IPFire
ipfire.org
A hardened, versatile, state-of-the-art open source firewall based on Linux. Its ease of use, high performance and extensibility make it usable for everyone.
- Homepage: ipfire.org
- GitHub: github.com/ipfire/ipfire-2.x
- Web info: web-check.xyz/results/ipfire.org
IPFire Source Code
- Description: IPFire 2.x development tree
- Created: 15 Jan 13
- Last Updated: 03 Sept 24
- Primary Language: Perl
- Size: 92,477 KB
- Stars: 157
- Forks: 73
- Watchers: 157
Top Contributors
- @mtremer (6963)
- @pmu-ipf (1587)
- @DaStevee (1334)
- @jonaschl (179)
- @jtuecking (172)
- @Leyvur (69)
- @ummeegge (67)
- @alfh (58)
- @RobinR1 (42)
- @teissler (25)
- @realglotzi (23)
- @Arne-F (21)
- @Starkstromkonsument (16)
- @jiweigert (14)
- @larsen0815 (12)
- @SaschaKilian1983 (7)
- @sonic42 (6)
- @fischerm42 (6)
- @mcbridematt (5)
- @MEitelwein (5)
- @steph78630 (5)
- @ramaxlo (4)
- @hadfl (4)
- @Smookydope (4)
- @wapolinar (3)
- @dutchtux (3)
- @ric211 (3)
- @rollopack (3)
- @lentferj (2)
- @JonMurphy (2)
Recent Commits
- Michael Tremer (03 Sept 24)
core188: Ship OpenSSL Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (03 Sept 24)
openssl: Update to 3.3.2

Possible denial of service in X.509 name checks (CVE-2024-6119)
===============================================================

Severity: Moderate

Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.

Impact summary: Abnormal termination of an application can cause a denial of service.

Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an `otherName` subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program.

Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address.

TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a "reference identifier" (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate.

The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. OpenSSL 1.1.1 and 1.0.2 are also not affected by this issue.

OpenSSL 3.3, 3.2, 3.1 and 3.0 are vulnerable to this issue.

Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (29 Aug 24)
.gitignore: Keep ignoring the deleted doc files Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (28 Aug 24)
make.sh: Don't try to create a time NS on older kernels This is not supported on kernels < 5.6. Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (28 Aug 24)
make.sh: Bind-mount /proc as a workaround for unshare unshare seems to want to change the mount propagation for /proc before it has been mounted. In order to work around that problem, we bind-mount /proc to itself before. Signed-off-by: Michael Tremer <[email protected]>
- Adolf Belka (26 Aug 24)
openssl: Update to version 3.3.1

  - Update from 3.3.0 to 3.3.1
  - Update of rootfile not required
  - This version has 2 CVE fixes both of which are classified as Low Severity so looks like they can wait for CU189
  - Changelog 3.3.1
    * Fixed potential use after free after SSL_free_buffers() is called. The SSL_free_buffers function is used to free the internal OpenSSL buffer used when processing an incoming record from the network. The call is only expected to succeed if the buffer is not currently in use. However, two scenarios have been identified where the buffer is freed even when still in use. The first scenario occurs where a record header has been received from the network and processed by OpenSSL, but the full record body has not yet arrived. In this case calling SSL_free_buffers will succeed even though a record has only been partially processed and the buffer is still in use. The second scenario occurs where a full record containing application data has been received and processed by OpenSSL but the application has only read part of this data. Again a call to SSL_free_buffers will succeed even though the buffer is still in use. ([CVE-2024-4741])
    * Fixed an issue where checking excessively long DSA keys or parameters may be very slow. Applications that use the functions EVP_PKEY_param_check() or EVP_PKEY_public_check() to check a DSA public key or DSA parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error reason. ([CVE-2024-4603])
    * Improved EC/DSA nonce generation routines to avoid bias and timing side channel leaks.

Signed-off-by: Adolf Belka <[email protected]>
Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (27 Aug 24)
core-updates: Honour the excluded file list This was not implemented when refactoring the code to compress the updater's tarball. Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (23 Aug 24)
make.sh: Integrate the rootfile consistency check Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (23 Aug 24)
make.sh: Refactor the broken rootfile check Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (23 Aug 24)
core-update: Append the release number to the meta file Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (23 Aug 24)
Merge branch 'next'
- Michael Tremer (23 Aug 24)
Run "./make.sh lang" Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (23 Aug 24)
make.sh: Fix printing the total build time Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (21 Aug 24)
Revert "make.sh: Swap mount propagation" This reverts commit f3c360cd6e8daf0431f684bfad9c55f64bad6c7f. Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (21 Aug 24)
make.sh: Remove the brackets from build options Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (21 Aug 24)
core188: Ship suricata and arping because of SO bump in libnet Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (21 Aug 24)
core188: Ship lang.pl Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (21 Aug 24)
guardian.cgi: Use the new service widget Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (21 Aug 24)
header.pl: Fix language loading We have been importing the language files many times when they are actually rather slow. This just tidies this up. Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (21 Aug 24)
header.pl: Remove an unused variable Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (21 Aug 24)
lang.pl: Fix all sorts of whitespace issues No functional changes. Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (21 Aug 24)
index.cgi: Improve the warning box Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (21 Aug 24)
samba.cgi: Fix styling of the configuration form Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (21 Aug 24)
samba.cgi: Use the new service status widget Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (21 Aug 24)
firewall.cgi: Fix messy table striping Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (21 Aug 24)
CSS: Make the black less aggressive Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (21 Aug 24)
services.cgi: Search for suricata by its PID suricata renames itself and therefore we cannot find the process by its name. Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (21 Aug 24)
vpnmain.cgi: Fix colouring of the connection status when disconnected Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (21 Aug 24)
unbound-dhcp-leases-bridge: Watch unbound This patch adds a watcher thread which monitors if Unbound is still alive. If not, it will wait until Unbound comes back, rewrite the leases file and reload Unbound to get it back into sync. Afterwards Unbound will receive updates as usual. Signed-off-by: Michael Tremer <[email protected]>
- Michael Tremer (20 Aug 24)
make.sh: Remove all traces of KCFG This variable is no longer being used and has been abused way too much in the past. May it rest in pieces. Signed-off-by: Michael Tremer <[email protected]>
IPFire Website
Website
www.ipfire.org - Welcome to IPFire
IPFire is a hardened, versatile, state-of-the-art Open Source firewall based on Linux.
Redirects
Does not redirect
Security Checks
All 66 security checks passed
Server Details
- IP Address 81.3.27.38
- Hostname fw01.ipfire.org
- Location Datteln, Nordrhein-Westfalen, Germany, EU
- ASN AS24679
Associated Countries
- US
- GB
- DE
Safety Score
Website marked as safe
100%
Blacklist Check
www.ipfire.org was found on 0 blacklists
- ThreatLog
- OpenPhish
- PhishTank
- Phishing.Database
- PhishStats
- URLhaus
- RPiList Not Serious
- AntiSocial Blacklist
- PhishFeed
- NABP Not Recommended Sites
- Spam404
- CRDF
- Artists Against 419
- CERT Polska
- PetScams
- Suspicious Hosting IP
- Phishunt
- CoinBlockerLists
- MetaMask EthPhishing
- EtherScamDB
- EtherAddressLookup
- ViriBack C2 Tracker
- Bambenek Consulting
- Badbitcoin
- SecureReload Phishing List
- Fake Website Buster
- TweetFeed
- CryptoScamDB
- StopGunScams
- ThreatFox
- PhishFort
More Self-Hosted Network Security
- Network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole. Pi-Hole can significantly speed up your internet, remove ads and block malware. It comes with a nice web interface and a mobile app with monitoring features, it's open source, easy to install and very widely used.
- Another DNS server for blocking privacy-invasive content at its source. Technitium doesn't require much of a setup, and basically works straight out of the box, it supports a wide range of systems (and can even run as a portable app on Windows). It allows you to do some additional tasks, such as add local DNS addresses and zones with specific DNS records. Compared to Pi-Hole, Technitium is very lightweight, but lacks the deep insights that Pi-Hole provides, and has a significantly smaller community behind it.
- A simple way to set up a home VPN on any Debian server. Supports OpenVPN and WireGuard with elliptic curve encryption keys up to 512 bit. Supports multiple DNS providers and custom DNS providers - works nicely along-side PiHole.
- Powerful open source web content filter.
- Widely used, open source firewall/router.
- Detect if you have a malware-infected computer on your network, and powerful network analysis framework and monitor.
- Open-source self-hosted VPN and firewall built on WireGuard®.
About the Data: IPFire
API
You can access IPFire's data programmatically via our API.
Simply make a GET request to:
https://api.awesome-privacy.xyz/networking/self-hosted-network-security/ipfire
The REST API is free, no-auth and CORS-enabled. To learn more, view the Swagger Docs or read the API Usage Guide.
About the Data
Beyond the user-submitted YAML you see above, we also augment each listing with additional data dynamically fetched from several sources. To learn more about where the rest of data included in this page comes from, and how it is computed, see the About the Data section of our About page.