Adding a new zone to IPFire

Hi everyone, I was looking at adding a new firewall zone after looking at some people’s questions, and it would help out in new network setups.

Currently I use the orange network with a few rules added to make the same network zone I want to set up. But if I needed a DMZ I would have to build this extra zone.

Since this zone is accessible across the inside network (green, blue and orange) technically it wouldn’t need a dedicated interface, but it might make sense to do that for organisational purposes and to extend it out on a vlan by itself.

This zone’s rules would be: access to green, blue and orange, deny red.
Color for the zone, I think Gold would be a good color to use.

Is your plan to make an addon to add a zone?

An addon would be preferred. The only thing I don’t know how to do yet is make it so the user can select the available interface and IP for Gold0 at the install point.

:thinking:
Think about it,
How will you explain the new zone to new users?
How will you show the color gold on the diagrams?
:wink:

Regards

What would its default zone behavior be?
Blocked all zones?

I think we should discuss this since it affects the group.

But the one global rule I don’t see is an exclusive inside networking.

So Gold would have access to green, blue, and orange, deny red.

Then there would be default network devices and servers not involved with the internet (CA server, media servers, NTP servers, home automation, IPMI, NAS) that, if needed, could be granted access to red individually.

Also, I’ve been thinking this network could be IPv4 and IPv6, but only IPv4 can access red if assigned to a device. So no 6to4 bridge needs to be set up.

I would think blocking access to other zones would be the preferred default.
Even block all zones. Easy to work with.

Well I would call it Devices, on the main page.

So the main page would look like this:

And the default firewall rules diagram would look like this:

As the color gold, I would use the CSS color name gold, with black font letters.

Since someone is editing all of this, the font in the orange should be black to make it more readable.

It would be easier to set up as everything is denied already unless you purposely invert the default firewall rules.

The only additional thing would be displaying this default behaviour on the firewall rules page. That would mean adding a line and a column to the charts under the firewall configuration chart.

Also the Gold column would be added to the zone configuration page.

Is your plan to add 1 additional zone?
Or to name and add multiple zones one at a time?

I was thinking of just adding one for now, as the current setup would suffice for 90% of businesses and residences, and adding the fourth one should take care of the 9% that have to modify parts of a zone to do the same function that gold would do.

The name Devices isn’t written in stone yet, so if you think Inside or IoT or something else would be a better name for it, I’m open to suggestions.

Are you working on a solution?
I’m asking, because there is no discussion in the dev mail list.

It’s been something I’ve been thinking about for quite some time. Since I’m finished for now assisting others with Linux Main, I need to get into the dev loop here and join IPFire’s dev mailing list.

You (and everyone else of course) can join with an easy click here: (nevermind)


One issue I am having is when I click the subscribe button, I get a 404 error.

There might be some bug in that page.

Try this page from the wiki, which has a link to the main development subscribe page:
https://www.ipfire.org/docs/devel/mailing-lists


Here is the list of mailing lists from the IPFire website Sitemap link.

https://lists.ipfire.org/postorius/lists/?count=100


Thank you.
I subscribed by email.
The login doesn’t work for some reason, but at least I’m signed up.

Now I just need to bookmark the dev mailing pages so I can see what people are working on.

You don’t need to log in to send emails; just your email address has to be registered, otherwise any email will be rejected.
