Hi everyone, I was looking at adding a new firewall zone after looking at some people’s questions and would help out in new network setups.
Currently I use the orange network with a few rules added to make the same network zone I want to set up. But if I needed a DMZ I would have to build this extra zone.
Since this zone is accessible across the inside network (green, blue and orange) technically it wouldn’t need a dedicated interface, but it might make sense to do that for organisational purposes and to extend it out on a vlan by itself.
This zone's rules would be: access to green, blue and orange; deny red.
Color for the zone, I think Gold would be a good color to use.
As an addon would be preferred. The only thing I don't know how to do yet is make it so the user can select the available interface and IP for Gold0 at the install point.
I think we should discuss this since it affects the group.
But the one global rule I don’t see is an exclusive inside networking.
So Gold would have access to green, blue, and orange, deny red.
Then there would be default network devices and servers not involved with the internet (CA server, media servers, NTP servers and home automation, IPMI, NAS) that, if needed, could be granted access to red individually.
Also, I've been thinking this network could be IPv4 and IPv6, but only IPv4 can access red if assigned to a device. So no 6to4 bridge needs to be set up.
It would be easier to set up as everything is denied already unless you purposely invert the default firewall rules.
The only additional thing would be displaying this default behaviour in the firewall rules page. That would be adding a line and column to the charts that are under the firewall configuration chart.
Also the Gold column would be added to the zone configuration page.
I was thinking of just adding one for now, as the current setup would suffice for 90% of businesses and residences, and adding the fourth one should take care of the 9% that have to modify parts of a zone to do the same function that Gold would do.
The name devices isn’t written in stone yet, so if you think Inside or IOT or something else would be a better name for it, I’m open for suggestions.
It's been something I've been thinking about for quite some time. Since I'm finished for now assisting others with Linux Mint, I need to get into the dev loop here and join IPFire's dev mailing list.
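To make the proposed policy concrete, here is an added example (not the poster's code and not part of IPFire) that models the Gold zone as described above: default deny, Gold may reach green, blue and orange, and red is reachable only by individually listed IPv4 devices, so IPv6 hosts never reach red. The interface names `gold0`, `green0`, `blue0`, `orange0`, `red0`, the chain name `GOLDFWD`, and the sample addresses are assumptions constructed for the example; the function also renders the equivalent iptables rules so the default-deny ordering is visible.

```python
from ipaddress import ip_address

# Zones the proposal lets Gold reach unconditionally (zone names from the post).
INSIDE_ZONES = frozenset({"green", "blue", "orange"})

# Hypothetical per-device exceptions: IPv4 devices inside Gold that are
# individually granted access to red. Constructed sample values.
RED_EXCEPTIONS = frozenset({"10.40.0.10"})


def gold_policy(src_ip: str, dst_zone: str, red_exceptions=RED_EXCEPTIONS) -> str:
    """Decide ACCEPT/DROP for traffic leaving Gold toward dst_zone."""
    addr = ip_address(src_ip)
    if dst_zone in INSIDE_ZONES:
        return "ACCEPT"
    if dst_zone == "red":
        # Only IPv4 and only explicitly listed devices may reach the internet;
        # an IPv6 source is dropped even if someone lists it by mistake.
        allowed = {ip_address(x) for x in red_exceptions}
        if addr.version == 4 and addr in allowed:
            return "ACCEPT"
        return "DROP"
    # Default deny for anything else, including unknown or mistyped zones.
    return "DROP"


def render_iptables(red_exceptions=RED_EXCEPTIONS) -> list:
    """Emit iptables commands expressing the same policy (assumed names)."""
    lines = ["iptables -N GOLDFWD"]  # hypothetical forward chain for Gold
    for zone in sorted(INSIDE_ZONES):
        lines.append(f"iptables -A GOLDFWD -i gold0 -o {zone}0 -j ACCEPT")
    for ip in sorted(red_exceptions, key=ip_address):
        # Per-device red exceptions come before the final drop.
        lines.append(f"iptables -A GOLDFWD -i gold0 -o red0 -s {ip} -j ACCEPT")
    lines.append("iptables -A GOLDFWD -i gold0 -j DROP")  # everything else denied
    return lines


if __name__ == "__main__":
    for src, dst in [("10.40.0.5", "green"), ("10.40.0.5", "red"),
                     ("10.40.0.10", "red"), ("fd00::10", "red")]:
        print(f"{src:>12} -> {dst:<7} {gold_policy(src, dst)}")
    print("\n".join(render_iptables()))
```

The rule order matters: the per-device exceptions sit between the unconditional inside-zone accepts and the final drop, which is exactly the "everything is denied unless you purposely invert the default" behaviour the post relies on.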