Firewall-Options Default behavior?

Let's assume an IPFire is freshly installed. The red, orange, blue and green LANs are connected. The red connection is to an access router from the ISP, so the red LAN has private IPs (192.168.x.y/24).

The Firewall-Options in the UI are set to:

Masquerading
Masquerade GREEN: Masquerading disabled
Masquerade ORANGE: Masquerading disabled
Masquerade BLUE: Masquerading enabled

Firewall options for RED interface
Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.): on

Firewall options for BLUE interface
Drop all packets not addressed to proxy: off
Drop all Microsoft ports 135,137,138,139,445,1025: on

Firewall policy
Default behaviour of (forward) firewall in mode “Blocked”: DROP
Default behaviour of (outgoing) firewall in mode “Blocked”: DROP
Default behaviour of (input) firewall: DROP

Default firewall behaviour:
FORWARD: BLOCKED
OUTGOING: BLOCKED

================

If I want to connect to a host in the orange LAN from the internet, is an additional rule necessary?

If I want to connect to the WLAN (the blue LAN) from the internet, is an additional rule necessary?

If I want to connect to a host in the green LAN via the OpenVPN service from the internet, is an additional rule necessary?

Is this answered somewhere in the documentation or the wiki?

Your first two questions are answered by wiki.ipfire.org - Firewall Default Policy, for example.

General information can be found in wiki.ipfire.org - Introduction.

BTW: the wiki is the documentation of IPFire.

https://wiki.ipfire.org/configuration/firewall/default-policy

Also with your setting of

See the sub sections in that link labelled Forward and Outgoing.

Forward Blocked means that the default setting of green being able to access red or blue or orange is now blocked. So every traffic flow, even just to browse the internet, will require a Firewall Rule. It is the most secure but requires a lot of work to define all the rules.

Outgoing Blocked means that the traffic of IPFire itself will be blocked and requires rules to allow it. So VPN will require rules, and using the IPFire web proxy will require rules. In the link above this setting is strongly recommended to be Allowed rather than Blocked.

2 Likes

This might help:

This is an amazing resource.

2 Likes