IPFire 2.29 Core Update 200: Linux 6.18 LTS and DBL Preview
IPFire 2.29 Core Update 200 brings Linux 6.18 LTS, the new Domain Blocklist system, numerous package updates, and important performance improvements.
The developers of the free firewall distribution IPFire have released Core Update 200 for version 2.29. The update brings Linux 6.18.7 LTS and a preview version of their Domain Blocklist system, DBL. It also includes important security fixes for OpenSSL and performance optimizations for the DNS proxy Unbound.
According to IPFire, the new kernel 6.18.7 LTS improves network performance through optimized throughput and lower latencies. It also expands packet filtering capabilities and integrates current hardware security mechanisms. For users, this means more stable connections under high load and faster packet processing.
A critical change affects ReiserFS users: the kernel has marked the file system as obsolete. Affected IPFire installations cannot install the update. Users must back up their data, set up the system anew with a modern file system like ext4 or Btrfs, and then restore the data. IPFire had already warned about this via the web interface, but migration requires planning.
DBL as Shalla List successor
With DBL (Domain Blocklist), IPFire introduces its own categorized blocklist system, developed in response to the discontinuation of Shalla-List in January 2022. The beta version allows blocking malware, phishing, advertising, pornography, gambling, gaming sites, and DoH servers. The community curates the list and updates it hourly.
DBL can be used via the URL filter for proxy blocking or via Suricata for deep packet inspection. The latter enables more comprehensive control over DNS, TLS, HTTP, and QUIC with detailed alert information. The community can report incorrect entries or add new threats via online reporting.
DBL is available under open licenses: the code is available under GPLv3+, the data under CC BY-SA 4.0. The system is compatible with Pi-hole, BIND, Unbound, pfSense, SquidGuard, and Adblock-Plus. IPFire already introduced DBL at the beginning of the year.
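To make the "compatible with Unbound" point concrete, here is an added example (not IPFire's DBL code, and not the project's own tooling) that turns a plain one-domain-per-line blocklist into Unbound `local-zone` statements, which is how a domain list becomes a DNS-level filter. The list format, the sample entries and the `always_nxdomain` action are assumptions for the example; the real DBL export format may differ.

```python
"""Convert a plain domain blocklist into Unbound local-zone statements.

Added example, not IPFire's DBL code. It assumes the list is one domain per
line with '#' comments (a constructed sample is embedded below); the real
DBL export format may differ.
"""
import re
from typing import Iterable

# Constructed sample list, in the one-domain-per-line shape many blocklists use.
SAMPLE_LIST = """\
# category: malware (constructed sample, not real DBL data)
malware-example.test
Phishing-Example.TEST   # mixed case, trailing comment
ads.example.invalid
not a domain!
malware-example.test    # duplicate, should be dropped
sub.ads.example.invalid # covered by parent zone, should be dropped
"""

# Conservative hostname check: dotted labels of letters/digits/hyphens,
# no leading or trailing hyphen, 1-63 chars per label.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def parse_domains(text: str) -> list[str]:
    """Return the valid, normalised, de-duplicated domains in a blocklist."""
    seen: set[str] = set()
    out: list[str] = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry or len(entry) > 253 or not _DOMAIN_RE.match(entry):
            continue  # comments, blank lines and malformed entries are skipped
        if entry not in seen:
            seen.add(entry)
            out.append(entry)
    return out


def drop_covered(domains: Iterable[str]) -> list[str]:
    """Remove entries that are subdomains of another blocked zone.

    Unbound's local-zone matches a name and everything below it, so
    'sub.ads.example.invalid' is redundant once 'ads.example.invalid' is blocked.
    """
    blocked = set(domains)
    kept = []
    for d in blocked:
        parts = d.split(".")
        parents = {".".join(parts[i:]) for i in range(1, len(parts))}
        if not (parents & blocked):
            kept.append(d)
    return sorted(kept)


def to_unbound_conf(domains: Iterable[str], action: str = "always_nxdomain") -> str:
    """Render local-zone lines for Unbound's server: section.

    'always_nxdomain' answers NXDOMAIN for the zone and every name under it;
    'always_refuse' and 'static' are the other common choices.
    """
    lines = [f'    local-zone: "{d}." {action}' for d in drop_covered(domains)]
    return "server:\n" + "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Writes a server: block that can be included from unbound.conf.
    print(to_unbound_conf(parse_domains(SAMPLE_LIST)))
```

The parent-zone collapse matters in practice: a categorized list with tens of thousands of entries shrinks noticeably once redundant subdomains are removed, and every remaining `local-zone` still covers all names beneath it.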
Performance improvements and security fixes
The DNS proxy Unbound now uses multi-threading with one thread per CPU core instead of a single thread. This parallelizes DNS queries and leads to faster response times, especially on multi-core systems serving many clients. PPP now sends LCP keepalives only when the link is idle, saving overhead on DSL, 4G, and 5G connections.
OpenSSL 3.6.1 fixes several security vulnerabilities. The most severe is CVE-2025-15467: a stack overflow in CMS/AEAD with potential remote code execution (high severity). Other fixes include CVE-2025-11187 (PKCS#12 buffer overflow, CVSS 6.1, medium) and CVE-2025-66199 (TLS 1.3 denial of service due to large memory allocations per connection). glibc also received fixes for several CVEs (CVE-2026-0861, CVE-2026-0915, CVE-2025-15281).
Changes have been made to the OpenVPN configuration: MTU, OTP, and CA parameters are no longer stored in client configs but are centrally pushed by the server. This increases flexibility and compatibility, for example, when importing into NetworkManager. However, older clients might experience problems as a result. Central control is intended to minimize configuration errors and fragmentation issues.
DBL forms the basis for a planned DNS firewall in IPFire, which is intended to enable native content filtering at the DNS level against advertising and malware, independent of proxies. The IPFire developers thanked the community for their support through feedback and donations. Details on Core Update 200 can be found in the Release Notes.
(fo)