The IPFire development team has announced the release of IPFire 2.29 Core Update 194, bringing significant security improvements and feature enhancements to the popular open-source firewall distribution.
This update, released on March 17, 2025, continues the project’s commitment to providing a secure, high-performance network security solution for organizations of all sizes.
At the core of this release is the updated Linux kernel 6.12.23, which delivers important security and stability fixes. Linux 6.12, first introduced to IPFire in Core Update 192, has already demonstrated improvements in encryption performance, with up to 162% faster AES-GCM encryption/decryption on supported Intel and AMD processors, directly benefiting IPsec throughput.
Several critical security vulnerabilities have been addressed in this update. The included expat 2.7.1 package fixes CVE-2024-8176, a stack overflow vulnerability in the libexpat library that could potentially lead to denial-of-service attacks or memory corruption when parsing XML documents with deeply nested entity references.
The xz 5.8.1 update also resolves CVE-2025-31115, a critical vulnerability that could allow for arbitrary code execution through manipulated compressed files.
The firewall functionality has been enhanced with a significant change to outgoing connection handling. Previously, outgoing connections using an Alias IP address would be Network Address Translated (NAT) to the default IP address on the RED interface. This behavior has been modified to maintain the original alias IP address, providing more consistent and predictable network traffic flow.
Linux Firewall IPFire 2.29 Core Update 194 Enhancements
Enhancement | Description |
---|---|
Kernel Update | Linux 6.12.23 with security/stability fixes |
Critical Vulnerability Fixes | CVE-2024-8176 (expat), CVE-2025-31115 (xz) |
libidn2 Adoption | Modern, secure IDN handling |
Alias IP NAT Change | Maintains accurate source IP, improves traffic security |
IPsec Certificate Renewal | Ensures up-to-date VPN credentials |
Package Updates | Security patches for core and add-on packages |
Pakfire Interface Improvements | Reduces risk of misconfiguration |
A notable infrastructure improvement comes with the replacement of libidn with libidn2 throughout the distribution. This change aligns with industry best practices, as libidn2 provides better compatibility with IDNA 2008 standards and offers enhanced security features compared to its predecessor.
The Pakfire package management system, which handles updates and add-ons, has received significant usability improvements. Developer Stephen Cuka contributed enhancements that make the controls more intuitive and clearer, while also improving language translations for international users.
For network monitoring, Zabbix has been updated to version 7.0.11 LTS, which introduces several bug fixes and improvements. Users should note that this represents a major version upgrade that breaks compatibility with Zabbix Server 6.x installations.
Other updated packages include BIND 9.20.8, ca-certificates 20250317, dbus 1.16.2, and numerous system libraries. Popular add-ons have also been refreshed, including Bacula 15.0.2, FFmpeg 7.1.1, Git 2.49.0, and Samba 4.22.0.
The IPFire team recommends that all users upgrade to this release as soon as possible to benefit from these security enhancements and improvements. As with all major updates, users are advised to back up their configurations before upgrading and test the new release in non-critical environments first.