About IPFire

Because IPFire is more t han just a f irewal l

IPFire An Open Source Firewall Dist ribut ion
IPFire was designed wit h bot h modularit y and a high-level of f lexibilit y in mind. You can easily
deploy many variat ions of it , such as a f irewall, a proxy server or a VPN gat eway. The modular
design ensures t hat it runs exact ly what you' ve conf igured it f or and not hing more.
Everyt hing is simple t o manage and updat e t hrough t he package manager, making
maint enance a breeze.
The IPFire development t eam underst ands t hat securit y means dif f erent t hings t o dif f erent
people and cert ainly can change over t ime. The f act t hat IPFire is modular and f lexible make it
perf ect f or int egrat ing int o any exist ing securit y archit ect ure. Don' t f orget t hat ease-of -use is
a key principle. If all t his sounds a lit t le t oo much f or you, IPFire comes wit h great def ault
set t ings out -of -t he-box, meaning it ' s a snap t o get going quickly!
Above are some links t hat we encourage you t o click t hrough. Please t ake a look at all of t he
f eat ures and possibilit ies which IPFire of f ers f or your net work.
Securit y
The primary object ive of IPFire is securit y. As t here is of course no one, single way t o achieve
net work securit y, it is import ant f or a net work administ rat or t o underst and t heir environment
and what t he t ermsecurit y means in t he cont ext of t heir own net work. IPFire f orms t he base
of a secure net work. It has t he power t o segment net works based on t heir respect ive
securit y levels and makes it easy t o creat e cust om policies t hat manage each segment (see
t he Firewall page f or more inf ormat ion).
Securit y of t he modular component s is a t op priorit y. Updat es are digit ally signed and
encrypt ed, as well as can be aut omat ically inst alled by Pakf ire (t he IPFire package
management syst em). Since IPFire is t ypically direct ly connect ed t o t he Int ernet , it is going t o
be a primary t arget f or hackers and ot her t hreat s. The simple Pakf ire package manager helps
administ rat ors f eel conf ident t hat t hey are running t he lat est securit y updat es and bug f ixes
f or all of t he component s t hey ut ilize.
IPFire 2.15 - Core Updat e 77 Since IPFire 2.15 (ht t p:/ / planet .ipf ire.org/ post / f eat ure-
highlight s-ipf ire-2-15-1-hardening-t he-syst em), t he IPFire Linux kernel is pat ched wit h t he
grsecurit y (ht t p:/ / grsecurit y.net ) pat chset , which pro-act ively hardens t he kernel against
various f orms of at t acks. Most import ant ly, it prot ect s f rom zero-day exploit s by eliminat ing
ent ire bug classes and exploit vect ors. It makes st ack buf f er overf lows almost impossible t o
exploit and comes wit h st rict access cont rols, t hat make it harder f or at t ackers t o cause
harm t o t he syst em.
About IPFire
Firewall
IPFire employs a St at ef ul Packet Inspect ion (SPI) f irewall, which is built on t op of net f ilt er
(t he Linux packet f ilt ering f ramework).
During t he inst allat ion of IPFire, t he net work is conf igured int o dif f erent , separat e segment s.
This segment ed securit y scheme means t hat t here is a perf ect place f or each machine in t he
net work. These dif f erent segment s may be enabled separat ely, depending on your
requirement s. Each segment represent s a group of comput ers who share a common securit y
level:
Green Green represent s a "saf e" area. This is where all regular client s will reside. It is
usually comprised of a wired, local net work. Client s on Green can access all
ot her net work segment s wit hout rest rict ion.
Red Red indicat es "danger" or t he connect ion t o t he Int ernet . Not hing f rom Red is
permit t ed t o pass t hrough t he f irewall unless specif ically conf igured by t he
administ rat or.
Blue Blue represent s t he "wireless" part of t he local net work (chosen because it ' s
t he color of t he sky). Since t he wireless net work has t he pot ent ial f or abuse, it
is uniquely ident if ied and specif ic rules govern client s on it . Client s on t his
net work segment must be explicit ly allowed bef ore t hey may access t he
net work.
Orange Orange is ref erred t o as t he "demilit arized zone" (DMZ). Any servers which are
publicly accessible are separat ed f rom t he rest of t he net work here t o limit
securit y breaches.
IPFire 2.15 - Core Updat e 77 Wit h IPFire 2.15, t he graphical user int erf ace has been
complet ely rewrit t en and massively ext ended wit h new f unct ionalit y. It is now possible t o
manage groups of host s or services. That makes it simpler t o creat e many similar rules f or a
great number of host s, net works or services.
Managing f irewall rules has never been easier bef ore.
Because even wit h a big number of rules, t he conf igurat ion remains easily manageable and
t hat makes it possible t o build more rest rict ive conf igurat ions wit hout losing cont rol.
Securit y
Firewall
Pakf ire
Updat es
Dialup
Web Proxy
Crypt ography
VPN
Int rusion Det ect ion
Qualit y of Service
Hardware
Virt ualizat ion
Wireless Access Point
Addit ionally, t he f irewall can be used t o cont rol out bound Int ernet access f rom any segment .
This f eat ure gives t he net work administ rat or complet e cont rol over how t heir net work is
conf igured and secured.
Firewall Document at ion (ht t p:/ / wiki.ipf ire.org/ en/ conf igurat ion/ f irewall/ st art )
(ht t p:/ / st at ic.ipf ire.org/ st at ic/ images/ screenshot s/ en/ f irewall/ rules.png?v=e8c6d)
(ht t p:/ / st at ic.ipf ire.org/ st at ic/ images/ screenshot s/ en/ f irewall/ new-rule.png?v=8db69)
(ht t p:/ / st at ic.ipf ire.org/ st at ic/ images/ screenshot s/ en/ f irewall/ service-groups.png?v=4534e)
(ht t p:/ / st at ic.ipf ire.org/ st at ic/ images/ screenshot s/ en/ f irewall/ host -groups.png?v=005e6)
Pakf ire The IPFire package management syst em
From a t echnical point of view, IPFire is a minimalist ic, hardened f irewall syst em which comes
wit h an int egrat ed package manager called Pakf ire. The primary t ask of Pakf ire is t o updat e
t he syst em wit h only a single click. It is very easy t o inst all securit y pat ches, bugf ixes and
f eat ure enhancement s (/ f eat ures/ updat es), which make IPFire saf er and f ast er - or simply:
bet t er.
(ht t p:/ / st at ic.ipf ire.org/ st at ic/ images/ screenshot s/ en/ f irewall/ connect ions-1.png?v=6707c)
Anot her t ask of Pakf ire is t o inst all addit ional sof t ware t hat adds new f unct ionalit y t o t he
IPFire syst em. Some usef ul of t hem are:
File sharing services such as Samba and vsf t pd
Communicat ions server using Ast erisk
Various command-line t ools as t cpdump, nmap, t racerout e and many more.
(ht t p:/ / st at ic.ipf ire.org/ st at ic/ images/ screenshot s/ en/ pakf ire/ pakf ire-overview-1.png?
v=bed95)
Pakf ire as a buil d syst em
The next major release of IPFire will also ship a new generat ion of t he Pakf ire packagement
syst em. This new generat ion has been made f ast er, more secure, more easy t o handle and
adds a whole bunch of new f eat ures.
One of t his f eat ures is t hat pakf ire is now t he buildsyst em as well. Having a cust omized build
syst em f or t he needs of IPFire and t he IPFire developers improved t he development process
very much. Building new packages became a lot more easy and less t ime-consuming.
Qualit y assurance became more social right now. Check it out at pakf ire.ipf ire.org
(ht t p:/ / pakf ire.ipf ire.org/ ).
Updat es
IPFire is based on Linux, which is t he best Open Source kernel around. Addit ionally, IPFire is
not based on any ot her dist ribut ion like Knoppix is on Debian. It is compiled f rom t he sources
of every single package. This comsumes a lot of work, but f inally gives t he opport unit y t o not
rely on t he updat e cycles of ot hers. The advant ages we gain is t hat we are able t o select very
st able versions of sof t ware and build t he dist ribut ion f rom t hem. For example is t he most
(ht t p:/ / st at ic.ipf ire.org/ st at ic/ images/ screenshot s/ en/ pakf ire/ addon-services-1.png?
v=14eb2)
part of t he dist ribut ion quit e well t est ed and long maint ained - in cont rast t o t he kernel
which is very recent and regularly updat ed wit h pat ches t o support as much hardware as
possible and more import ant ly f ix securit y errors.
This is what makes IPFire a very st rong and hardened syst em.
To keep up t hat st rengt h and be prepared f or new hardware (/ f eat ures/ hardware), we give
out t he so called Core Updat es which are issued in about every f our weeks and updat ing
collect ed f ixes. If t here is a securit y emergency, we provide updat es in less t han a day t o
overcome zero-day holes in t he syst em.
All of t he updat es can be inst alled by t he package management syst em (/ f eat ures/ pakf ire)
and users are not if ied by mail. So in all cases, t he updat e is just a simple click and your syst em
is running saf e again.
Dialup
IPFire as an Int ernet Gat eway is able t o dialup t hrough various t echniques t o connect t o t he
Int ernet .
It support s all popular t ypes of broadband access, as well as mobile access:
VDSL VDSL is short f or Very High Dat a Rat e Digit al Subscriber Line and it current ly
of f ers bandwidt h up t o 50 Mbit / s downst ream and 10 Mbit / s upst ream.
VDSL brings t he possibilit y of using new t echnologies such as IPTV. Wit h
IPFire, a convent ional rout er can be replaced by a f ull-f ledged syst em t hat
brings t he IPTV st ream int o your own home net work.
ADSL/ SDSL Convent ional DSL is also support ed, alt hough it is t echnically called also
PPPoE or PPPoA. In some count ries, t he PPTP prot ocol is also widely used
and it is also f ully support ed by IPFire.
Et hernet Over Et hernet , IPFire can also be connect ed t o t he Int ernet and obt ain an
IP address eit her via DHCP or st at ic conf igurat ion.
4G/ 3G Mobile broadband connect ions over USB modems, which are also known
by t he names UMTS, 3G, CDMA, HSDPA or LTE are also support ed by
IPFire.
Web proxy
IPFire includes a f ull-f ledged web proxy, which is t he well-known, open-source sof t ware
Squid. It is used by ISPs, universit ies, schools and large companies use because of it s diversit y,
st abilit y and mat ure development . Even f or small home net works, it is a usef ul f eat ure. In
addit ion t o t he st at ef ul paket inspect ion (SPI) f ilt ering by t he f irewall on t he TCP/ IP layer, t he
web cont ent which is t ransmit t ed over HTTP, HTTPS or FTP can be analyzed and f ilt ered as
well.
Securit y: The client does not query web servers direct ly, it queries t he proxy f irst . The
server response goes back t o t he proxy and not t o t he client , which act ually does not
t echnically even appear on t he Int ernet . A relat ed at t ack would t heref ore primarily
reach t he proxy and not t he client . There are also f unct ions available f or dat a privacy,
which is an signif icant advant age in comparison t o a pure NAT rout er.
Aut hent icat ion: Using t he access list s, t he web proxy can also be conf igured t o allow
access only af t er a user has been aut hent icat ed. At t his point you have t he choice
bet ween LDAP, ident d, Windows, Radius or local aut hent icat ion met hods. The web
proxy can connect , f or example t o a Microsof t Windows domain cont roller and only t he
users of t hat Windows domain can be grant ed access t o t he Int ernet .
Aut horizat ion: If t he Int ernet access needs t o be limit ed t o specif ic t ime of a day, or if
it should be even complet ely disabled f or any client s, is t his easily conf igured by t he
net work-based access cont rol, which can also be f ound on t he IPFire web int erf ace.
A usef ul applicat ion f or t his f eat ure can be f or example, a school classroom.
Logging: Since each access can be logged over t he proxy, possibilit ies f or t he
examinat ion of t he accessed cont ent can be very usef ul, as well as st at ist ics and bills
can be issued af t erwards. Through t he use of a logf ile analyzer named Calamaris, log
f iles can be chart ed by varying crit eria on t he IPFire web int erf ace.
Bandwidt h management : The download management f unct ion allows f or cont rol of
t he bandwidt h t o specif ied zones. Thus, cont ent -based t hrot t ling (f or example f or
binary f iles, CD images or mult imedia cont ent ) is conf igurable wit h bandwidt h limit at ions
f or individual zones or f or each host in a part icular zone.
Cont ent f il t er
SquidGuard is a URL f ilt er add-on which is connect ed via t he redirect or mechanism of t he
proxy. The heart of SquidGuard is somet hing called a "blacklist ." This is a cont ent cont rol list
creat ed by t he of f icial sit e. These list s cont ain a number of cat egorically-classif ied websit es
and can be kept up-t o-dat e aut omat ically. There are dif f erent , independent sources f or pre-
built blacklist s available, which allow among ot her classes f ilt ering f or adult cont ent ,
shopping, warez, social net working, or sit es cont aining violent / abusive cont ent .
Individual ext ensions f or part icular domains or URLs can be set up on t he IPFire web int erf ace
f or blacklist s and whit elist s as well. IPFire also of f ers a black list edit or, t hat makes t he edit ing
and creat ing your own blacklist s quit e easy.
Possible areas of applicat ion f or t he SquidGuard on IPFire are:
Block or rest rict Int ernet cont ent condit ionally by t ime, user and/ or comput ers.
Prevent ing access t o cert ain (eg. yout h-endangering) pages and cont ent cat egories.
Hiding advert ising.
Updat e accel erat or
The Updat e Accelerat or is a f eat ure t hat can great ly accelerat e deploying updat es f or
operat ing syst ems. All downloaded updat es are cached and if request ed anot her t ime, are
delivered f rom t he cache.
For example, Service Packs f or Microsof t Windows (which of t en are several hundred
megabyt es) are cached f or f ut ure ret rieval, as well as virus scanner def init ion updat es and
ot her product updat es which t he syst em aut omat ically ident if ies. This saves a massive amount
of t ime when updat ing large amount s of comput ers (such as corporat e net works).
Transparent virus scanner
The package manager Pakf ire of f ers t he addon SquidClamAV - a virus scanner f or t he web
proxy. This checks in real-t ime all web t raf f ic f or viruses, ut ilizing t he ClamAV virus def init ions
and scanning engine.
The addit ional prot ect ion t o a convent ional virus scanner lies in t he f act t hat t he f iles are
t ransparent ly checked bef ore ever making it t o t he client machine bef ore t he client
machine' s virus scan can be perf ormed. So pot ent ially-malicious f iles are blocked by
SquidClamAV bef ore t he client ' s act ual download.
Crypt ography
Crypt ography is one of t he f oundat ions f or various services like VPNs and secure
communicat ion on t he Int ernet . Theref ore, IPFire is put t ing an emphasis on t his
t opic.
Hardware Accelerat ion
IPFire 2.15 - Core Updat e 77 IPFire can use various crypt o processors like t hose t o be f ound
in AMD Geode CPUs, t he VIA Padlock or CPU ext ensions like AES-NI of recent Int el and AMD
CPUs. These help us t o achieve much bet t er t hroughput where ever dat a is sent t hrough an
encrypt ed t unnel.
List of support ed crypt o hardware (ht t p:/ / wiki.ipf ire.org/ en/ crypt ography/ hardware)
Random Number Generat ors
IPFire 2.15 - Core Updat e 77 IPFire is also able t o use various random hardware number
generat ors t o seed t he kernel' s ent ropy pool. That ent ropy is needed t o generat e secure
keys and speeds up crypt ographic operat ions as well.
List of support ed hardware random number generat ors
(ht t p:/ / wiki.ipf ire.org/ en/ crypt ography/ ent ropy)
VPN Virt ual Privat e Net works
IPFire also includes f unct ionalit y t o creat e virt ual privat e net works (VPN). A VPN is a gat eway
which connect s remot e net works t o t he local one using an encrypt ed link. Uses f or a VPN
include business connect ions t o branch of f ices or dat acent ers, as well as providing t raveling
st af f wit h a secure port al t o t he corporat e net work.
For maximum f lexibilit y, IPFire uses bot h IPsec and OpenVPN prot ocols, giving administ rat ors
maximum f lexibilit y when conf iguring t heir VPN. Use of t hese prot ocols allows IPFire t o
connect t o a variet y of VPN endpoint devices by manuf act urers such as Cisco, Juniper,
Checkpoint , et c.
IPsec
IPsec is a widely-deployed VPN solut ion t hat was originally developed t o be used in
conjunct ion wit h IPv6. Because it was so secure and IPv6 was so slowly deployed, it was
backport ed t o secure IPv4 t raf f ic as well.
In cont rast t o SSL-VPNs, IPsec is hard t o set -up. In IPFire, we t hought about how t o make t his
t echnology easy-t o-use and as a result , t here is a web user int erf ace t hat handles all set t ings
and t akes care of t he rest of t he conf igurat ion f or you. It also keeps t he t unnels alive and re-
est ablishes t hem aut omat ically af t er a remot e sit e has lost t he connect ion. A secure
connect ion t o a branch of f ice, a business part ner, or a home of f ice is done wit hin a couple of
minut es and compat ible wit h all ot her implement at ions.
This high-level of compat ibilit y is achieved by using t he f ree implement at ion called
st rongSwan (ht t p:/ / www.st rongswan.org). It is maint ained by Andreas St ef f en, who is a
prof essor f or securit y in communicat ions and head of t he Inst it ut e f or Int ernet Technologies
and Applicat ions at t he Universit y of Applied Sciences Rapperswil, in Swit zerland.
St rongSwan also works wit h all current , major operat ing syst ems, such as Microsof t Windows
7, Microsof t Windows Vist a and Mac OS X.
OpenVPN
OpenVPN is a f requent ly-encount ered and most popular represent at ive of t he class of Open
Source SSL VPNs. It s relat ive ease of conf igurat ion has again, been made easier by t he IPFire
web int erf ace. The f irewall set t ings are cont rolled by IPFire aut omat ically, as well as t he
required cert if icat es will be generat ed wit h a f ew mouse clicks and can be downloaded and
dist ribut ed as a very compact client package.
Due t o it s high compat ibilit y t o all sort s of operat ing syst ems, such as Microsof t Windows,
Mac OSX, Linux, Android and many more, it is perf ect ly usef ul f or roadwarrior connect ions.
Wit h t hose, it is easy t o connect your lapt op, phone, t ablet or ot her devices t o your company
net work, which makes it easy t o work f rom anywhere in t he world.
But besides connect ing port able devices, OpenVPN can also be used t o securely connect
branches t o t he headquat er. This makes it easy t o access resources on ot her net works
remot ely wit hout any complicat ed conf igurat ion on each client on your local net work.
Int rusion det ect ion syst em
An Int rusion Dect ion Syst em (or IDS), is a piece of sof t ware designed t o det ect at t acks
against comput er syst ems and net works. Thereby t he IDS will analyze t he net work t raf f ic and
search f or at t ack samples. If someone scans t he port s of t he IPFire-Syst em t o see which
services are available, t he IDS will immediat ely not ice it .
An Int rusion Prevent ion Syst em (or IPS), in addit ion t o t he det ect ion syst em, will perf orm
act ions. The IPS get s t he inf ormat ion f rom t he IDS and react s accordingly. That means,
recalling t he example above wit h t he port scan, t he syst em would aut omat ically block t he
at t acker immediat ely in order t o prevent f urt her inquiries.
It is possible t o use IDS and IPS on t he IPFire syst em. We call t his syst em "Int rusion Det ect ion
and Prevent ion Syst em" (or IDPS). A very import ant deput y of t his syst em is Snort , t he f ree
Net work Int rusion Dect ion Syst em (NIDS). It analyzes t he net work t raf f ic and if somet hing
abnormal happens, it will log t he event . IPFire gives you t he possibilit y t o see it very explicit ly
in t he web int erf ace.
For aut omat ic prevent ion, IPFire has an add-on called Guardian which can be inst alled
opt ionally.
An IDPS is a wise addit ion t o t he normal packet f ilt er. It makes int elligent decisions about
incoming and out going net work t raf f ic and how t o deal wit h it .
Qualit y of Service
Qualit y of Service (QoS) is able t o save t he qualit y of a service on one int ernet connect ion.
This means t hat on a highly-ut ilized int ernet connect ion, a service (f or example VoIP) get s a
st able size of bandwidt h, t o t ransf er t he inf ormat ion wit hout delay and wit hout loss. This is
at t he expense of t he ot her dat a f lows on t he line, which is t olerat ed, albeit t ransmit t ed
more slowly (such as a f ile upload t o an FTP server).
QoS does not only increase t he f unct ionalit y of real-t ime services, but also of f ers a lit t le bit
of overall improvement . For example:
Connect ions est ablish much f ast er. This is works very well on busy links.
Connect ions are much more st able. Every service get s a minimum, guarant eed
amount of bandwidt h.
For t he classif icat ion of t he packet s, a Level-7-Filt er is used. It also analyses t he cont ent , as
well as t he source-port s/ IPs, and dest inat ion-port s/ IPs of t he packet s. Wit h t hat analysis, it
will decide if it ' s a long download or a real-t ime prot ocol and t hen subsequent ly det ermines
t he opt imal use of t he connect ion.
To put all in a nut shell, QoS reduces t he lat ency and packet loss of an int ernet connect ion.
This is cert ainly a f unct ion t hat you don' t want t o miss where bandwidt h is limit ed.
Hardware
Since IPFire is based on a recent version of t he Linux kernel, it support s most of t he lat est
hardware such as 10Gbit net work cards and a variet y of wireless hardware out of t he box.
The IPFire developers are very concerned wit h t he abilit y t o run IPFire as many syst em
variat ions as possible. This helps IPFire t o run on older or cheap hardware, as well as high-
perf ormance syst ems.
Minimum syst em requirement s are an Int el Pent ium I (i586), 128MB RAM and 2GB hard drive
space.
Some add-ons have ext ra requirement s t o perf orm smoot hly. On a syst em t hat f it s t he
hardware requirement s, IPFire is able t o serve hundreds of client s simult aneously.
Heads up: More archit ect ures in development !
The IPFire project is always int erest ed in creat ing syst ems which save t he environment . The
ARM archit ect ure consumes much less power and cert ainly has a lot of pot ent ial.
Virt ualizat ion
(ht t p:/ / st at ic.ipf ire.org/ st at ic/ images/ screenshot s/ en/ hardware/ hwt emp-1.png?v=4c4c0)
IPFire brings many f ront -end drivers f or high-perf ormance virt ualizat ion and can be run as
virt ual guest operat ing syst em on t he f ollowing virt ualizat ion plat f orms. It has also been
opt imized t o some of t he most ly dist ribut ed ones t o bring t he best possible perf ormance
wit hout impact ing t he hardware very much.
Support ed hypervisors
KVM
KVM (ht t p:/ / www.linux-kvm.org) is short f or Kernel-based Virt ual Machine and is developed
by Red Hat Inc. (ht t p:/ / www.redhat .com). It is becoming t he most advanced hypervisor and
succeeding Xen, which has been used so f ar.
IPFire is coming wit h t he virt io kernel modules, t hat have best perf ormance due t o very less
virt ualizat ion overhead.
VMware
IPFire runs on dif f erent VMware product s like vSphere, ESXi and VMware workst at ion. The
addit ional package open-vm-t ools of f ers t ools f or a bet t er int egrat ion.
Xen
Xen has recent ly been t he de-f act o Open Source hypervisor but is now succeeded by KVM.
IPFire can opt ionally be run wit h a paravirt ualized kernel, which has very less virt ualizat ion
overhead as well. To make t he inst allat ion very easy, a pregenerat ed Xen image can be
downloaded f rom t he download page.
Ot hers
IPFire is not limit ed t o t he hypervisors described above. It runs perf ect ly on Qemu, Microsof t
Hyper-V or Oracle Virt ualBox, t oo.
A not e on virt ualizat ion
Virt ualizat ion does have advant ages, but it is not wit hout disadavant ages. There is always t he
possibilit y t hat t he VM cont ainer securit y can be bypassed in some way and a hacker can gain
access beyond t he VM. Because of t his, it is not suggest ed t o use IPFire as a virt ual machine in
a product ion-level environment .
Press (/ press) Imprint (ht t p:/ / www.ipf ire.org/ imprint ) 2014 - IPFire is f ree sof t ware
Wireless Access Point
IPFire of f ers several opt ions f or t he int egrat ion of wireless client s. First , an access point can
be connect ed via a LAN card. In t his scenario, IPFire of f ers MAC/ IP address f ilt ering t o allow
only aut horized client s. The client s are allowed by def ault t o access t he Int ernet , but t hey are
not allowed access t he local LAN. The second opt ion is t o inst all a wireless LAN (WLAN) card
in t he IPFire machine t hat t akes t he f unct ionalit y of t he access point over, using t he add-on
"host apd". This add-on support s bot h unencrypt ed and WPA/ WPA2-encrypt ed connect ions.
Also t he use of 5 GHz (802.11a st andard) is possible if t he wireless card support s it .
Wireless card support in IPFire is excellent . The drivers in t he st able kernel are very up-t o-
dat e and IPFire t heref ore support s a signif icant amount of WLAN cards.
(ht t p:/ / st at ic.ipf ire.org/ st at ic/ images/ screenshot s/ en/ virt ualizat ion/ virt -manager-1.png?
v=a4a1f )