IPFire 2.29 - Core Update 200 is available for testing

  • siosios

    #1


    The IPFire development team is excited to bring you Core Update 200 – a major milestone in the project's history! This release ships with Linux kernel 6.18 LTS, an exciting preview of IPFire DBL (our new domain blocklist system), numerous package updates, performance improvements, security fixes, and plenty of general awesomeness throughout. We're grateful to our community for their continued support in reaching this 200th update, and we hope you enjoy what we've built for you.

    Kernel 6.18

    The IPFire kernel has been rebased on Linux 6.18.7. This new long-term supported release brings various security, performance and stability improvements. This update brings general improvements to network throughput and latency, enhanced packet filtering capabilities, and the latest hardware security mitigations.

    Furthermore, the Linux developers have deprecated support for ReiserFS. If your IPFire installation is running on this filesystem, you will have seen a note on the web user interface for some time and you won't be able to install the update. Instead you will have to re-install using IPFire with a supported file system.

    IPFire Domain Blocklist - or DBL

    Since the infamous Shalla list has been retired, the IPFire web proxy has been in need of a stable source of domains to block if you wish to filter any malware, social networks or adult content from your network. Due to the lack of good sources, and the general desire to provide a solid domain block list to our users, we have now started our own. It is in its baby stages right now and we will have a lot of excitement to share about this in the near future, but for now it will be available in two places:
    • URL Filter: You can now use IPFire DBL to block any access through the proxy
    • Suricata: With launching IPFire DBL, we are now becoming a Suricata rules provider, too. With the new database, you will be able to block any access to banned sites even more thoroughly by allowing the IPS to perform deep packet inspection on DNS/TLS/HTTP/QUIC connections.

    This is currently in an early beta stage and we are happy to receive your feedback and support.

    Misc.

    • Intrusion Prevention System
      • In the last update, it was introduced that Suricata could store signatures in a pre-compiled cache. That cache grew without bounds and could consume significant disk space. In this update, we backported a patch so that Suricata will automatically clean up any unused signatures.
      • The reporter has been updated to include additional information for any alerts using DNS, HTTP, TLS, or QUIC where the hostname and more information will be shown in the alert emails or PDF reports. This will help admins to further investigate any corporate policy violations.
    • OpenVPN:
      • The client configuration will no longer include the MTU. Instead, it will be pushed by the server so that the admin has the liberty to change it later. Some older clients might not support this change.
      • Likewise, the OTP auth token will be pushed by the server if the client has OTP enabled.
      • The client configuration files will no longer include the CA as it is already included in the PKCS12 container. This caused problems when importing connections using NetworkManager on the command line.
    • Wireless Access Point
      • Support for 802.11a/g has been re-introduced
      • Unintentionally, hostapd could log a lot of debugging information if debugging was enabled before
      • PSK values that include more special characters will now be accepted
    • Unbound, the IPFire DNS Proxy, will now launch one thread per CPU core. Formerly it used to run single-threaded, but we expect quicker response times from launching multiple concurrent threads.
    • PPP: IPFire will now only send LCP keep alive packets when there is no traffic. This will slightly save on overhead on DSL and 5G/4G connections.
    • UI
      • The DNS page will now consistently show the legend.
    • OpenSSL has been updated to version 3.6.1 and patched against the following vulnerabilities: CVE-2025-11187, CVE-2025-15467, CVE-2025-15468, CVE-2025-15469, CVE-2025-66199, CVE-2025-68160, CVE-2025-69418, CVE-2025-69419, CVE-2025-69420, CVE-2025-69421, CVE-2026-22795, CVE-2026-22796.
    • glibc has been patched against CVE-2026-0861, CVE-2026-0915 and CVE-2025-15281
    • Updated packages - and as usual, it is a lot: Apache 2.4.66, bash 5.3p9, BIND 9.20.18, coreutils 9.9, cURL 8.18.0, dhcpcd 10.3.0, elinks 0.19.0, glib 2.87.0, GnuPG 2.4.9, GnuTLS 3.8.11, harfbuzz 12.3.0, hwdata 0.403, iana-etc 20251215, intel-microcode 20251111, libarchive 3.8.5, libcap-ng 0.9, libgpg-error 1.58, libidn2 2.3.8, libjpeg 3.1.3, libpcap 1.10.6, libplist 2.7.0, libpng 1.6.53, libtasn1 4.21.0, liburcu 0.15.5, libxcrypt 4.5.1, LVM2 2.03.38, mdadm 4.5, memtest 8.00, meson 1.10.1, newt 0.52.25, ninja 1.13.2, oath-toolkit 2.6.13, OpenVPN 2.6.17, OpenSSL 3.6.1, SQLite 3.51.100, tzdata 2025c, readline 8.3p3, strongSwan 6.0.4, suricata 8.0.3, suricata-reporter 0.6, Rust 1.92.0, Unbound 1.24.2, wireless-regdb 2025.10.07, vim 9.1.2098, xz 5.8.2
    • Updated add-ons: alsa 1.2.15.3, ClamAV 1.5.1, dnsdist 2.0.2, fetchmail 6.6.0, gdb 17.1, Git 2.52.0, fort-validator 1.6.7, freeradius 3.2.8, libtpms 0.10.2, opus 1.6.1, postfix 3.10.6, samba 4.23.4, strace 6.18, tmux 3.6a, Tor 0.4.8.21, tshark 4.6.3


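Added example, not part of the original post and not IPFire's own code: one way a domain blocklist can be turned into Suricata rules that cover the DNS, TLS, HTTP and QUIC inspection the announcement describes. The rule layout, sid range, function names and sample domains are assumptions; the actual IPFire DBL rule format is not shown on this page.

```python
import re

# Hypothetical names throughout; this is not the IPFire DBL rule format.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"          # one LDH label
_DOMAIN = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")

# (rule protocol, sticky buffer, extra modifier). http.host is already
# normalised to lower case by Suricata, so nocase is left out there.
BUFFERS = [
    ("dns", "dns.query", " nocase;"),
    ("tls", "tls.sni", " nocase;"),
    ("http", "http.host", ""),
    ("quic", "quic.sni", " nocase;"),
]

def normalise(entry):
    """Return a clean lower-case domain, or None if the entry is unusable."""
    domain = entry.split("#", 1)[0].strip().lower().rstrip(".")
    if len(domain) > 253 or not _DOMAIN.match(domain):
        return None
    return domain

def build_rules(entries, first_sid=1000000):
    """Emit one drop rule per domain and protocol; return (rules, rejected)."""
    rules, rejected, seen, sid = [], [], set(), first_sid
    for entry in entries:
        domain = normalise(entry)
        if domain is None:
            # Blank and comment-only lines are skipped silently; anything
            # else (e.g. an entry carrying rule syntax) is reported.
            if entry.split("#", 1)[0].strip():
                rejected.append(entry)
            continue
        if domain in seen:
            continue
        seen.add(domain)
        for proto, buf, extra in BUFFERS:
            # dotprefix + endswith matches the domain and its subdomains only.
            rules.append(f'drop {proto} any any -> any any '
                         f'(msg:"Blocklisted domain {domain} ({proto})"; '
                         f'{buf}; dotprefix; content:".{domain}"; endswith;'
                         f'{extra} sid:{sid}; rev:1;)')
            sid += 1
    return rules, rejected

# Constructed sample list: mixed case, a comment, a hostile entry, a duplicate.
SAMPLE = ["Ads.Example.com.", "# comment", 'x.test"; sid:1; content:"',
          "tracker.example.net", "ads.example.com"]

if __name__ == "__main__":
    print("\n".join(build_rules(SAMPLE)[0]))
```

Blocklist entries are untrusted input to a rule file, which is why anything that is not a plain hostname is rejected rather than escaped.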