On this page, you will find all funding campaigns that have already ended.

GeoIP-based firewall rules

This crowd-funding feature is supposed to make your firewall ruleset smaller and more effective with geographically based blocking: GeoIP Block

Attackers originate from all sorts of places in the world. Often huge networks of bots scan the entire Internet for services that are publicly accessible and possible to exploit. With GeoIP-based blocking it is possible to mitigate many of those scans, to take load off the firewall engine and to secure the services your network is offering.

In short: all packets that originate from an IP network registered in a blocked country are dropped. As an example, this enables you to allow connections to your OpenVPN server just from your own country and not from anywhere else in the world. Outgoing connections will not be filtered so that surfing on foreign sites is not affected.

It will be possible to enable this feature globally for the entire firewall ruleset or for individual rules, incoming and outgoing at the same time. So here are some more pretty neat use cases:

  • Stop malware. Some malicious software connects to command and control (C&C) servers in certain countries. Creating an outgoing rule that stops access from the local networks to those countries and a certain port number will stop that.
  • Allow access to remote administrations just from your own country. Unless you are travelling you will still be able to access those services from almost anywhere, but it will not work to scan your IP address for any open services from abroad.
  • If you operate a mail server which receives lots of spam from countries you usually don’t communicate that much with, you can combine the GeoIP-Block feature with the rate-limiting feature that was recently introduced. If more than a certain number of connects from that country to your mail server are open (let us say just one), you can drop all the rest. Receiving email from there will still be possible with a delay, but huge spam botnets that send you spam email in bulk will not be able to send that much spam any more.
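The use cases above, sketched as a small rule evaluator. This is an added example, not IPFire code: the rule format, the GeoIP table (documentation prefixes mapped to the constructed country codes DE, XA and XB, with DE assumed to be the administrator's own country) and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed GeoIP table: documentation prefixes, made-up country assignments.
GEOIP = [
    (ipaddress.ip_network("192.0.2.0/24"), "DE"),     # assumed "own country"
    (ipaddress.ip_network("198.51.100.0/24"), "XA"),
    (ipaddress.ip_network("203.0.113.0/24"), "XB"),
]

def country_of(addr):
    """Country code of the longest matching prefix, or None if unregistered."""
    ip = ipaddress.ip_address(addr)
    hits = [(net.prefixlen, cc) for net, cc in GEOIP if ip in net]
    return max(hits)[1] if hits else None

# Hypothetical rule format. "negate" inverts the country match; "limit" turns
# the rule into a per-country cap on simultaneously open connections.
RULES = [
    # OpenVPN reachable from the own country only.
    {"dir": "in", "port": 1194, "countries": {"DE"}, "negate": True},
    # Mail: at most one open connection from country XA, drop the rest.
    {"dir": "in", "port": 25, "countries": {"XA"}, "negate": False, "limit": 1},
    # Outgoing: local networks may not reach this port in country XB.
    {"dir": "out", "port": 6667, "countries": {"XB"}, "negate": False},
]

def decide(direction, remote_ip, port, open_conns):
    """Return "DROP" or "ACCEPT" for a new connection.

    open_conns is a Counter of (country, port) -> connections currently open.
    """
    cc = country_of(remote_ip)
    for rule in RULES:
        if rule["dir"] != direction or rule["port"] != port:
            continue
        # An address missing from the table (cc is None) is never "in" the
        # allowed set, so a negated rule treats it as foreign and drops it.
        if (cc in rule["countries"]) == rule["negate"]:
            continue
        if "limit" in rule and open_conns[(cc, port)] < rule["limit"]:
            continue  # still below the cap: let this connection through
        return "DROP"
    return "ACCEPT"  # anything no rule matched is left alone
```

Note the behaviour for addresses that are in no GeoIP range: an allow-only-my-country rule drops them, so a stale database fails closed for inbound services.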

The other features of the new firewall GUI and this new GeoIP-Block feature together make the IPFire firewall once again more powerful and broaden its use cases. Please help us implement this feature with your donation.

RAID support for high-availability

With this wish we would like to fund working on supporting software-based RAID for IPFire.

IPFire is widely used in the professional area. Enterprises rely on the great software but sometimes forget that reliable hardware is required, too. Hard disks are one of the components most likely to fail, which then results in a long downtime until the system has been reinstalled and set up again. This could cause huge costs because of idle employees.

To overcome this problem we would like to implement RAID support for IPFire right in the installer of the system. This will enable everyone to install IPFire on a RAID-1 setup with two hard disks or SSDs. We are going to use software RAIDs for this purpose because of various issues with hardware RAID controllers. Those are fragile and if they break they require owning an identical second one to back up data from the disks. With the software-based approach, you will be able to use any Linux system to mount the disks again and recover any data if required. Software RAIDs are also usually much faster with modern hardware and of course save you a lot of money because they do not require any additional hardware. Hardware RAID controllers are usually very expensive.

We are also planning on having good monitoring in case any device fails. The administrator of the system will then see an alert notification that a disk has failed and needs replacement.

Please help us fund this wish. The new functionality will help IPFire to become even more suitable for use in companies where high availability is an important requirement. This is a great solution which works for everyone, will additionally boost the disk performance and saves you from buying an expensive hardware RAID controller.

Integration of a DNSSEC validating DNS proxy

Pledge for integrating a DNSSEC validating DNS proxy into IPFire that secures the DNS system. Modifications of dnsmasq are necessary.

IPFire is currently using dnsmasq as a forwarding DNS proxy. That means that if there is a DNS query coming from the local network, it will be forwarded to an upstream DNS server and the response will be cached by dnsmasq. If the same or another host asks for the same thing again, the reply will be delivered from the local cache.

It is possible to poison that cache and to forge DNS responses so that users can be hijacked and data fraud can happen. The technique to prevent this is called DNSSEC:

It is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.

We would like to enable IPFire to validate the DNS responses so that the local networks are protected against fraud and those attacks on the DNS system. However, we need some modifications to dnsmasq to read the DHCP leases file. We therefore ask for your support to make this happen.

This is a short video that explains how DNSSEC works.

Hosting 2014

The IPFire developers have paid for the main server that serves the project by themselves since the very beginning. It would help us very much to get support with that, so here is the wish:

We pay for a dedicated machine that hosts the essential parts of the project, which is the presence on the web (website, wiki, forums, fireinfo, …). It is also used as the main mirror server.

Hosting a whole distribution is a much more advanced task than hosting a smaller project which offers only one tarball for download. Thus, Sourceforge or similar platforms are not an option for us. They would limit the project in the way we like it to be. Fireinfo, for example, is only one service which would not be possible if we didn’t have our document-based database system.

We would also not be able to have our nice build infrastructure which makes the IPFire developers even more productive and is going to play a big role in the future.

Altogether, funding this part of the IPFire infrastructure would help us a lot. We still have to run the rest of the build systems and backup infrastructure. So any help is appreciated.

The server is EUR 64 per month.

New Server Hardware

We are crowdfunding a new hosting infrastructure for the IPFire project. Find more about why that is needed on the IPFire Planet.

The more we are able to collect, the better this hosting platform will be, so that we don’t need to invest into extending it again in the near future. So all your help is needed to fund the following components:

  • We were donated two servers that will need:
    • Four 4TB Harddisks (the bigger the better)
    • Four 256GB SSDs (for our databases)
    • Quad-NICs to interconnect to the other machines on the network

We will also have some shipping costs, labour and costs for smaller parts that are required to refurbish the machines. This does not yet include the running costs for the year 2016.

These machines will be the basis for the IPFire Project where we will run all our public services like our web services, our jabber server, our build systems and many more things that are vital to run this project. We are looking forward to the support of you, the IPFire community.