IPFire
ipfire.org HardwareIPFire is a hardened, versatile, state-of-the-art Open Source firewall based on Linux. Easy to install on a raspberry Pi, since it is lightweight and heavily customizable.
- Homepage: ipfire.org
- GitHub: github.com/ipfire/ipfire-2.x
- Web info: web-check.xyz/results/ipfire.org
IPFire Source Code
Author
Description
IPFire 2.x development tree
Homepage
License
Created
15 Jan 13
Last Updated
29 Apr 24
Latest version
Primary Language
Perl
Size
93,562 KB
Stars
146
Forks
69
Watchers
146
Language Usage
Star History
Top Contributors
- @mtremer (6512)
- @pmu-ipf (1570)
- @DaStevee (1314)
- @jonaschl (179)
- @jtuecking (172)
- @Leyvur (69)
- @ummeegge (67)
- @alfh (58)
- @RobinR1 (41)
- @teissler (25)
- @realglotzi (23)
- @Arne-F (21)
- @Starkstromkonsument (16)
- @jiweigert (14)
- @larsen0815 (12)
- @SaschaKilian1983 (7)
- @sonic42 (6)
- @fischerm42 (6)
- @mcbridematt (5)
- @MEitelwein (5)
- @steph78630 (5)
- @ramaxlo (4)
- @hadfl (4)
- @Smookydope (4)
- @rollopack (3)
- @dutchtux (3)
- @wapolinar (3)
- @sgislain (2)
- @ric161 (2)
- @zdroyer (2)
Recent Commits
- Michael Tremer (09 Apr 24)
suricata: Change midstream policy to "pass-flow" Pass packet isn't allowed here. Signed-off-by: Michael Tremer <[email protected]>
- Adolf Belka (08 Apr 24)
configroot: Add in LOGDROPHOSTILExxx values - I checked out doing a fresh install of CU184 and found that although the LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT entries were selected as "on" the values were not in the /var/ipfire/optionsfw/settings file. - After some investigfation I realised that when I created the LOGDROPHOSTILE split into incoming and outgoing I had not added them into the configroot lfs file. - This patch adds the two entries and this was tested out with a fresh install and confirmed to update the settings file. Tested-by: Adolf Belka <[email protected]> Signed-off-by: Adolf Belka <[email protected]> Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (08 Apr 24)
suricata: Disable Landlock support See #13645 for details. Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (08 Apr 24)
suricata: Update require paths for Landlock Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (08 Apr 24)
suricata: Enable midstream scanning We require this because Suricata might be restarted due to development or rule refreshment purposes. We should then try to resume any decoders/app-layers wherever possible. Signed-off-by: Michael Tremer <[email protected]>
- Stefan Schantl (05 Apr 24)
suricata: Set midstream-policy to pass-packet Set this value to the same as the exception-policy to keep in sync and hopefully have the same behaviour. In case this option is not set an ugly message about a not correctly set value will be logged to syslog during startup. Signed-off-by: Stefan Schantl <[email protected]> Signed-off-by: Michael Tremer <[email protected]>
- Stefan Schantl (05 Apr 24)
suricata: Enable landlock security feature This will limit the suricata process to only read and write to a certain files/directories. Signed-off-by: Stefan Schantl <[email protected]> Signed-off-by: Michael Tremer <[email protected]>
- Stefan Schantl (05 Apr 24)
suricata: Set exception-policy to pass-packet This simply will skip processing a packet that caused an exception and will allow Suricata to process all following packets of a flow. Reference: #13638 Signed-off-by: Stefan Schantl <[email protected]> Signed-off-by: Michael Tremer <[email protected]>
- Stefan Schantl (05 Apr 24)
suricata: Update suricata.yaml Updata the configuration file for suricata 7. This includes: * Default values for newly introduced features and parsers * Enable recently added protocol parsers for HTTP2, QUIC, Telnet and Torrent * Update of URL for documentation * Fixes of various typos and other clarifications Signed-off-by: Stefan Schantl <[email protected]> Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (03 Apr 24)
suricata: Disable fail-open on NFQUEUE This change causes that if suricata crashes, the NFQUEUE will no longer fall into a mode where ALL packets are being accepted. This used the be the case before which opened the entire firewall. If suricata randomly crashes, we will fall back to the "bypass" mode where packets will bypass suricata, but nothing else. Fixes: #13642 Signed-off-by: Michael Tremer <[email protected]>
- Arne Fitzenreiter (31 Mar 24)
core185: excplicit erase liblzma.so.5.6.* because if this file exist the cleanap script will remove the older version after downgrade and the system still use the malewared version. Signed-off-by: Arne Fitzenreiter <[email protected]>
- Michael Tremer (30 Mar 24)
frr: Bump release version Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (28 Mar 24)
frr: Update reloading all services Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (28 Mar 24)
frr: Start the management daemon, too This daemon is running the configuration validation and required to run at all times. Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (28 Mar 24)
protobuf-c: Ship libraries FRR links against this and fails to start without. Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (30 Mar 24)
make.sh: Update contributors Signed-off-by: Michael Tremer <[email protected]>
- Rico Hoppe (28 Mar 24)
README.md: fix minor typo Signed-off-by: Rico Hoppe <[email protected]> Reviewed-by: Michael Tremer <[email protected]> Signed-off-by: Michael Tremer <[email protected]>
- Rico Hoppe (28 Mar 24)
README.md: update text & adjust links to new URLs - links for: about, documentation, help - wording: wiki to documentation Signed-off-by: Rico Hoppe <[email protected]> Reviewed-by: Michael Tremer <[email protected]> Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (30 Mar 24)
core185: Ship new perl modules for libarchive Signed-off-by: Michael Tremer <[email protected]>
- Stefan Schantl (30 Mar 24)
ids-functions.pl: Use libarchive to extract archives This gives us a lot of benefits: * Speed up the extraction process * More supported archive types due the power of libarchive * Support of passphrase protected archives It also fixes a problem with non extracted files next to a zero sized file inside an archive. Fixes #13632. Signed-off-by: Stefan Schantl <[email protected]> Signed-off-by: Michael Tremer <[email protected]>
- Stefan Schantl (30 Mar 24)
perl-Archive-Peek-Libarchive: New package As very simple XS based perl binding for libarchive to get header data and extract files. Signed-off-by: Stefan Schantl <[email protected]> Signed-off-by: Michael Tremer <[email protected]>
- Stefan Schantl (30 Mar 24)
perl-Object-Tiny: New package This is a runtime dependency of perl-Archive-Peek-Libarchive Signed-off-by: Stefan Schantl <[email protected]> Signed-off-by: Michael Tremer <[email protected]>
- Stefan Schantl (30 Mar 24)
perl-Config-AutoConf: New package This is only a build dependency for perl-Arhive-Peek-Libarchive and will not be installed on a system Signed-off-by: Stefan Schantl <[email protected]> Signed-off-by: Michael Tremer <[email protected]>
- Stefan Schantl (30 Mar 24)
perl-Capture-Tiny: New package This is only a build dependency for perl-Config-AutoConf and will not be installed on a system Signed-off-by: Stefan Schantl <[email protected]> Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (30 Mar 24)
core185: Ship everything that is linked against XZ This is a precautionary step to avoid that we have any issues to face because of a downgrade as new symbols have been added to liblzma 5.6.0. Furthermore, this should avoid shipping any traces of any other potential malware in XZ that has been added in 5.6.0 or after. Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (30 Mar 24)
xz: Remove excess whitespace Signed-off-by: Michael Tremer <[email protected]>
- Adolf Belka (30 Mar 24)
xz: Revert back to version 5.4.5 due to backdoor issue - xz version 5.6.0 and 5.6.1 discovered to have been backdoored by what looks to have been one of the xz devs. - IPFire looks not to be affected by the problem as we don't patch openssh to be linked with liblzma - However due to question marks about what else might be in these 5.6.x versions it is better to revert back to a version that did not have the build-to-host.m4 file with the code that modifies the build if it meets certain criteria. Signed-off-by: Adolf Belka <[email protected]> Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (26 Mar 24)
IPS: Fix how we show EOL providers There is no need to add a legend as I find it confusing. The change that people are using an EOL is rather slim and so I don't to waste space. Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (26 Mar 24)
core185: Fix update.sh syntax issues Signed-off-by: Michael Tremer <[email protected]>
- Adolf Belka (25 Mar 24)
CU185-update.sh: Add drop hostile in & out logging entries if not already present - This v2 patch corrects that the previous script was looking for =on. If a user had modified the preferences to change it to =off then the script would have resulted in both =on and =off versions being in the settings file. - This patch ensures that those people who updated to CU184 before the CU184-update.sh patch fix to add the logging entries was added will get their optionsfw settings file correctly updated with CU185 - This only adds the LOGDROPHOSTILEIN & LOGDROPHOSTILEOUT entries if they do not already exist in the optionsfw settings file. - This change also does the check for LOGDROPHOSTILEIN and LOGDROPHOSTILEOUT as two separate checks and then runs the firewall update command Tested-by: Adolf Belka <[email protected]> Signed-off-by: Adolf Belka <[email protected]> Signed-off-by: Michael Tremer <[email protected]>
IPFire Website
Website
www.ipfire.org - Welcome to IPFire
IPFire is a hardened, versatile, state-of-the-art Open Source firewall based on Linux.
Redirects
Does not redirect
Security Checks
All 66 security checks passed
Server Details
- IP Address 81.3.27.38
- Hostname fw01.ipfire.org
- Location Datteln, Nordrhein-Westfalen, Germany, EU
- ISP Visit www.ipfire.org
- ASN AS24679
Associated Countries
- US
- GB
- DE
Saftey Score
Website marked as safe
100%
Blacklist Check
www.ipfire.org was found on 0 blacklists
- ThreatLog
- OpenPhish
- PhishTank
- Phishing.Database
- PhishStats
- URLhaus
- RPiList Not Serious
- AntiSocial Blacklist
- PhishFeed
- NABP Not Recommended Sites
- Spam404
- CRDF
- Artists Against 419
- CERT Polska
- PetScams
- Suspicious Hosting IP
- Phishunt
- CoinBlockerLists
- MetaMask EthPhishing
- EtherScamDB
- EtherAddressLookup
- ViriBack C2 Tracker
- Bambenek Consulting
- Badbitcoin
- SecureReload Phishing List
- Fake Website Buster
- TweetFeed
- CryptoScamDB
- StopGunScams
- ThreatFox
- PhishFort
Website Preview
IPFire Reviews
More Firewalls
-
Provides simple and advanced ways to block access to the internet. Applications and addresses can individually be allowed or denied access to Wi-Fi and/or mobile connection.
-
Notifies you when an app is trying to access the Internet, so all you need to do is just Allow or Deny. Allows you to create filter rules based on IP address, host name or domain name, and you can allow or deny only specific connections of an app.
Not Open Source -
AFWall+
(Android - Rooted)
xdaforums.com/t/5-0-root-3-6-0-afwall-iptables-firewall-28-aug-2023.1957231Android Firewall+ (AFWall+) is an advanced iptables editor (GUI) for rooted Android devices, which provides very fine-grained control over which Android apps are allowed to access the network.
-
An open-source ad-blocker and firewall app for Android 6+ (does not require root).
-
Firewall app for iPhone, allowing you to block any connection to any domain.
Not Open Source -
Tool to control Windows Filtering Platform (WFP), in order to configure detailed network activity on your PC. (Windows)
-
Free, open source macOS firewall. It aims to block unknown outgoing connections, unless explicitly approved by the user.
-
A very polished application firewall, allowing you to easily manage internet connections on a per-app basis. (Mac OS)
Not Open Source -
Makes internet connections from all apps visible, allowing you to block or manage traffic on a per-app basis. GNU/Linux port of the Little Snitch application firewall.
-
Open source GUI firewall for Linux, allowing you to block internet access for certain applications. Supports both simple and advanced mode, GUI and CLI options, very easy to use, lightweight/ low-overhead, under active maintenance and backed by a strong community.
-
The ufw (Uncomplicated Firewall) is a GUI application and CLI, that allows you to configure a firewall using
iptables
much more easily. -
An open source firewall tool for Linux that builds upon the Netfilter system built into the Linux kernel, making it easier to manage more complex configuration schemes with iptables.
-
Enterprise firewall and router for protecting networks, built on the FreeBSD system.
About the Data: IPFire
API
You can access IPFire's data programmatically via our API.
Simply make a GET
request to:
https://api.awesome-privacy.xyz/networking/firewalls/ipfire
The REST API is free, no-auth and CORS-enabled. To learn more, view the Swagger Docs or read the API Usage Guide.
About the Data
Beyond the user-submitted YAML you see above, we also augment each listing with additional data dynamically fetched from several sources. To learn more about where the rest of data included in this page comes from, and how it is computed, see the About the Data section of our About page.
Share IPFire
Help your friends compare Firewalls, and pick privacy-respecting software and services.
Share IPFire and Awesome Privacy with your network!