I have ipfire running and everything appears to be preconfigured with the basics.
I just want to confirm while I get a grip on the terminology and settings, does ipfire come preconfigured “ready for home network” firewall out of the box? i.e. are red to green packets dropped by default if not associated with a green to red connection?
It appears to function this way but I would expected to see the details in firewall rules, where there is nothing.
Welcome
Here is a good read.
Such rule is not needed because of the network address translation.
An incoming connection on red never has a target in green except there is a rule that redirect the port to green. (Destination NAT)
I was forced to break my mental association between masq and stateful firewall operations in learning ipv6.
In doing so, I was left to question whether masq ever did provide protection at all in the way that I thought it did. I take it you are saying it does.
Here there is listed a table of the “Default zone ruleset”
Is this a hidden ruleset of actual stateful firewall rules or is this just a table showing the logical outcome of the masq rules?
I don’t understand why the default ruleset would not come pre-populated in firewall rules, as rules to be edited.
both, depending on the rule. From red to green, orange and blue the absence of a DNAT leads to this outcome. All the others are rules, I think.
because it will be a high caliber foot-gun. At least it looks like that to me. Those rules are probably better not to be touched unless you know what you are doing. And if that’s the case, you know how to use the console to change the firewall.
Edit: even if you know how to modify the firewall using the console, the developers have prepared for the user some specific chain to this end. I would assume that it is better to follow their lead.
I usually expect to find the foot gun in software like this so that I can see where it is and not touch it.
When I can’t find it, I get afraid that it comes with the foot already shot.
I understand and share your feelings. I have the same attitude. However, I would also not show those rules and allow them to be modified in the WUI if I were to decide myself how to implement a firewall. In other words, I understand the user interface choices made by the developers.
This is how I managed to see the gut of the firewall in the command line.
You can list the whole iptables rules using the command:
iptables-save
if you want to save the output on file to examine it with an editor:
iptables-save > my_iptables.txt
if you want to see only the tables, you can use this grep filter
iptables-save | grep '\*.*'
which will list the five tables:
*security
*raw
*mangle
*nat
*filter
each table contains the chains, grouped by similarity. If you want to list the tables followed by their chains, you can use this more complex grep filter:
iptables-save | pcregrep -Mo "(?s)(?<=#\s)(.*)(?=#\s)" | grep -e ":.*]" -e "\*"
this will give you the list of the tables, followed by their respective chains (starting with a :), for example:
*security
:INPUT ACCEPT [1250754:1319969297]
:FORWARD ACCEPT [1957707:1623612394]
:OUTPUT ACCEPT [675073:298049594]
*raw
:PREROUTING ACCEPT [20999204:18194585088]
:OUTPUT ACCEPT [3129983:1980078437]
*mangle
:PREROUTING ACCEPT [20999169:18194580311]
:INPUT ACCEPT [4782692:4059878676]
:FORWARD ACCEPT [16207725:14134421571]
:OUTPUT ACCEPT [3129976:1980076781]
:POSTROUTING ACCEPT [19364163:16115312157]
:NAT_DESTINATION - [0:0]
[...]
if you want to see the tables, followed by the chains, followed by their rules
iptables-save | pcregrep -Mo "(?s)(?<=#\s)(.*)(?=#\s)" | grep -e ":.*]" -e "\*" -e "-" | grep -v "#\s"
Apologies for the complexity, but I could not find an easier filter. However It does the job.
You can see an outdated but still relevant flowchart of the chains implemented by IPFire in this wiki entry.
If you want to understand the IPTable inner working, this is the best reference I could find.
This is a generic and more updated flow chart of IPTables.
Also if you go to the WUI menu Firewall - iptables then you can see the rules for each of the chains which you can select from the drop down boxes.
I never understood why that page is showing only NAT and MANGLES tables and not also the other 3. However, all the chains are shown in the first drop-down menu.
The page shows all 3 tables. The first is the ‘standard’ filter table.