Can the firewall interface be simplified

Hi,

I am a new user of IPFire and have just transitioned from ClearOS, which is going end of life this year, and I believe some of the firewalling could be a lot easier. Full disclosure: I used to be a (basic) maintainer of ClearOS and I have a good understanding of iptables.

I have found the firewall complicated to use as it is trying to do everything in one screen and I can only really get it to work with my knowledge of iptables and using the help screens. It is not something any family member could easily take over if I ever pass on.

Many domestic routers have a very simple Port Forwarding menu. At its simplest, it has a destination (LAN) IP, protocol and port/port range which applies to the external interface. ClearOS also allows you to switch ports, so, for example incoming tcp:2222 can be switched to tcp:22. There is no mention of NAT, of source ports (which are irrelevant) or interfaces. It would greatly help unknowledgeable users to have a simple port forwarding menu something like that, with maybe a source IP field as well.

I have a /29 block of static IPs. Really, using one of them should need a screen little more complicated than a Port Forwarding screen, but it should also allow you to specify which of your external IPs to use. Then it should set up the Alias for you and do the port forwarding with the option of any protocol. At the same time it should set up an SNAT rule so outbound traffic is seen to originate from your designated external IP rather than the default interface IP, and a hairpin rule should be set up so the external IP can be accessed from the LAN (it is only needed for the LAN that the target device is on and not the other LANs).

As you have in ClearOS, you could then have a separate menu to open the incoming firewall e.g. for OpenVPN.

I like the Service groups concept but, at the same time, it could be made largely redundant. If “-m multiport” is used for all port-based rules, including a single port, then the destination port selector in the Protocol section could be opened up to allow up to 15 ports to be specified, like you can in the Services section. Then I think service groups are only relevant when you have more than one protocol that you want to apply the rule to.

I would also need to think about it more, but it may be good if Static Routes also created their own hairpin firewall rule.

Is there a place to have this sort of discussion with the devs?

Getting in touch with the developers


I concur in many aspects of your post, but I think there is a rather obvious way to do this and it would loosely follow this …

Basic functionality: what you need to provide for things to just work in the simplest possible way. Maybe also a bit unsafe and prone to errors if you do not know what you are doing. IPFire “interprets and does the job” as well as possible.

Advanced configuration: for settings that are relevant to a more advanced and demanding configuration, also with some caveats for existing knowledge and settings. Probably a safer approach, and IPFire does not do much “thinking” but assumes you know what you are doing.

So is this not really a double approach that some may deem unnecessary? Yes, probably, but it may help many get going with simpler things.

It does not have to be unsafe. ClearOS does it, although it has bugs and creates some bad rules which could easily be corrected if they had a development team left. SOHO routers also do it, also allowing blocks of WAN IP addresses to be routed correctly.

Could you post some screenshots of your SOHO router showing what you have in mind?

Interface is definitely a “make or break” situation, but that’s why UI designers are getting paid well.

I’ve seen many SoHo routers. Here are the screenshots from a Linksys EA6900:

Personally I don’t see the need for 2 screens for a single port and port range. Also Source IP could be added.

In ClearOS you have:
Screenshot 2024-03-06 103627
and
Screenshot 2024-03-06 103659
Again separate port and port range screens, possibly because the single port option allows port switching as well, but that could be covered in the UI such that when a range is entered, the “To Port” is disabled. Technically iptables will allow port switching with ranges as long as the range sizes match, I believe. So I think you can do 9981-9984 to 19981-19984.


Off topic.
I’ll miss ClearOS so much.
I’m already crying, believe me.

It is good to read you again here, Nick.
I’ll miss the Clear Community forums, too.

I’ve been banned from the ClearOS forums for posting comments that Michael Proper objected to when I challenged his lies. The forums are virtually dead and, since I was the main helper there, almost no one gets any help.


I am a little confused (but that is normal). In my head the ClearOS From Port is an IPFire (Firewall Rules) Destination Port, but that seems very wrong.

Would you be so kind as to fill out the ClearOS window for a Port Forward to Port 80?

This is the IPFire version:
https://www.ipfire.org/docs/configuration/firewall/rules/port-forwarding/red_to_server_on_green


Source
> Standard networks > Any

NAT
> Use Network Address Translation (NAT) > Destination NAT
> Firewall Interface RED

Destination
> Destination Address > ClearOS IP Address

Protocol
> TCP
> Destination Port > ClearOS “From Port”.

In ClearOS if the To Port is empty the From Port is assumed. This way To Port is interpreted as the original packet destination. In IPFire it is the other way round. Destination Port is the port that the ClearOS “IP Address” is listening on, the To Port. Then if External Port is empty, it is assumed to be the same as “Destination Port”. If External Port is set, it will accept traffic coming into the External Port and redirect it to the Destination Port.

If you are setting up a web server, there is another trick in IPFire. Go Firewall > Firewall Groups > Service Groups and add a new one, like “web_server”. Then an Add: dropdown will appear. Select HTTP > Add, then HTTPS > Add. Then head back to your Firewall Rules > Protocol and for your Protocol, choose “- Preset -” and select your Service Group “web_server” that you have just set up. You then have one firewall rule to cover both ports.

If you are trying to add other ports which don’t exist in the Service Groups > Add: dropdown, such as ClearSDN (tcp:1875), create it first in Firewall > Firewall Groups > Services.

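To make the discussion concrete, here is an added example (not IPFire or ClearOS code, and not from any poster in this thread) of what the “simple port forwarding menu” described in the opening post would have to emit underneath: one entry with an external port, an optional switched internal port, a LAN target and an optional external IP from the /29, turned into the DNAT rule, the FORWARD accept, the matching SNAT for outbound traffic, and the hairpin pair for the target device’s own LAN. It also applies the range-size check from the port-range post above and the “External Port empty means same as Destination Port” rule from the IPFire mapping post. Interface names (red0, green0), the addresses 203.0.113.8/29, 203.0.113.9, 192.168.1.0/24 and 192.168.1.1, and the function and class names are all assumptions chosen for illustration.

```python
"""Generate the iptables/ip commands behind one 'simple port forward' entry.

Added example, not IPFire or ClearOS code. All interface names, addresses
and ports are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class PortForward:
    proto: str                       # "tcp" or "udp"
    ext_ports: str                   # external ("From") port: "2222" or "9981-9984"
    lan_ip: str                      # device on the LAN that listens
    int_ports: Optional[str] = None  # internal ("To") port(s); None = same as ext_ports
    src: str = "0.0.0.0/0"           # optional source restriction
    ext_ip: Optional[str] = None     # one address from the /29; None = interface IP


def _parse_range(spec: str):
    """'22' -> (22, 22); '9981-9984' -> (9981, 9984); rejects nonsense."""
    lo_s, _, hi_s = spec.partition("-")
    lo = int(lo_s)
    hi = int(hi_s) if hi_s else lo
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port spec {spec!r}")
    return lo, hi


def _xt_range(spec: str) -> str:
    """--dport syntax: 'lo:hi' for a range, 'lo' for a single port."""
    lo, hi = _parse_range(spec)
    return f"{lo}:{hi}" if hi != lo else str(lo)


def _nat_range(spec: str) -> str:
    """--to-destination port syntax: 'lo-hi' for a range, 'lo' for a single port."""
    lo, hi = _parse_range(spec)
    return f"{lo}-{hi}" if hi != lo else str(lo)


def build_rules(pf: PortForward, wan: str = "red0", wan_ip: str = "203.0.113.9",
                ext_block: str = "203.0.113.8/29", lan: str = "green0",
                lan_net: str = "192.168.1.0/24", lan_gw: str = "192.168.1.1") -> List[str]:
    """Return the commands for one entry, in the order they should be applied."""
    if pf.proto not in ("tcp", "udp"):
        raise ValueError("protocol must be tcp or udp")
    ext_lo, ext_hi = _parse_range(pf.ext_ports)
    int_spec = pf.int_ports or pf.ext_ports        # empty internal port = same as external
    int_lo, int_hi = _parse_range(int_spec)
    # Switching a range to another range only makes sense when both are the same size.
    # Whether the kernel then maps them one to one is the claim made in the thread;
    # verify it on the kernel you actually run before relying on it.
    if ext_hi - ext_lo != int_hi - int_lo:
        raise ValueError("external and internal port ranges must be the same size")
    ipaddress.ip_address(pf.lan_ip)                # raises on a malformed address

    rules: List[str] = []
    target = pf.ext_ip or wan_ip
    if pf.ext_ip:
        block = ipaddress.ip_network(ext_block)
        if ipaddress.ip_address(pf.ext_ip) not in block:
            raise ValueError(f"{pf.ext_ip} is not in {ext_block}")
        # The "Alias": put the extra address on the external interface.
        rules.append(f"ip addr add {pf.ext_ip}/{block.prefixlen} dev {wan}")

    src = "" if pf.src == "0.0.0.0/0" else f" -s {pf.src}"
    match = f"-p {pf.proto} --dport {_xt_range(pf.ext_ports)}"
    to = f"{pf.lan_ip}:{_nat_range(int_spec)}"

    # 1. Inbound DNAT on the external interface; port switching happens here.
    rules.append(f"iptables -t nat -A PREROUTING -i {wan}{src} -d {target} {match} "
                 f"-j DNAT --to-destination {to}")
    # 2. Allow the translated connection through FORWARD (match on the *internal* port).
    rules.append(f"iptables -A FORWARD -i {wan} -o {lan}{src} -d {pf.lan_ip} "
                 f"-p {pf.proto} --dport {_xt_range(int_spec)} "
                 f"-m conntrack --ctstate NEW -j ACCEPT")
    # 3. Outbound traffic from the device leaves from the designated external IP.
    if pf.ext_ip:
        rules.append(f"iptables -t nat -A POSTROUTING -o {wan} -s {pf.lan_ip} "
                     f"-j SNAT --to-source {pf.ext_ip}")
    # 4. Hairpin for the device's own LAN only: DNAT the external address, then SNAT
    #    to the gateway so the reply returns via the firewall, not directly to the client.
    rules.append(f"iptables -t nat -A PREROUTING -i {lan} -s {lan_net} -d {target} {match} "
                 f"-j DNAT --to-destination {to}")
    rules.append(f"iptables -t nat -A POSTROUTING -o {lan} -s {lan_net} -d {pf.lan_ip} "
                 f"-p {pf.proto} --dport {_xt_range(int_spec)} -j SNAT --to-source {lan_gw}")
    return rules


if __name__ == "__main__":
    # tcp:2222 on 203.0.113.10 switched to tcp:22 on a LAN host, as in the opening post.
    for line in build_rules(PortForward("tcp", "2222", "192.168.1.10",
                                        int_ports="22", ext_ip="203.0.113.10")):
        print(line)
```

The hairpin SNAT deliberately matches only the target device and its own LAN, which is the scoping the opening post asks for; without it, the LAN client would see a reply from 192.168.1.10 to a connection it opened to 203.0.113.10 and drop it. The FORWARD rule matches the internal port because DNAT has already rewritten the destination by the time the packet reaches the filter table.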