Firewall configuration recommendations

Per the blog post: https://blog.ipfire.org/post/firewall-configuration-recommendations-for-ipfire-users

Taking care of all of these services usually requires about five firewall rules, and since they often depend on the network environment, we unfortunately cannot ship a default ruleset suitable for all (or even the majority of the) IPFire users.

I know I am being a whiny little crybaby, but it would be helpful to have some screenshots of example rules with explanations addressing these configuration recommendations.

[edit] I understand that creating firewall rules is intuitively obvious to some (many) but I tend to struggle – even when I think I know what I am doing.

2 Likes

IMHO, while I read your posting, I thought that especially in this case I don't like an additional screenshot. There is a big chance that all an inexperienced user gains from it is that he/she is able to “tick a checkbox”.

All that you need you will already find in the wiki. A little bit of commitment and understanding is really important here.

What should happen if not everything works on your first try after you change to block and make your first attempt with a rule? The only things that can happen are that it works :wink: or it stays blocked. So try again.

2 Likes

You want to learn firewall? Study TCP IP. Then create rules.
Otherwise…

Okay, I obviously asked for way too much coddling and hand-holding. I’m not looking to be a firewall guru – I have a simple Red-Green-Blue home setup. I was hoping for a gentle little nudge in the right direction. Thanks for the kick in the gonads, I feel much better now :cowboy_hat_face:

2 Likes

I agree! I thought the same thing when reading this blog.

Either this or add a new blog for beginners about firewall rules in general. With images! I use very few rules since I can never get them to work correctly.

Prepare for a kick in the gonads :grinning:

2 Likes

@cbrown @jon

You both should see this as a personal driving license. You can only learn real driving if you do it on your own and not if you only sit beside and watch the driver :wink:

2 Likes

Not brave enough to attempt on my home network.
Do not wish to be a full-time firewall admin.
But was considering a revamp of my network.
Perhaps re-enable MAC filter on BLUE.
Maybe no AP on GREEN.

Hi,

sorry for the late reply. The blog post lacks screenshots on purpose, for reasons already pointed out by @tulpenknicker. Personally, I find it hard to strike a balance between making using IPFire as easy as possible in order to be helpful to as many people as possible, and not oversimplifying it at the same time.

This being said: If any questions appear while setting up specific firewall rules, I (or somebody else, whoever responds first :wink: ) will be happy to answer them.

Thanks, and best regards,
Peter Müller

2 Likes

Thanks, @pmueller

Having read through the blog post a few times, perhaps I’ve recovered a bit from being initially overwhelmed with confusion and despair. Here’s the questions that came to mind on the last pass:

  1. Am I correct to assume the rules to allow essential connections for IPFire itself would have “Source” as “Firewall” and the red interface?

  2. I’m using DNS over TLS – using servers from the Wiki. So I would need a rule allowing TCP traffic to any IP Addr, destination port 853. Would it be advisable to limit the IP Addrs to a group for the rule?

  3. For NTP, it would be necessary to allow UDP traffic to any IP Addr, destination port 123, okay?

  4. For ICMP, allow traffic for type 8. Is it advisable/risky/recommended to allow others or all types?

  5. For HTTPS fetching updates, allow TCP traffic to any IP Addr, port 443 – or should this be limited to group of mirror IP Addrs?

  6. For WHOIS traffic, allow TCP traffic to any IP Addr, destination port 43, Okay?

Any guidance here would be appreciated.
Thanks again,
Charles Brown

1 Like

Are you using the internal Proxy?
Do you have a “block all not addressed to proxy” rule?

No, I’m not using proxy.

I’m simply trying to follow the blog post recommendation about changing the “forward firewall” and “outgoing firewall” policies to “blocked”.

Ok. Assuming you block all, Green has no access to WAN.
You will have to open ports for different devices based on their needs.
If there are lots of similar devices with the same port requirements you can make them part of
a service group to simplify your firewall rules.
PC web surfing: port 443, possibly port 80 too.
May need one rule for DNS, NTP etc. to the firewall (not WAN) for devices.
Have not done this myself. Yet?

@cbrown

How can I best phrase this without making you feel bad again?

No one gave you a picture and now you want to talk, without trying anything, about all 5 rules :wink:

Because it seems you have not tried anything, and it seems you have not read the manual very carefully, you did not notice that at a very early stage (your first question, 1) your mission is broken / not complete.

Hint: That's not enough if you don't use the proxy.

Because of the above, I don't want to help at this stage. (That's maybe not so important because you asked Peter for help :wink: )

I’m not doing this to torture you :wink: Edit: Especially with this last comment I am not sure whether it can be misinterpreted, because my English knowledge is not the best. It's important to me that you don't think I mean it should all be complicated and it should hurt and so on. I don't like to torture you!

I think you should do this on a practical basis, not only in theory.

May I ask you why you do not want to use the proxy?

Thank you, @Tulpenknicker, for your help so far. I am not overly offended by your somewhat harsh treatment. Heck, some people pay extra for that … but typically to a dominatrix. I will be happy to go with the proxy thingy when I get there. So far, I was simply trying to understand the initial blog section with respect to the default policy change and getting essential firewall services talking. I’ve been on travel away from my IPFire box. When I get to it, I will start playing around a bit at off-hours so as not to perturb my user/spouse. My naive misunderstanding of everything in the blog and the wiki can be somewhat attributed to my ADHD, Dyslexia, and mild Autism … but also to my general sloth and lethargy. I’ll try to be more of a good boy before posting again … but don’t be too annoyed if I still come across as the novice that I am. Hopefully any subsequent discussion on this topic can be helpful to others that may be too timid to risk your wrath :sunglasses:

This was not intentional, but it increases the chance that you fiddle around with the settings :wink:

Never ever have I wrath :innocent:

So if at the moment you do not want to use the proxy, I suggest you think over whether you should split this project into 2 parts. First you only block the Forward Firewall. You then have enough to figure out. The only “problem” is that afterwards, once you use the proxy, you have to remember to delete the unnecessary rules.

The goal should be to use all of it together with the proxy and URL filter.

Hi,

Having read through the blog post a few times, perhaps I’ve recovered a bit from being initially overwhelmed with confusion and despair.

that’s good to hear. :slight_smile:

  1. Am I correct to assume the rules to allow essential connections for IPFire itself would have “Source” as “Firewall” and the red interface?

Yes, this is correct. There seems to be a glitch (#11932) regarding the DNS rule which requires the source interface set to any, but I did not have enough time to investigate further.

For any other rule, the red firewall interface is fine.

  2. I’m using DNS over TLS – using servers from the Wiki. So I would need a rule allowing TCP traffic to any IP Addr, destination port 853. Would it be advisable to limit the IP Addrs to a group for the rule?

Yes, since your DNS servers do not change that often and there is no legitimate reason why your firewall should query other DNS resolvers.

  3. For NTP, it would be necessary to allow UDP traffic to any IP Addr, destination port 123, okay?

Yes.

  4. For ICMP, allow traffic for type 8. Is it advisable/risky/recommended to allow others or all types?

Allowing ICMP type 8 is correct. Some other ICMP types are risky, and since ICMP messages related to established connections will be handled automatically, there is no need to allow additional ICMP types.

  5. For HTTPS fetching updates, allow TCP traffic to any IP Addr, port 443 – or should this be limited to group of mirror IP Addrs?

Destination port 443 (TCP) is correct. Setting up an IP address group is more secure, but also more laborious. Personally, I would advise in favour of doing so.

  6. For WHOIS traffic, allow TCP traffic to any IP Addr, destination port 43, Okay?

Yes.

Just drop me a line in case of further questions. :slight_smile:

Thanks, and best regards,
Peter Müller
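The five egress rules confirmed in the answer above, modelled as an added example in Python (this is not IPFire's code): the outgoing policy is "blocked" and a connection originating from the firewall passes only if one explicit rule matches it. The resolver and mirror addresses are constructed placeholders standing in for the wiki's DoT servers and the update mirrors.

```python
"""Added example, not IPFire code: the five essential egress rules from this
thread, checked against a default-blocked outgoing policy.  Resolver and
mirror addresses are constructed placeholders from documentation ranges."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

DNS_GROUP = ["192.0.2.53", "198.51.100.53"]   # constructed DoT resolver group
MIRROR_GROUP = ["203.0.113.0/24"]             # constructed update mirror group


@dataclass
class Rule:
    proto: str                              # "tcp", "udp" or "icmp"
    dport: Optional[int] = None             # destination port for tcp/udp
    icmp_type: Optional[int] = None         # ICMP type for icmp rules
    dst_group: Optional[List[str]] = None   # None means any destination

    def matches(self, proto, dst, dport=None, icmp_type=None):
        if proto != self.proto:
            return False
        if self.proto in ("tcp", "udp") and dport != self.dport:
            return False
        if self.proto == "icmp" and icmp_type != self.icmp_type:
            return False
        if self.dst_group is not None:
            return any(ip_address(dst) in ip_network(n) for n in self.dst_group)
        return True


# The rules in the order they were confirmed above.
RULES = [
    Rule("tcp", dport=853, dst_group=DNS_GROUP),      # DNS over TLS, group-limited
    Rule("udp", dport=123),                           # NTP to any server
    Rule("icmp", icmp_type=8),                        # echo request only
    Rule("tcp", dport=443, dst_group=MIRROR_GROUP),   # HTTPS to update mirrors
    Rule("tcp", dport=43),                            # WHOIS to any registry
]


def egress_allowed(proto, dst, dport=None, icmp_type=None, rules=RULES):
    """Outgoing policy 'blocked': the firewall's own connection passes only
    when some explicit rule matches it; everything else is dropped."""
    return any(r.matches(proto, dst, dport, icmp_type) for r in rules)


if __name__ == "__main__":
    print(egress_allowed("tcp", "192.0.2.53", dport=853))     # listed resolver
    print(egress_allowed("tcp", "192.0.2.99", dport=853))     # unlisted resolver
    print(egress_allowed("icmp", "192.0.2.1", icmp_type=13))  # ICMP timestamp
```

Dropping the `dst_group` on the first rule reproduces the looser "any IP Addr" variant from the question, so the two policies can be compared on the same sample connections.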

I want to share a little bit of my thoughts on why I still think that this is the perfect opportunity to gain so much knowledge while you work the most part alone on this project and ask yourself the following questions.

This is not directed at @cbrown, but I use his points because he covers nearly all the things that need to be done (if you use the proxy).

Am I correct to assume the rules to allow essential connections for IPFire itself would have “Source” as “Firewall” and the red interface?

  1. That's a perfect example from my posting above. Because all is blocked, it doesn't harm if you find out while you fiddle with the settings. More fiddling, more gaining experience, more going in the correct direction.

I’m using DNS over TLS – using servers from the Wiki. So I would need a rule allowing TCP traffic to any IP Addr, destination port 853. Would it be advisable to limit the IP Addrs to a group for the rule?

  2. A search: how does a DNS server work? Is it enough if I ask only my DNS server? Does it maybe do all the magic stuff for me? So can I limit it only to my DNS servers? So can I limit it to a group of the DNS servers I use?

For NTP, it would be necessary to allow UDP traffic to any IP Addr, destination port 123, okay?

  3. Is it really necessary to send NTP to every IP? Maybe there are NTP servers out there, outside any pool, which have had the same IP for a very long time? So maybe you can make a group for it too?

For ICMP, allow traffic for type 8. Is it advisable/risky/recommended to allow others or all types?

  4. As a rule of thumb, less is more. Nearly the same as always. All is blocked, why not start with as little as possible? Is it possible to block ICMP completely? Also for IPF?

For HTTPS fetching updates, allow TCP traffic to any IP Addr, port 443 – or should this be limited to group of mirror IP Addrs?

  5. HTTPS: is it enough if you limit it to the mirrors? Does this also cover the HTTPS traffic from the proxy? Is more needed or not?

For WHOIS traffic, allow TCP traffic to any IP Addr, destination port 43, Okay?

  6. Different top level domains, different whois? So maybe better to send to all IPs?

Maybe you can now better understand why I behave so. I think the learning effect is much higher if you do it my way, and do not get any question answered before you take your first steps alone. And you must not be a firewall guru or an expert :wink:

I wish I had posted this much earlier… (before @pmueller :wink: )

Hey folks,

Sorry to resurrect this thread, but I thought it was the best place to ask my question as it is related. So I have built a test machine to play with IPFire without getting the household members coming after me with torches and pitchforks while I test implementing these recommendations. I started this process with core update 149, and started implementing the firewall configuration changes. I decided to test each service before moving on to the next service. I configured DNS rules and got it up and running. Then got NTP up and running, so things are looking good. Next I tried HTTP and HTTPS service, with all working. In fact, I pointed pakfire to the testing repository and upgraded to core 151 with success. (And did not mind as this is a test machine.) Next I set my sights on getting WHOIS traffic up and running, and this is where I ran into trouble. If I picked the firewall rules as follows:

Source: Firewall (either any or red)
Destination: Standard Network: red
Protocol: TCP, Source port: 43, Destination port: 43

I get an error that says: “Unable to contact whois.arin.net” when I check connections that my PC has made with the outside world. After much experimentation I got the following to work.

Set up a Service called whois that uses TCP, with a source port of 43 and a destination port of 43.

Then make a Service Group called “port 43” using the service called whois. Then set the following firewall rule:

Source: Firewall (either any or red)
Destination: Standard Network: red
Protocol: Preset, Service Groups: port 43

And WHOIS traffic works. I thought I was getting the hang of setting up firewall rules, but there is something I clearly do not understand. Some help would be very much appreciated. It seems to me that both setups are equivalent, so why does one work while the other does not?

Thanks much