neighbourhoods.</li>
<li><b>Wider channels, higher throughput</b> &#8212; the additional spectrum leaves room for many more wide (80 and 160 MHz) channels, so you can run faster connections without them overlapping and interfering with one another.</li>
<li><b>No radar detection, no interruptions</b> &#8212; unlike parts of the 5 GHz band, the 6 GHz band does not require radar detection (DFS). The access point starts up immediately and can never be forced off its channel by a radar event, so there are no sudden dropouts.</li>
</ul><br />
We have also fixed a bug that prevented the access point from starting when a 40 MHz channel width was combined with a manually selected channel.<br />
<br />
<b>Misc.</b><br /><br /><ul><li>AWS: IPFire can now retrieve EC2 instance metadata using IMDSv2, the token-based and more secure version of the metadata service that AWS now recommends and increasingly enforces by default. This means IPFire runs correctly on instances configured to require IMDSv2, while IMDSv1 remains supported for existing deployments.</li>
<li>The microcode for some Intel processors has been updated to version 20260512 to address a vulnerability filed as <a href="https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01420.html" target="_blank">INTEL-SA-01420</a>.</li>
<li>A bug that caused Perl to fail to properly encode/decode UTF-8 strings has been fixed, so the web UI shows translations with non-ASCII characters properly again.</li>
<li>OpenVPN: The icon to download the configuration has been replaced by a clearer version. For Roadwarrior clients with a static IP address allocation, the name of the subnet is now shown next to the connection.</li>
<li>sysklogd will now listen on localhost again, which is useful for chrooted processes that want to log messages.</li>
<li>Updated packages: BIND 9.20.23, Boost 1.90.0, coreutils 9.11, btrfs-progs 7.0, e2fsprogs 1.47.4, elfutils 0.195, expat 2.8.1, fcron 3.4.1, fontconfig 2.18.1, gdb 17.2, gnupg 2.5.20, GRUB 2.14, grub-btrfs 4.14, iana-etc 20260511, krb5 1.22.2, less 702, libedit 20260512-3.1, libksba 1.8.0, libloc 0.9.19, libunistring 1.4.2, libusb 1.0.30, LuaJIT 2.1.707c12b, LVM2 2.03.41, meson 1.11.1, nettle 4.0, OpenVPN 2.7.4, rrdtool 1.10.3, SQLite 3.53.1, strongswan 6.0.7 (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2026-47895" target="_blank">CVE-2026-47895</a>), util-linux 2.42, vim 9.2.0526, which 2.25, xfsprogs 7.0.1, zone-sync 0.0.2</li>
</ul><br />
<b>Add-Ons</b><br /><br /><ul><li>Updated packages: dnsdist 2.0.6, ntfs-3g 2026.2.25, Postfix 3.11.3, rsync 3.4.3, samba 4.24.2, spice 0.16.0, spice-protocol 0.14.5, tmux 3.6b, tshark 4.6.6</li>
<li>Zabbix Agent: Fixes for OpenVPN 2.7 status parsing and ping error handling have been applied</li>
</ul><br />
<b>Testing and Feedback</b><br /><br />As always, please help us make this release as solid as it can be. If you are able, install Core Update 203 on a test system, put it through its paces &#8212; particularly around DNS resolution, the DNS Firewall and WiFi &#8212; and report anything unexpected on our <a href="https://bugzilla.ipfire.org" target="_blank">bug tracker</a>.<br />
<br />
Your testing and your reports are what let us release with confidence, and we are grateful to everyone who takes the time.<br />
<br />
Thank you for helping us build IPFire.<br />
<br />
<br />
<a href="https://www.ipfire.org/blog/ipfire-2-29-core-update-203-is-available-for-testing" target="_blank">More...</a>]]></content:encoded>
			<category domain="https://n00bunlimited.net/home/forum/site-news/ipfire">Ipfire</category>
			<dc:creator>siosios</dc:creator>
			<guid isPermaLink="true">https://n00bunlimited.net/home/forum/site-news/ipfire/80483-ipfire-2-29-core-update-203-is-available-for-testing</guid>
		</item>
		<item>
			<title>IPFire 2.29 - Core Update 202 released</title>
			<link>https://n00bunlimited.net/home/forum/site-news/ipfire/80482-ipfire-2-29-core-update-202-released</link>
			<pubDate>Tue, 26 May 2026 14:04:47 GMT</pubDate>
			<description>In this release, IPFire 2.29 - Core Update 202, we are fixing the most prominent kernel vulnerabilities of the last few weeks. OpenVPN has been...</description>
			<content:encoded><![CDATA[<br />
<br />
In this release, IPFire 2.29 - Core Update 202, we are fixing the most prominent kernel vulnerabilities of the last few weeks. OpenVPN has been updated to version 2.7, which brings support for Data Channel Offloading, massively upgrading throughput for your OpenVPN tunnels. As usual, this release contains a large number of package updates with various further security fixes.<br />
<br />
We would like to encourage you to install this update as soon as possible to be protected against the unusually large number of vulnerabilities that have been discovered recently in the Linux kernel as well as in lots of other software components. Be sure to reboot your IPFire system afterwards.<br />
<br />
<b>Linux Kernel Security Vulnerabilities</b><br /><br />In this release, the IPFire kernel has been rebased on Linux 6.18.32, which most notably fixes a couple of prominent security vulnerabilities:<ul><li>Dirty Frag &#8212; ESP/IPsec (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2026-43284" target="_blank">CVE-2026-43284</a>) &#8212; A local privilege escalation flaw disclosed on May 7, 2026 in the kernel module providing support for ESP, one of the protocols used for IPsec, allowing an unprivileged local user to escalate to root.</li>
<li>Copy Fail (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2026-31431" target="_blank">CVE-2026-31431</a>) &#8212; A logic flaw in the Linux kernel's cryptographic subsystem, specifically within the algif_aead module of the AF_ALG interface, disclosed April 29, 2026, that lets any unprivileged local user gain root via a tiny exploit on essentially every distribution shipping kernels built since 2017.</li>
</ul><br />
<br />
<br />
While these vulnerabilities are serious for Linux systems in general, IPFire is by design not exposed to the most common attack paths. Both flaws require an unprivileged local user with shell access to the system, and IPFire does not provide unprivileged shell accounts on the firewall - only the administrator has access to the console, and there are no other users logged in. That said, defence in depth matters, and we always recommend keeping systems up to date regardless of whether a known attack path applies, because the next vulnerability may well take a different shape.<br />
<br />
<b>OpenVPN 2.7</b><br /><br />IPFire is now shipping OpenVPN 2.7, which was released earlier this year. Over the last couple of updates, we have already rolled out changes that allow a smooth transition. The highlight of this release is support for Data Channel Offloading (DCO) to the kernel. Instead of passing packets to the OpenVPN daemon for encryption and decryption, the kernel can encrypt or decrypt packets itself, which will massively boost throughput. We have observed throughput jump from 1 GBit/s to 10 GBit/s per tunnel, with reduced jitter and less CPU utilisation due to the kernel's better use of the hardware's crypto acceleration.<br />
<br />
<b>Misc.</b><br /><br /><ul><li>Firewall: Multiple ports in a comma-separated list are now being applied properly (<a href="https://bugzilla.ipfire.org/show_bug.cgi?id=13959" target="_blank">#13959</a>)</li>
<li>Intrusion Prevention System: The IPS no longer logs stats, which used a lot of disk space on some systems. The updater automatically removes any log files, freeing the disk space. The remaining log files are now rotated daily instead of weekly.</li>
<li>The IPFire DNS Proxy is now permitted outbound access without any additional firewall rules.</li>
<li>IPsec: Due to a typo in a script, some automatically generated firewall rules were not removed after a tunnel was shut down. This had no implications other than a growing table of redundant rules.</li>
<li>In glibc, a crafted DNS response can trick gethostbyaddr/gethostbyaddr_r into treating a non-answer section as a valid answer, violating the DNS spec. The result is an out-of-bounds read and bogus hostnames returned to callers &#8212; risky for anything that uses reverse DNS in logging or access decisions (GLIBC-SA-2026-0005).</li>
<li>Updated packages: abseil-cpp 20260107.1, Apache2 2.4.67, autoconf 2.73, BIND 9.20.22, btrfs-progs 6.19.1, cURL 8.20.0, ethtool 7.0, expat 2.8.0, freetype 2.14.3, glib 2.88.1, GnuTLS 3.8.13, groff 1.24.1, harfbuzz 14.2.0, hwdata 0.406, iana-etc 20260409, intel-microcode 20260227, inotify-tools 4.25.9.0, iproute2 7.0.0, ipset 7.24, Knot 3.5.4, libarchive 3.8.7, libcap 2.78, libcap-ng 0.9.3, libedit 20251016-3.1, libgcrypt 1.12.2, libinih 62, libjpeg 3.1.4.1, libpng 1.6.58,  libsodium 1.0.22, liburcu 0.15.6, libxml2 2.15.3, lmdb 0.9.35, LVM2 2.03.40, man-pages 6.18, mdadm 4.6, oath-toolkit 2.6.14, OpenSSH 10.3p1, OpenSSL 3.6.2, OpenVPN 2.7.3, pango 1.57.1, parted 3.7, pciutils 3.15.0, python3-yaml 6.0.3, sed 4.10, SQLite 3.53.0, strongSwan 6.0.6, Suricata 8.0.5, systemd 260.1, texinfo 7.3, tzdata 2026b, Unbound 1.25.1, usb-modeswitch-data 20251207, wireguard-tools 1.0.20260223, XZ 5.8.3</li>
<li>IP Blocklist: Links to the BOGON and BOGON_FULL lists have been updated</li>
</ul><br />
<b>Add-Ons</b><br /><br /><ul><li>Samba: A security researcher working under the pseudonym valent1 has reported two security vulnerabilities in this add-on which are patched in this release:<ul><li>Missing input validation during the join operation allowed authenticated attackers to run arbitrary shell commands as a non-privileged user (CVE pending)</li>
<li>Inappropriate shell command escaping allowed attackers to gain root privileges from a shell using the sambactrl helper binary (CVE pending)</li>
</ul></li>
<li>Who Is Online?: valent1 reported a now-fixed XSS vulnerability for authenticated users (CVE pending)</li>
<li>Updated packages: arpwatch 3.9, dnsdist 2.0.5, ffmpeg 8.1, FRR 10.6.0, htop 3.5.1, iperf3 3.21, Git 2.54.0, HAProxy 3.2.15, keepalived 2.3.4, libid3tag 0.16.4, libmicrohttpd 1.0.5, libmpc 1.4.1, libpciaccess 0.19, libvirt 12.3.0, lldpd 1.0.21, mympd 25.0.1, nano 9.0, ncat 7.99, nfs 2.9.1, nmap 7.99, Postfix 3.11.1, rsync 3.4.2, Samba 4.24.1, Tor 0.4.9.7, transmission 4.1.1, tshark 4.6.5, Zabbix Agent 7.0.24 (LTS) + Monitoring for D-Bus &amp; LLDP</li>
</ul><br />
<hr /><br />
We want to urge you to upgrade your systems so that you aren't vulnerable to the Dirty Frag, Copy Fail and Fragnesia vulnerabilities. Thanks to everyone for giving feedback on the testing release and reporting any problems to Bugzilla.<br />
<br />
If you would like to thank the developers &amp; support their work, <a href="https://www.ipfire.org/donate" target="_blank">please donate</a>, to keep the project moving fast!<br />
<br />
<br />
<a href="https://www.ipfire.org/blog/ipfire-2-29-core-update-202-released" target="_blank">More...</a>]]></content:encoded>
			<category domain="https://n00bunlimited.net/home/forum/site-news/ipfire">Ipfire</category>
			<dc:creator>siosios</dc:creator>
			<guid isPermaLink="true">https://n00bunlimited.net/home/forum/site-news/ipfire/80482-ipfire-2-29-core-update-202-released</guid>
		</item>
		<item>
			<title>IPFire 2.29 - Core Update 202 is available for testing</title>
			<link>https://n00bunlimited.net/home/forum/site-news/ipfire/80479-ipfire-2-29-core-update-202-is-available-for-testing</link>
			<pubDate>Mon, 11 May 2026 08:21:15 GMT</pubDate>
			<description>Today we are proud to present the next challenger stepping into the ring: IPFire 2.29 Core Update 202! In this corner, a brand-new Linux 6.18 kernel....</description>
			<content:encoded><![CDATA[<br />
<br />
Today we are proud to present the next challenger stepping into the ring: IPFire 2.29 Core Update 202! In this corner, a brand-new Linux 6.18 kernel. In the other corner, OpenVPN 2.7 with kernel-accelerated Data Channel Offload, delivering up to 10 Gigabit per second per tunnel. Add to that a long list of important security fixes, package updates, and bug fixes - and you have a release that is ready for testing. So power up your test systems, and let's get readyyyy to upgraaaade!<br />
<br />
<b>Linux Kernel Security Vulnerabilities</b><br /><br />In this release, the IPFire kernel has been rebased on Linux 6.18.28, which most notably fixes a couple of prominent security vulnerabilities:<ul><li>Dirty Frag &#8212; ESP/IPsec (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2026-43284" target="_blank">CVE-2026-43284</a>) &#8212; A local privilege escalation flaw disclosed on May 7, 2026 in the kernel module providing support for ESP, one of the protocols used for IPsec, allowing an unprivileged local user to escalate to root.</li>
<li>Copy Fail (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2026-31431" target="_blank">CVE-2026-31431</a>) &#8212; A logic flaw in the Linux kernel's cryptographic subsystem, specifically within the algif_aead module of the AF_ALG interface, disclosed April 29, 2026, that lets any unprivileged local user gain root via a tiny exploit on essentially every distribution shipping kernels built since 2017.</li>
</ul><br />
While these vulnerabilities are serious for Linux systems in general, IPFire is by design not exposed to the most common attack paths. Both flaws require an unprivileged local user with shell access to the system, and IPFire does not provide unprivileged shell accounts on the firewall - only the administrator has access to the console, and there are no other users logged in. That said, defence in depth matters, and we always recommend keeping systems up to date regardless of whether a known attack path applies, because the next vulnerability may well take a different shape.<br />
<br />
<b>OpenVPN 2.7</b><br /><br />IPFire is now shipping OpenVPN 2.7, which was released earlier this year. Over the last couple of updates, we have already rolled out changes that allow a smooth transition. The highlight of this release is support for Data Channel Offloading (DCO) to the kernel. Instead of passing packets to the OpenVPN daemon for encryption and decryption, the kernel can encrypt or decrypt packets itself, which will massively boost throughput. We have observed throughput jump from 1 GBit/s to 10 GBit/s per tunnel, with reduced jitter and less CPU utilisation due to the kernel's better use of the hardware's crypto acceleration.<br />
<br />
<b>Misc.</b><br /><br /><ul><li>Firewall: Multiple ports in a comma-separated list are now being applied properly (<a href="https://bugzilla.ipfire.org/show_bug.cgi?id=13959" target="_blank">#13959</a>)</li>
<li>Intrusion Prevention System: The IPS no longer logs stats, which used a lot of disk space on some systems. The updater automatically removes any log files, freeing the disk space. The remaining log files are now rotated daily instead of weekly.</li>
<li>The IPFire DNS Proxy is now permitted outbound access without any additional firewall rules.</li>
<li>IPsec: Due to a typo in a script, some automatically generated firewall rules were not removed after a tunnel was shut down. This had no implications other than a growing table of redundant rules.</li>
<li>In glibc, a crafted DNS response can trick gethostbyaddr/gethostbyaddr_r into treating a non-answer section as a valid answer, violating the DNS spec. The result is an out-of-bounds read and bogus hostnames returned to callers &#8212; risky for anything that uses reverse DNS in logging or access decisions (GLIBC-SA-2026-0005).</li>
<li>Updated packages: abseil-cpp 20260107.1, Apache2 2.4.67, autoconf 2.73, BIND 9.20.22, btrfs-progs 6.19.1, cURL 8.20.0, ethtool 7.0, expat 2.8.0, freetype 2.14.3, glib 2.88.1, GnuTLS 3.8.13, groff 1.24.1, harfbuzz 14.2.0, hwdata 0.406, iana-etc 20260409, intel-microcode 20260227, inotify-tools 4.25.9.0, iproute2 7.0.0, ipset 7.24, Knot 3.5.4, libarchive 3.8.7, libcap 2.78, libcap-ng 0.9.3, libedit 20251016-3.1, libgcrypt 1.12.2, libinih 62, libjpeg 3.1.4.1, libpng 1.6.58,  libsodium 1.0.22, liburcu 0.15.6, libxml2 2.15.3, lmdb 0.9.35, LVM2 2.03.40, man-pages 6.18, mdadm 4.6, oath-toolkit 2.6.14, OpenSSH 10.3p1, OpenSSL 3.6.2, OpenVPN 2.7.3, pango 1.57.1, parted 3.7, pciutils 3.15.0, python3-yaml 6.0.3, sed 4.10, SQLite 3.53.0, strongSwan 6.0.6, Suricata 8.0.4, systemd 260.1, texinfo 7.3, tzdata 2026b, Unbound 1.25.0, usb-modeswitch-data 20251207, wireguard-tools 1.0.20260223, XZ 5.8.3</li>
<li>IP Blocklist: Links to the BOGON and BOGON_FULL lists have been updated</li>
</ul><br />
<b>Add-Ons</b><br /><br /><ul><li>Updated packages: arpwatch 3.9, dnsdist 2.0.5, ffmpeg 8.1, FRR 10.6.0, htop 3.5.1, iperf3 3.21, Git 2.54.0, HAProxy 3.2.15, keepalived 2.3.4, libid3tag 0.16.4, libmicrohttpd 1.0.5, libmpc 1.4.1, libpciaccess 0.19, libvirt 12.3.0, lldpd 1.0.21, mympd 25.0.1, nano 9.0, ncat 7.99, nfs 2.9.1, nmap 7.99, Postfix 3.11.1, rsync 3.4.2, Samba 4.24.1, Tor 0.4.9.7, transmission 4.1.1, tshark 4.6.5, Zabbix Agent 7.0.24 (LTS) + Monitoring for D-Bus &amp; LLDP</li>
</ul><br />
<hr /><br />
As always, this update would not be possible without the hard work of the IPFire developers, the wider open-source community whose projects we ship, and everyone who tests, reports bugs, and contributes patches. If you would like to support the continued development of IPFire, please <a href="https://www.ipfire.org/donate" target="_blank">donate</a> - every contribution helps us keep the project independent and moving forward.<br />
<br />
Happy testing!<br />
<br />
<br />
<a href="https://www.ipfire.org/blog/ipfire-2-29-core-update-202-is-available-for-testing" target="_blank">More...</a>]]></content:encoded>
			<category domain="https://n00bunlimited.net/home/forum/site-news/ipfire">Ipfire</category>
			<dc:creator>siosios</dc:creator>
			<guid isPermaLink="true">https://n00bunlimited.net/home/forum/site-news/ipfire/80479-ipfire-2-29-core-update-202-is-available-for-testing</guid>
		</item>
		<item>
			<title>IPFire 2.29 - Core Update 201 released - with DNS Firewall</title>
			<link>https://n00bunlimited.net/home/forum/site-news/ipfire/80477-ipfire-2-29-core-update-201-released-with-dns-firewall</link>
			<pubDate>Tue, 28 Apr 2026 08:30:21 GMT</pubDate>
			<description><![CDATA[We are pleased to announce the release of IPFire 2.29 &#8212; Core Update 201, and with it, the most significant expansion of IPFire's capabilities in...]]></description>
			<content:encoded><![CDATA[<br />
<br />
We are pleased to announce the release of <b>IPFire 2.29 &#8212; Core Update 201</b>, and with it, the most significant expansion of IPFire's capabilities in years. This release delivers the long-awaited DNS Firewall, a feature that transforms how IPFire protects the networks it sits in front of &#8212; along with a major toolchain rebase, a wide range of package updates, and improvements across the entire system.<br />
<br />
For many of you, this is the release you have been waiting for. For the rest of you &#8212; once you see what it does, it will be.<br />
<br />
<b>Hello DNS Firewall</b><br /><br />The wait is over. One of the most requested features in IPFire's history is finally here, and it fundamentally changes what your firewall is capable of. The DNS Firewall transforms IPFire from a network gatekeeper into an active threat eliminator &#8212; blocking malware, phishing, advertising, and unwanted content before a single byte of malicious data ever touches your network. <br />
<br />
For full details, see the <a href="https://www.ipfire.org/docs/configuration/firewall/dns" target="_blank">DNS Firewall documentation</a> and the <a href="https://www.ipfire.org/docs/roadmap/dns-firewall" target="_blank">DNS Firewall roadmap page</a>.<br />
<br />
<b>How it works</b><br /><br />Every device on your network resolves domain names through IPFire's DNS proxy. The DNS Firewall sits inside that pipeline and evaluates every query against <a href="https://www.ipfire.org/dbl" target="_blank">IPFire DBL</a> &#8212; our own curated, continuously updated domain blocklist &#8212; before a response ever reaches the client. Blocked domains receive an NXDOMAIN response: to the client, the domain simply does not exist. No connection is attempted, no content is fetched, and no trace of the request leaves your network.<br />
<br />
As a first to offer this to a large user-base, blocklist updates are delivered via IXFR &#8212; incremental DNS zone transfers directly into the DNS proxy &#8212; meaning your lists are refreshed within the hour, automatically, with no manual intervention and minimal bandwidth overhead.<br />
<br />
<b>Goodbye URL Filter. Goodbye Pi-hole.</b><br /><br />If you have been running the URL Filter, you already understand the frustration: clients need explicit proxy configuration, HTTPS inspection is a minefield, and the entire approach was designed for a web that no longer exists. If you have been running a Pi-hole alongside IPFire to compensate, you have been maintaining a second device, a second software stack, and a second security boundary &#8212; all to do something your firewall should have been doing all along.<br />
<br />
The DNS Firewall replaces both. It requires no client configuration, no additional hardware, and no compromises. Your firewall is already the single point through which all DNS traffic flows &#8212; it has always been the right place for this.<br />
<br />
<b>Miscellaneous Improvements</b><br /><br /><ul><li><b>Intrusion Prevention System</b> It is now possible to configure different recipients for daily, weekly, and monthly IDS reports &#8212; useful for teams where different people are responsible for different reporting cadences.</li>
<li><b>RISC-V</b> <a href="https://n00bunlimited.net//users/arne_f" target="_blank">Arne.F</a> has updated the kernel configuration on the <a href="https://nightly.ipfire.org/next/latest/riscv64/" target="_blank">experimental build for RISC-V devices</a>.</li>
<li><b>Network Installer</b> The installer now allocates more disk space when booting from the network, accommodating the increased size of the ISO download.</li>
<li><b>Rust Cleanup</b> <a href="https://n00bunlimited.net//users/stevee" target="_blank">Stefan Schantl</a> has removed Rust packages that were no longer needed in the distribution, reducing build overhead and attack surface.</li>
<li><b>Web Proxy Firewall Rules</b> Rules are now created with the --wait flag, preventing race conditions during rule insertion.</li>
<li><b>Toolchain Update</b> IPFire has been rebased on the latest versions of glibc 2.43 and GNU binutils 2.46.0. These are the fundamental libraries and binary tools that underpin all userspace components inside IPFire. Keeping them current ensures better hardware support, improved security hardening, and a solid foundation for all packages built on top of them.</li>
<li>The following packages have been updated in this release: asciidoctor 2.0.26, BIND 9.20.20, binutils 2.46.0, ccache 4.12.3, conntrack-tools 1.4.9, coreutils 9.10, dejagnu 1.6.3, expat 2.7.4, fuse 3.18.1, gettext 1.0, glibc 2.43, harfbuzz 12.3.2, hwdata 0.404, intel-microcode 20260210, iptables 1.8.12, jansson 2.15.0, krb5 1.22.1, less 692, libgcrypt 1.12.0, libnetfilter_conntrack 1.1.1, libpng 1.6.55, libtalloc 2.4.4, libuv 1.52.0, libxcrypt 4.5.2, m4 1.4.21, ncurses 6.6, OpenVPN 2.6.19, OpenSSL 3.6.1, p11-kit 0.26.2, PAM 1.7.2, procps 4.0.6, Ruby 4.0.1, suricata-reporter 0.7, vim 9.1.2147, wireless-regdb 2026.02.04, xfsprogs 6.18.0, zlib-ng 2.3.3</li>
</ul><br />
<b>Add-ons</b><br /><br /><ul><li><b>Wireless Access Point</b><ul><li>The description for the Neighbourhood Scan was previously inverted and has been corrected.</li>
<li><a href="https://n00bunlimited.net//users/bonnietwin" target="_blank">Adolf Belka</a> has contributed a Dutch translation for this package.</li>
</ul></li>
<li>Updated Add-on Packages: ddrescue 1.30, fping 5.5, Git 2.53.0, minicom 2.11, nano 8.7.1, nfs 2.8.5, Postfix 3.10.7, Samba 4.23.5, tshark 4.6.4</li>
<li>The 7zip package has been removed from the add-on collection. The upstream project is no longer maintained, and continuing to ship unmaintained software is not consistent with IPFire's security posture.</li>
</ul><br />
<hr /><br />
This release is the product of years of work &#8212; from building IPFire DBL into a category-rich, continuously maintained blocklist, to engineering IXFR-based delivery straight into the DNS proxy, to the countless smaller improvements that make it all tie together. Our thanks go to every developer, tester, and community member who helped get us here, and in particular to those who ran the testing release and sent us the feedback that made this stable release possible.<br />
<br />
Please install this update through Pakfire as usual. As with every Core Update, we recommend rebooting after installation to ensure all components are running the new versions.<br />
<br />
If you find a problem, please report it on the <a href="https://community.ipfire.org" target="_blank">IPFire community forum</a> or the <a href="https://bugzilla.ipfire.org" target="_blank">bug tracker</a>. And if IPFire is useful to you, <a href="https://www.ipfire.org/donate" target="_blank">please consider supporting the project</a> &#8212; it is what keeps releases like this one possible.<br />
<br />
<br />
<a href="https://www.ipfire.org/blog/ipfire-2-29-core-update-201-released-with-dns-firewall" target="_blank">More...</a>]]></content:encoded>
			<category domain="https://n00bunlimited.net/home/forum/site-news/ipfire">Ipfire</category>
			<dc:creator>siosios</dc:creator>
			<guid isPermaLink="true">https://n00bunlimited.net/home/forum/site-news/ipfire/80477-ipfire-2-29-core-update-201-released-with-dns-firewall</guid>
		</item>
	</channel>
</rss>
