IPFire is not only an app that you install, it is a whole operating system based on Linux, hardened and tuned to the maximum to serve as a firewall. Regular updates help keeping even the hardest kind of hacker out. The stateful inspection firewall that is working inside IPFire is one of the fastest of its kind. Configuration of even complex rulesets becomes easy with groups for hosts and services on the network and help you to keep things in order, even when it gets complicated.
About IPFire_
IPFire is a professional-grade open-source firewall and security platform trusted by thousands of organizations, businesses, and individuals around the world. Designed with a strong focus on security, performance, and flexibility, IPFire adapts to networks of all sizes—from home offices to global enterprises.
Developed and maintained by a passionate team and a vibrant community, IPFire is constantly evolving to meet today’s cybersecurity challenges. Whether you’re looking to secure a single connection or an entire infrastructure, IPFire has your back.
Advanced Firewall Engine
Based on Linux Netfilter, IPFire allows fine-grained control over incoming and outgoing traffic with support for zones, port forwarding, NAT, and stateful packet inspection.
Secure and Scalable VPN Support
IPFire supports IPsec and OpenVPN for secure site-to-site or remote access VPNs, with support for hardware acceleration and post-quantum cryptography.
Intrusion Detection & Prevention System
Powered by Suricata, IPFire detects and blocks malicious traffic in real-time using up-to-date rule sets, helping stop attacks before they cause damage.
Modular Add-on System
Customize IPFire to your needs with a wide range of installable add-ons — from monitoring tools to backup utilities.
Web Proxy with Content Filtering
IPFire includes a Squid proxy with optional URL filtering (via URLFilter or SquidGuard), helping organizations enforce usage policies and block harmful or inappropriate content.
Traffic Shaping & QoS
Prioritize essential services like VoIP or video conferencing with IPFire’s traffic shaping capabilities, ensuring bandwidth is used efficiently even under load.
Role-based Network Zones
With its unique concept of zones (Red, Green, Blue, Orange), IPFire simplifies complex firewall rules by assigning roles to networks (e.g., trusted, DMZ, Wi-Fi).
Regular Security Updates
IPFire is maintained by a dedicated team focused on security. Updates are released frequently to patch vulnerabilities and keep your systems secure.
Real-time Monitoring & Logging
Built-in tools let you monitor bandwidth usage, connections, intrusion attempts, and more — all through a user-friendly web interface.
Easy-to-Use Web Interface
IPFire provides a clean, intuitive interface for managing all aspects of your firewall — no need to touch the command line unless you want to.
Meet The Team Behind IPFire
IPFire is developed by a dedicated team of experts from around the world, united by a shared mission: to build the most secure and reliable Open Source firewall. But we’re not alone—our vibrant community plays a crucial role in making IPFire what it is today.
Michael Tremer
Arne Fitzenreiter
Stefan Schantl
Jonatan Schlag
Peter Müller
Adolf Belka
Christian Schmidt
Silvio Rechenbach
Heiner Schmeling
Kim Barthel
Sebastian Winter
Jan Paul Tücking
Robert Möker
Erik Kapfer
Alfred Haas
Daniel Weismüller
Bernhard Bitsch
Matthias Fischer
Alexander Marx
Timo Eissler
Wolfgang Apolinarski
Florian Bührle
Jon Murphy
Stephane Pautrel
Leo Hofmann
Adam Gibbons
Rico Hoppe
Stephen Cuka
The Technology Inside IPFire
Network Security
- Stateful inspection firewall
-
Builtin network segmentation
- Demilitarized Zone (DMZ)
- Separate network for wireless devices/guest network
- Flexible rule creating with groups and visual aids
- Intrusion Prevention System
- Rate Limiting to Protect Servers from DoS attacks and Maximum Connection Limits
- SYN-flood Protection New
- Country-based Firewall Rules
- Source and Destination NAT Rules
- Time-based Firewall Rules
- MAC address-based Firewall Rules
- Blocking of P2P Networks
- Connection Logging
Network Features
- VLAN (802.1q)
- Port Bridging
- Spanning Tree Protocol Support
- Wireless Access Point
- Live Connection Tracking
- Static Routes
- Dynamic Routing with Bird or FRR using BGP/OSPF
-
DHCP Server
- Static Leases
- DNS Update (RFC2136)
- Support for DHCP Options
- Network Time Server (NTP)
- Dynamic DNS Client with support for many providers
-
Captive Portal
- Terms & Conditions or Coupon
- Customizable to your corporate design
- Coupon Code Export in PDF Format
- Flexible Coupon Expiry Times
- Wake-on-LAN (WOL)
Web Proxy
- Transparent Mode
- Support for Upstream Proxies with Authentication
- Advanced Logging
- In Memory and on Disk Cache
-
Network-based Access Control (ACL)
- By IP Address
- By MAC Address
- Ban/Allow List
- Time-based Rules
- Transfer Limits based on File Size
- Download Throttling per Network Zone or Host
- Anomaly Detection based on AS Information
- MIME Type Filter
- Classroom Extensions
- Web Proxy Auto-Discovery Protocol (WPAD)
- Proxy Auto-Config (PAC)
-
Authentication
- Local User Database
- Microsoft Windows Active Directory
- LDAP
- RADIUS
-
Advanced Content Filtering
- Blocklist-based Access Blocking
- Support for Various Blocklist Providers
- Automatic List Update
- Custom Blocklists
- Custom Allowlists
- Custom Expression Lists
- Filter by File Extension
- Custom Error Page
-
Advanced Update Caching
- Microsoft Windows
- Apple Operating Systems
- Adobe
- Mozilla
- Various Anti-Virus Signatures including Avast, Avira, AVG, McAffee, Trend Micro, and Symantec
WAN Features
- Support for Fibre, DSL, Cable and 5G/4G/3G
- Multiple Public IP Addresses
- Automatic failover for dialup connections
- User-Assignable MAC Address
VPN
-
IPsec
- Net-to-Net and Net-to-Host Mode
- Support for IKEv2 and IKEv1
- Public Key and Pre-Shared-Secret Authentication
-
Encryption
- AES (CBC, GCM)
- ChaCha20-Poly1305
- Camellia
- 3DES
-
Integrity
- SHA2 512/384/256 Bit
- AES XCBC
- SHA1
- MD5
-
Key Exchange
- MLKEM for Post-Quantum Cryptography New
- Curve-25519, Curve-448
- NIST ECP-521, 384, 256, 224, or 192 Bit
- Brainpool ECP-512, 384, 256, or 224 Bit
- RSA 8192, 6144, 4096, 3072, 2048, 1536, 1024, or 768 Bit
- Hardware-accelerated Encryption
- Tunnel and Transport Mode
- Encapsulation with GRE and VTI
- Dead Peer Detection
- Perfect Forward Secrecy
- MOBIKE
- On-demand mode
- Payload Compression
- Easy connection export to Apple Mac OS/iOS devices
-
OpenVPN
- Net-to-Net and Net-to-Host Mode
- Public Key Authentication
-
Encryption
- AES (CBC, GCM)
- Camellia
- SEED
- DES/3DES
- Blowfish
- CAST5
-
Integrity
- SHA2 512, 384, or 256 Bit
- Whirpool
- SHA1
- TLS Authentication
- TLS Channel Protection
- LZO Compression
- Configuration Export/Import in ZIP Format
Quality of Service (QoS)
- Inbound & Outbound Traffic Shaping
- Latency Minimization
- Classify Traffic by IP Address, Protocol, or Ports
- Layer7 Protocol Detection
Intrusion Prevention System
- Live Deep Packet Analysis
- Graphical Rule Editor
- Support for Various Rule Providers
- Automatic Ruleset Updates
DNS
- Internal DNSSEC-validating DNS proxy
- Caching for faster DNS response times
- Local hostnames
- DNS Forwarding for Zones
- Configuration of multiple upstream DNS recursors
- Recursor/Standalone Mode
- DNS-over-TLS, TCP or UDP
- Agressive NSEC
- SafeSearch
- QNAME Minimization
Operating System
- Comfortable Web User Interface in various languages
- Simple One-Click Updates
- Configuration Backup and Restore
- Detailed System Health Reports and Graphs
- Console Access with SSH
- Serial Console
- Hardware Vulnerability Reporting
- Email Notifications
- Remote Syslog
- SNMP/Zabbix/Observium Monitoring