On this page, you will find all fundings that have already ended.


GeoIP-based firewall rules


This crowd-funding feature is supposed to make your firewall ruleset smaller and more effective with geographically based blocking: GeoIP Block

Attackers originate from all sorts of places in the world. Often huge networks of bots scan the entire Internet for services that are publicly accessible and possible to exploit. With GeoIP-based blocking it is possible to mitigate many of those scans to take off the load of the firewall engine and to secure the services your network is offering.

In short terms: All packets that originate from an IP network registered in that country are dropped. As an example, this enables you to allow connecting to your OpenVPN server just from your own country and not from anywhere else in the world. Outgoing connections will not be filtered so that surfing on foreign sites is not affected.

It will be possible to enable this feature globally for the entire firewall ruleset or for indiviual rules, incoming and outgoing at the same time. So here are some more pretty neat use cases:

  • Stop malware. Some malicious software connects to command and control (C&C) servers in certain countries. Creating an outgoing rule that stops access from the local networks to those countries and a certain port number will stop that.
  • Allow access to remote administrations just from your own country. Unless you are travelling you will still be able to access those services from almost anywhere, but it will not work to scan your IP address for any open services from abroad.
  • If you operate a mail server which receives lots of spam from countries you usually don’t communicate that much with, you can combine the GeoIP-Block feature with the rate-limiting feature that was recently introduced. If more than a certain number of connects from that country to your mail server are open (let us say just one), you can drop all the rest. Receiving email from there will still be possible with a delay, but huge spam botnets that send you spam email in bulk will not be able to send that much spam any more.

The other features of the new firewall GUI and this new GeoIP-Block feature together make the IPFire firewall once again more powerful and enhance its use-case. Please help us implementing this feature with your donation.


Hosting for 2015


The IPFire developers payed for the main server that serves the project by themselves since the very beginning. It would help us very much getting supported with that, so here is the wish:

We pay for a dedicated machine, that hosts the essential parts of the project which is the presence on the web (website, wiki, forums, fireinfo, …). It is also used as the main mirror server.


Hosting a whole distribution is a much more advanced task than hosting a smaller project which offers only one tarball for download. Thus, Sourceforge or similar platforms are not an option for us. They would limit the project in the way we like it to be. Fireinfo is only one service which would not be possible in case we didn’t have our document-based database system for example.

We would also not be able to have our nice build infrastructure which makes the IPFire developers even more productive and is going to play a big role in the future.

Altogether, funding this part of the IPFire infrastructure would help us a lot. We still have to run the rest of the build systems and backup infrastructure. So any help is appreciated.


Integration of a DNSSEC validating DNS proxy


Pledge for integrating a DNSSEC validating DNS proxy into IPFire that secures the DNS system. Modifications of dnsmasq are necessary.


IPFire is currently using dnsmasq as a forwarding DNS proxy. That means that if there is a DNS query coming from the local network, it will be forwarded to an upstream DNS server and the response will be cached by dnsmasq. If the same or an other hosts asks for the same things again, the reply will be delivered from the local cache.

It is possible to poison that cache and possible to forge DNS responses so that users can be hijacked and data fraud can happen. The technique to prevent this is called DNSSEC:

It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

We would like to enable IPFire to validate the DNS responses so that the local networks are protected against fraud and those attacks on the DNS system. However, we need some modifications on dnsmasq to read the DHCP leases file. We therefore ask for your support to make this happen.

This is short video that explains how DNSSEC works.


Hosting 2014


The IPFire developers payed for the main server that serves the project by themselves since the very beginning. It would help us very much getting supported with that, so here is the wish:

We pay for a dedicated machine, that hosts the essential parts of the project which is the presence on the web (website, wiki, forums, fireinfo, …). It is also used as the main mirror server.


Hosting a whole distribution is a much more advanced task than hosting a smaller project which offers only one tarball for download. Thus, Sourceforge or similar platforms are not an option for us. They would limit the project in the way we like it to be. Fireinfo is only one service which would not be possible in case we didn’t have our document-based database system for example.

We would also not be able to have our nice build infrastructure which makes the IPFire developers even more productive and is going to play a big role in the future.

Altogether, funding this part of the IPFire infrastructure would help us a lot. We still have to run the rest of the build systems and backup infrastructure. So any help is appreciated.

The server is EUR 64 per month.


New Server Hardware


We are crowdfunding a new hosting infrastructure for the IPFire project. Find more about why that is needed on the IPFire Planet.

The more we are able to collect, the better will this hosting platform be, so that we don’t need to invest into extending it again in the near future. So all your help is needed to fund the following components:

  • We got donated two servers that will need
    • Four 4TB Harddisks (the bigger the better)
    • Four 256GB SSDs (for our databases)
    • Quad-NICs to interconnect to the other machines on the network

We will also have some shipping costs, labour and costs for smaller parts that are required to refurbish the machines. This does not include the running costs for the year 2016, yet.

These machines will be the basis for the IPFire Project where we will run all our public services like our web services, our jabber server, our build systems and many things more that are vital to run this project. We are looking forward to the support of you, the IPFire community.