About IPFire_

The Open Source Firewall

IPFire_ is the world's leading Open Source firewall distribution. Businesses across the world have chosen to put their trust in our versatile, feature-rich solution with its easy-to-use web management console. Why not join them today?

Security by Design

Network segmentation is the key to a secure network. IPFire sets up a DMZ for your local infrastructure or a guest network for any visitors separating and protecting other parts of your network.

Industry-Leading Firewall Engine

Our stateful packet inspection firewall engine analyses traffic for the latest threats and performs deep packet inspection in real time. Due to our smart user interface, creating even complex setups is quick and straight-forward.

We Connect the World

We securely connect your employees to their desks at home, your global business partners and the infrastructure in your data centre, giving you maximum flexibility so that you can focus on what really matters.

Easy to Use

IPFire is managed over a web-based console which is powerful, yet easy to use. Each feature is just one click away. Advanced reporting and real time graphs give you detailed insight into your network.

Supporting Global Standards

Commonly deployed in businesses and educational organisations of all sizes, IPFire interoperates perfectly with solutions from other vendors making it an ideal drop-in replacement.

Free As In Freedom

IPFire is free software. Our community develops and reviews all changes going into the code base and IPFire is regularly audited by independent third parties. Become a part of the community and help us to continue improving IPFire!


Meet The Team

IPFire is built by a group of experts from various backgrounds and places and we could not do it without our great community around us. Support our work with your donation!

Michael Tremer

Arne Fitzenreiter

Stefan Schantl

Jonatan Schlag

Peter Müller

Adolf Belka

Christian Schmidt
Heiner Schmeling
Kim Barthel
Sebastian Winter
Jan Paul Tücking
Robert Möker
Erik Kapfer
Alfred Haas
Daniel Weismüller
Bernhard Bitsch
Matthias Fischer
Alexander Marx
Timo Eissler
Wolfgang Apolinarski
Florian Bührle
Jon Murphy
Stephane Pautrel
Leo Hofmann
Rico Hoppe

Under The Hood

IPFire is not only an app that you install, it is a whole operating system based on Linux, hardened and tuned to the maximum to serve as a firewall. Regular updates help keeping even the hardest kind of hacker out.
The stateful inspection firewall that is working inside IPFire is one of the fastest of its kind. Configuration of even complex rulesets becomes easy with groups for hosts and services on the network and help you to keep things in order, even when it gets complicated.
Network Security
  • Stateful inspection firewall
  • Builtin network segmentation
    • Demilitarized Zone (DMZ)
    • Separate network for wireless devices/guest network
  • Flexible rule creating with groups and visual aids
  • Intrusion Prevention System
  • Rate Limiting to Protect Servers from DoS attacks and Maximum Connection Limits
  • SYN-flood Protection
  • Country-based Firewall Rules
  • Source and Destination NAT Rules
  • Time-based Firewall Rules
  • MAC address-based Firewall Rules
  • Blocking of P2P Networks
  • Connection Logging
Network Features
  • VLAN (802.1q)
  • Port Bridging
  • Spanning Tree Protocol Support
  • Wireless Access Point
  • Live Connection Tracking
  • Static Routes
  • Dynamic Routing with Bird or FRR using BGP/OSPF
  • DHCP Server
    • Static Leases
    • DNS Update (RFC2136)
    • Support for DHCP Options
  • Network Time Server (NTP)
  • Dynamic DNS Client with support for many providers
  • Captive Portal
    • Terms & Conditions or Coupon
    • Customizable to your corporate design
    • Coupon Code Export in PDF Format
    • Flexible Coupon Expiry Times
  • Wake-on-LAN (WOL)
Web Proxy
  • Transparent Mode
  • Support for Upstream Proxies with Authentication
  • Advanced Logging
  • In Memory and on Disk Cache
  • Network-based Access Control (ACL)
    • By IP Address
    • By MAC Address
    • Ban/Allow List
  • Time-based Rules
  • Transfer Limits based on File Size
  • Download Throttling per Network Zone or Host
  • Anomaly Detection based on AS Information
  • MIME Type Filter
  • Classroom Extensions
  • Web Proxy Auto-Discovery Protocol (WPAD)
  • Proxy Auto-Config (PAC)
  • Authentication
    • Local User Database
    • Microsoft Windows Active Directory
    • LDAP
    • RADIUS
  • Advanced Content Filtering
    • Blocklist-based Access Blocking
    • Support for Various Blocklist Providers
    • Automatic List Update
    • Custom Blocklists
    • Custom Allowlists
    • Custom Expression Lists
    • Filter by File Extension
    • Custom Error Page
  • Advanced Update Caching
    • Microsoft Windows
    • Apple Operating Systems
    • Adobe
    • Mozilla
    • Various Anti-Virus Signatures including Avast, Avira, AVG, McAffee, Trend Micro, and Symantec
WAN Features
  • Support for Fibre, DSL, Cable and 5G/4G/3G
  • Multiple Public IP Addresses
  • Automatic failover for dialup connections
  • User-Assignable MAC Address
  • IPsec
    • Net-to-Net and Net-to-Host Mode
    • Support for IKEv2 and IKEv1
    • Public Key and Pre-Shared-Secret Authentication
    • Encryption
      • AES (CBC, GCM)
      • ChaCha20-Poly1305
      • Camellia
      • 3DES
    • Integrity
      • SHA2 512/384/256 Bit
      • AES XCBC
      • SHA1
      • MD5
    • Key Exchange
      • Curve-25519, Curve-448
      • NIST ECP-521, 384, 256, 224, or 192 Bit
      • Brainpool ECP-512, 384, 256, or 224 Bit
      • RSA 8192, 6144, 4096, 3072, 2048, 1536, 1024, or 768 Bit
    • Hardware-accelerated Encryption
    • Tunnel and Transport Mode
    • Encapsulation with GRE and VTI
    • Dead Peer Detection
    • Perfect Forward Secrecy
    • MOBIKE
    • On-demand mode
    • Payload Compression
    • Easy connection export to Apple Mac OS/iOS devices
  • OpenVPN
    • Net-to-Net and Net-to-Host Mode
    • Public Key Authentication
    • Encryption
      • AES (CBC, GCM)
      • Camellia
      • SEED
      • DES/3DES
      • Blowfish
      • CAST5
    • Integrity
      • SHA2 512, 384, or 256 Bit
      • Whirpool
      • SHA1
    • TLS Authentication
    • TLS Channel Protection
    • LZO Compression
    • Configuration Export/Import in ZIP Format
Quality of Service (QoS)
  • Inbound & Outbound Traffic Shaping
  • Latency Minimization
  • Classify Traffic by IP Address, Protocol, or Ports
  • Layer7 Protocol Detection
Intrusion Prevention System
  • Live Deep Packet Analysis
  • Graphical Rule Editor
  • Support for Various Rule Providers
  • Automatic Ruleset Updates
  • Internal DNSSEC-validating DNS proxy
  • Caching for faster DNS response times
  • Local hostnames
  • DNS Forwarding for Zones
  • Configuration of multiple upstream DNS recursors
  • Recursor/Standalone Mode
  • DNS-over-TLS, TCP or UDP
  • Agressive NSEC
  • SafeSearch
  • QNAME Minimization
Operating System
  • Comfortable Web User Interface in various languages
  • Simple One-Click Updates
  • Configuration Backup and Restore
  • Detailed System Health Reports and Graphs
  • Console Access with SSH
  • Serial Console
  • Hardware Vulnerability Reporting
  • Email Notifications
  • Remote Syslog
  • SNMP/Zabbix/Observium Monitoring