Blog Firewall configuration recommendations

This blog describes the scenario in which all outgoing traffic will be dropped by default.
So I’m reading this blog and have a few questions.
Just to be sure, the rules for DNS, NTP, ICMP, HTTPS (updates) and WHOIS are
– from Firewall RED (IP address)
– to a host group that consists of my DNS servers (for instance)
In the case of WHOIS and ICMP, the destination is the standard network RED
– with the relevant service group.
Right?

In the IPFire OpenVPN wiki I read that the needed firewall rules for OpenVPN roadwarrior are automatically created, while this blog states I should create them. What to do?

What rule should I create for using a dynamic DNS service (from what, to what, using which port)?

Regards,
Edwin.

Hi Eddie!

Can you tell us which blog you are reading? Adding the link (or links) to the article you read would help us.

Thank you!

Probably this one.
https://blog.ipfire.org/post/firewall-configuration-recommendations-for-ipfire-users

Hi guys,

Sorry for my late response. I couldn’t log in to this forum for some time, and then corona decided to pay us a visit. All okay now.

Yes, that’s the blog I meant.
My first question seems to be answered here. So the answer to "Right?" is "Yes" if I interpret it all well. But:
I already configured the web proxy and it works well. Windows computers do pick up the proxy.pac; on Android phones I had to configure the proxy manually.
I applied the rules for DNS, NTP etc. When I change the default forward and outgoing behaviour to Drop, internet browsing isn’t possible anymore. So there is still something not done right.
I do see the firewall make connections to my DNS servers (DNS watch).

On the other questions (OpenVPN, DDNS) I didn’t find an answer yet.

Regards,
Edwin.

This might help. Keep in mind the blog article is almost three years old and a few things have changed.

Blog: DNS traffic to configured DNS servers
Make sure DNS is working first before continuing.

Blog: NTP traffic to configured NTP servers
The example in this wiki page is for NTP.

Blog: ICMP traffic for flow control and debugging/administrative purposes

It has been too long since I attempted this. Maybe leave this one off the list short term unless someone else can assist.

Blog: HTTPS traffic for fetching updates

I think a change was made to the IPFire update servers and they all run HTTPS only. Nothing needs to be done on your side.

Blog: WHOIS traffic for administrative purposes

This one I am not sure how to answer. Hopefully someone smarter will be able to respond.

I do not remember any OpenVPN firewall needed. Hopefully someone else will chime in.

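As an added illustration (not IPFire code, and not from the blog post or from any poster in this thread), the following Python script models the first-match, default-drop outgoing policy the thread is discussing: the firewall's own RED address may talk to its DNS and NTP host groups, send ICMP, and reach HTTPS and WHOIS anywhere on RED; everything else falls through to the default Drop. All addresses, host groups, rule names and sample flows are constructed assumptions (RFC 5737 documentation ranges). Running it shows that, with exactly these rules, traffic the firewall originates is accepted while the same DNS or HTTPS traffic sent directly by a LAN client, or DNS from the firewall to a resolver outside its host group, is dropped.

```python
"""Model of a first-match, default-drop outgoing policy (added example, not IPFire code).

Addresses come from the RFC 5737 documentation ranges and are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import FrozenSet, Optional, Tuple, Union

# --- constructed topology (assumptions, not a real deployment) ----------------
RED_IP = ip_address("203.0.113.10")        # assumed address of the firewall's RED interface
GREEN_NET = ip_network("192.168.1.0/24")   # assumed GREEN (LAN) network
RED_ANY = ip_network("0.0.0.0/0")          # "standard network RED": any destination on the internet
DNS_HOSTS = frozenset({ip_address("198.51.100.53"), ip_address("198.51.100.54")})  # assumed DNS host group
NTP_HOSTS = frozenset({ip_address("198.51.100.123")})                             # assumed NTP host group

Target = Union[IPv4Network, FrozenSet[IPv4Address]]


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str                   # "tcp", "udp" or "icmp"
    dport: Optional[int] = None  # None for icmp


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "ACCEPT" or "DROP"
    src: Target
    dst: Target
    protos: FrozenSet[str]
    dports: FrozenSet[int] = frozenset()   # empty set = any port (used for icmp)


def in_target(addr: IPv4Address, target: Target) -> bool:
    """A host group is a frozenset of addresses; a network is an IPv4Network. Both support 'in'."""
    return addr in target


def rule_matches(rule: Rule, flow: Flow) -> bool:
    if flow.proto not in rule.protos:
        return False
    if rule.dports and flow.dport not in rule.dports:
        return False
    return in_target(flow.src, rule.src) and in_target(flow.dst, rule.dst)


def evaluate(flow: Flow, rules, default: str = "DROP") -> Tuple[str, str]:
    """First matching rule wins; otherwise the default policy applies."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action, rule.name
    return default, "default policy"


# The allow list from the blog as the thread reads it: source is the firewall's
# RED address, destination is the relevant host group or the whole of RED.
RULES = [
    Rule("dns", "ACCEPT", frozenset({RED_IP}), DNS_HOSTS, frozenset({"udp", "tcp"}), frozenset({53})),
    Rule("ntp", "ACCEPT", frozenset({RED_IP}), NTP_HOSTS, frozenset({"udp"}), frozenset({123})),
    Rule("icmp", "ACCEPT", frozenset({RED_IP}), RED_ANY, frozenset({"icmp"})),
    Rule("https-updates", "ACCEPT", frozenset({RED_IP}), RED_ANY, frozenset({"tcp"}), frozenset({443})),
    Rule("whois", "ACCEPT", frozenset({RED_IP}), RED_ANY, frozenset({"tcp"}), frozenset({43})),
]


def classify_samples():
    """Constructed flows: the firewall's own traffic versus a LAN client going direct."""
    client = ip_address("192.168.1.20")     # a GREEN client (constructed)
    web = ip_address("203.0.113.80")        # some web server on the internet (constructed)
    other_dns = ip_address("203.0.113.53")  # a resolver NOT in the DNS host group (constructed)
    samples = {
        "fw_dns_to_group":     Flow(RED_IP, ip_address("198.51.100.53"), "udp", 53),
        "fw_dns_elsewhere":    Flow(RED_IP, other_dns, "udp", 53),
        "fw_ntp":              Flow(RED_IP, ip_address("198.51.100.123"), "udp", 123),
        "fw_ping":             Flow(RED_IP, web, "icmp"),
        "fw_https":            Flow(RED_IP, web, "tcp", 443),
        "fw_http":             Flow(RED_IP, web, "tcp", 80),
        "client_dns_direct":   Flow(client, other_dns, "udp", 53),
        "client_https_direct": Flow(client, web, "tcp", 443),
    }
    return {name: evaluate(flow, RULES) for name, flow in samples.items()}


if __name__ == "__main__":
    for name, (action, why) in classify_samples().items():
        print(f"{name:22} {action:6} ({why})")
```

This only models the matching logic (source, destination, protocol, port, first match, default policy), not IPFire's actual chain layout or its automatically generated rules; it is a way to list which flows each rule covers before switching the default to Drop.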

Are you thinking of the following phrase?

Keep in mind additional firewall rules are required for establishing IPsec or OpenVPN connections and using dynamic DNS services or downloading IPS rules, if you have not allowed HTTPS traffic to the respective countries.


Thanks @Jon for the links. I had only DNS configured in DHCP for the clients; that might not have been enough. I will configure the redirects and see if that helps.

Thanks @iptom for pointing that out, I missed that. So that means if I do not block, let’s say, my country, OpenVPN to my IPFire firewall from within my country should work. No extra rules needed.