@sec-con Regarding the security of a SOHO network safeguarded by IPFire, here’s my perspective. Open ports denote active services that could become potential attack vectors. These services could be running on the firewall or on any device in the protected (green/blue) network. However, I don’t factor in the orange zone, which remains separate.
In a standard IPFire setup, the primary threats don’t come from the firewall itself—save for OpenVPN or IPSec, which, if correctly configured, pose little risk. Rather, the significant threats stem from potential malware within the protected network.
To mitigate these risks, scanning for open ports targeting IPFire from the external (red) interface (which you did) is a necessary step. However, this approach can’t fully eliminate the threat posed by time-activated malware or port-knocking configurations, among other tactics.
Thus, for the best security when leaving your network unattended, you could consider disconnecting the entire protected network from the external interface.
In general, comprehensive network security should also include control over running services, up-to-date software, and user behavior awareness, along with implementing intrusion detection and prevention systems.
A thorough scan for open ports that target IPFire from the external red interface can be done using nmap. An example command might look like this:
nmap -v -sS -p- IPFIRE_PUBLIC_IP
The ‘-v’ option increases verbosity for more detailed feedback, ‘-sS’ initiates a SYN scan (which is less likely to trigger IDS/IPS), and ‘-p-’ instructs nmap to scan all 65535 ports. Note that this command should be run from an external host connected to the WAN side and it should be done with the full approval of the owners of the machine and network.
Keep in mind that without a port forward rule, there is not going to be any open port, therefore nmap will always come up negative in absence of explicitly NATted ports. However, malware can initiate a connection from inside the network, and this is in my opinion the most likely threat model to consider, as I said before.
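The post's last point, that an external port scan says nothing about malware calling out from inside, is easier to act on with a small egress review. The script below is an added example and not code from the post or from the IPFire project: it reads iptables-style FORWARD log lines (the exact field layout, the zone interface names `green0`/`blue0`/`red0`, the allowlist of expected destination ports and the sample log lines are all constructed assumptions, not real IPFire output) and reports two things a defender wants to see: outbound connections to ports outside the allowlist, and flows that recur at near-regular intervals, which is the beaconing pattern of malware phoning home.

```python
"""Egress review for a small IPFire-style network (added example, assumptions
labelled). Parses constructed iptables-style FORWARD log lines and flags
(a) outbound connections to non-allowlisted destination ports and
(b) flows that repeat at near-regular intervals (beaconing)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed line layout (constructed, not real IPFire output):
# "<ISO timestamp> kernel: FORWARD IN=green0 OUT=red0 SRC=.. DST=.. PROTO=TCP SPT=.. DPT=.."
LOG_RE = re.compile(
    r"^(?P<ts>\S+) .*?IN=(?P<in>\S+) OUT=(?P<out>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r".*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

EXPECTED_PORTS = {53, 80, 123, 443}      # assumption: what normal egress looks like on this LAN
INTERNAL_IFACES = {"green0", "blue0"}    # assumption: protected-zone interface names
EXTERNAL_IFACE = "red0"                  # assumption: WAN-side interface name

# Constructed sample log: one normal browsing host (10.0.0.5), one host
# (10.0.0.7) contacting the same external address on port 4444 every ~5 min,
# one inbound line and one unrelated kernel message that must be ignored.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 kernel: FORWARD IN=green0 OUT=red0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=443",
    "2024-05-01T10:00:00 kernel: FORWARD IN=green0 OUT=red0 SRC=10.0.0.7 DST=198.51.100.9 PROTO=TCP SPT=40001 DPT=4444",
    "2024-05-01T10:03:22 kernel: FORWARD IN=green0 OUT=red0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=51001 DPT=80",
    "2024-05-01T10:05:00 kernel: FORWARD IN=green0 OUT=red0 SRC=10.0.0.7 DST=198.51.100.9 PROTO=TCP SPT=40002 DPT=4444",
    "2024-05-01T10:06:10 kernel: FORWARD IN=red0 OUT=green0 SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=55555 DPT=22",
    "2024-05-01T10:10:00 kernel: FORWARD IN=green0 OUT=red0 SRC=10.0.0.7 DST=198.51.100.9 PROTO=TCP SPT=40003 DPT=4444",
    "2024-05-01T10:12:00 kernel: something unrelated happened",
    "2024-05-01T10:15:01 kernel: FORWARD IN=green0 OUT=red0 SRC=10.0.0.7 DST=198.51.100.9 PROTO=TCP SPT=40004 DPT=4444",
]


def parse_line(line):
    """Return a dict for a matching log line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {"ts": datetime.fromisoformat(d["ts"]), "in": d["in"], "out": d["out"],
            "src": d["src"], "dst": d["dst"], "proto": d["proto"], "dpt": int(d["dpt"])}


def outbound_events(lines):
    """Keep only connections leaving a protected zone for the red interface."""
    events = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["in"] in INTERNAL_IFACES and ev["out"] == EXTERNAL_IFACE:
            events.append(ev)
    return events


def unexpected_ports(events, allowed=EXPECTED_PORTS):
    """Sorted (src, dst, dpt) triples for egress to ports outside the allowlist."""
    return sorted({(e["src"], e["dst"], e["dpt"]) for e in events if e["dpt"] not in allowed})


def beacon_candidates(events, min_hits=4, max_jitter_ratio=0.2):
    """Flows seen at least min_hits times whose inter-arrival gaps vary little.
    Returns sorted ((src, dst, dpt), mean_gap_seconds) pairs."""
    by_flow = defaultdict(list)
    for e in events:
        by_flow[(e["src"], e["dst"], e["dpt"])].append(e["ts"])
    flagged = []
    for flow, stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter_ratio:
            flagged.append((flow, round(mean, 1)))
    return sorted(flagged)


def review(lines):
    """Run both checks over raw log lines and return the findings."""
    events = outbound_events(lines)
    return {"outbound": len(events),
            "unexpected_ports": unexpected_ports(events),
            "beacons": beacon_candidates(events)}


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it as-is to see the constructed host 10.0.0.7 flagged on both checks while the inbound line and the unrelated kernel message are ignored; point `review()` at real log lines after adjusting `LOG_RE`, the interface names and the port allowlist to the actual setup. A flow that appears on both lists is worth checking on the host, which is the kind of evidence an external port scan cannot produce.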