This blog describes the scenario in which all outgoing traffic will be dropped by default.
So I’m reading this blog and have a few questions.
Just to be sure, the rules for DNS, NTP, ICMP, HTTPS (updates) and WHOIS are
– from Firewall RED (ip address)
– to a host group that consists of my DNS servers (for instance)
In case of WHOIS and ICMP, the destination is standard networks RED
– with the relevant service group.
Right?
In the IPFire OpenVPN wiki I read that the needed firewall rules for OpenVPN roadwarrior are automatically created, while this blog states I should create them. What to do?
What rule should I create for using a dynamic DNS service (from what, to what, using what port)?
Sorry for my late response. I couldn’t log in on this forum for some time and then corona decided to pay us a visit. All okay now.
Yes, that’s the blog I meant.
My first question seems to be answered here. So the answer to "Right?" is "Yes" if I interpret it all well. But:
I already configured the web proxy and it works well. Windows computers do pick up the proxy.pac; on Android phones I had to configure the proxy manually.
I applied the rules for DNS, NTP etc. When I change the default forward and outgoing behavior to Drop, internet browsing isn’t possible anymore. So there is still something not done right.
I do see the firewall make connections to my DNS servers (DNS watch).
On the other questions (OpenVPN, DDNS) I didn’t find an answer yet.
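As an added illustration (not code from the blog, from IPFire or from anyone in this thread), the small Python model below plays through the rule structure discussed above: a default-drop outgoing/forward policy with allow rules "from the firewall's RED side, to a host group or to the RED network, with a service group". The group names, addresses and the exact matching semantics are assumptions made for the example; the IPFire web interface is not involved.

```python
"""Model of an IPFire-style default-drop outgoing policy with allow-list rules.

Added example with constructed data; group names, addresses and the matching
semantics are assumptions, not IPFire's actual implementation.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed host groups (assumed names and addresses).
HOST_GROUPS = {
    "my_dns_servers": ["9.9.9.9", "149.112.112.112"],
    "my_ntp_servers": ["162.159.200.1"],
}
# "Standard networks RED" is modelled as every address reachable via RED,
# i.e. the whole IPv4 space. This is an assumption for the example.
NETWORK_GROUPS = {"RED": ["0.0.0.0/0"]}

# Constructed service groups: (protocol, destination port); None = any.
SERVICE_GROUPS = {
    "dns": [("udp", 53), ("tcp", 53)],
    "ntp": [("udp", 123)],
    "https": [("tcp", 443)],
    "whois": [("tcp", 43)],
    "icmp": [("icmp", None)],
}


@dataclass(frozen=True)
class Rule:
    source: str         # "FIREWALL": traffic the firewall itself sends out on RED;
                        # "GREEN": LAN traffic forwarded through the firewall
    dest_group: str     # key of HOST_GROUPS or NETWORK_GROUPS
    service_group: str  # key of SERVICE_GROUPS


@dataclass(frozen=True)
class Packet:
    source: str
    dst: str
    proto: str
    dport: Optional[int] = None


# The allow list from the thread: firewall -> DNS/NTP host groups, and
# firewall -> RED for HTTPS, WHOIS and ICMP. Everything else is dropped.
RULES = [
    Rule("FIREWALL", "my_dns_servers", "dns"),
    Rule("FIREWALL", "my_ntp_servers", "ntp"),
    Rule("FIREWALL", "RED", "https"),
    Rule("FIREWALL", "RED", "whois"),
    Rule("FIREWALL", "RED", "icmp"),
]


def _dest_matches(group: str, dst: str) -> bool:
    addr = ip_address(dst)
    if group in HOST_GROUPS:
        return any(addr == ip_address(h) for h in HOST_GROUPS[group])
    if group in NETWORK_GROUPS:
        return any(addr in ip_network(n) for n in NETWORK_GROUPS[group])
    raise KeyError(f"unknown destination group {group!r}")


def _service_matches(group: str, proto: str, dport: Optional[int]) -> bool:
    return any(p == proto and (port is None or port == dport)
               for p, port in SERVICE_GROUPS[group])


def first_match(pkt: Packet, rules=RULES) -> Optional[Rule]:
    """Return the first rule that allows pkt, or None when the default (drop) applies."""
    for rule in rules:
        if (rule.source == pkt.source
                and _dest_matches(rule.dest_group, pkt.dst)
                and _service_matches(rule.service_group, pkt.proto, pkt.dport)):
            return rule
    return None


def verdict(pkt: Packet, rules=RULES) -> str:
    return "ACCEPT" if first_match(pkt, rules) else "DROP"


if __name__ == "__main__":
    samples = [
        Packet("FIREWALL", "9.9.9.9", "udp", 53),         # DNS to a listed server
        Packet("FIREWALL", "1.1.1.1", "udp", 53),         # DNS to an unlisted server
        Packet("FIREWALL", "93.184.216.34", "tcp", 443),  # proxy/updates fetching HTTPS
        Packet("FIREWALL", "93.184.216.34", "icmp"),      # ping from the firewall
        Packet("GREEN", "93.184.216.34", "tcp", 443),     # LAN client going direct
    ]
    for p in samples:
        print(f"{p.source:8} -> {p.dst}:{p.dport} {p.proto:4} {verdict(p)}")
```

In this model a LAN client talking to port 443 directly is dropped because there is no forward rule for GREEN, while the same destination is accepted when the connection originates on the firewall itself (for instance from the web proxy). That is the distinction to keep in mind when a default-drop policy breaks browsing: the allow rules in the thread are all for traffic the firewall itself generates.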
Keep in mind additional firewall rules are required for establishing IPsec or OpenVPN connections and using dynamic DNS services or downloading IPS rules, if you have not allowed HTTPS traffic to the respective countries.
Thanks @Jon for the links. I had only DNS configured in DHCP for the clients; that might not have been enough. I will configure the redirects and see if that helps.
Thanks @iptom for pointing that out, I missed that. So that means if I do not block, let’s say, my country, OpenVPN to my IPFire firewall from within my country should work. No extra rules needed.