Firewall-Options Default behavior?

Let's assume an IPFire is freshly installed. The red, orange, blue and green LANs are connected. The red connection is to an Access-Router from the ISP, so the red LAN has private IPs (192.168.x.y/24).

The Firewall-Options in the UI are set to:

Masquerading
Masquerade GREEN Masquerading disabled
Masquerade ORANGE Masquerading disabled
Masquerade BLUE Masquerading enabled

Firewall options for RED interface
Drop packets from and to hostile networks (listed at Spamhaus DROP, etc.) on

Firewall options for BLUE interface
Drop all packets not addressed to proxy off
Drop all Microsoft ports 135,137,138,139,445,1025 on

Firewall policy
Default behaviour of (forward) firewall in mode “Blocked” DROP
Default behaviour of (outgoing) firewall in mode “Blocked” DROP
Default behaviour of (input) firewall DROP

Default firewall behaviour:
FORWARD BLOCKED
OUTGOING BLOCKED

================

If I want to connect to a host in the orange LAN from the internet, is an additional rule necessary?

If I want to connect to the WLAN (the blue LAN) from the internet, is an additional rule necessary?

If I want to connect to a host in the green LAN via the OpenVPN service from the internet, is an additional rule necessary?

Is this answered somewhere in the documentation or the wiki?

Your first two questions are answered by wiki.ipfire.org - Firewall Default Policy, for example.

General information can be found in wiki.ipfire.org - Introduction.

BTW: the wiki is the documentation of IPFire.

https://wiki.ipfire.org/configuration/firewall/default-policy

Also with your setting of

See the sub sections in that link labelled Forward and Outgoing.

Forward Blocked means that the default setting of green being able to access red or blue or orange is now blocked. So every traffic flow, even just to browse the internet will require a Firewall Rule. It is the most secure but requires a lot of work to define all the rules.

Outgoing blocked means that the traffic of IPFire itself will be blocked and requires rules to allow it. So VPN will require rules, and using the IPFire web proxy will require rules. In the link above this setting is strongly recommended to be Allowed rather than Blocked.

2 Likes

This might help:

This is an amazing resource.

2 Likes

I am curious about the sequence of drop processing here. Does the Drop all Microsoft ports happen before or after the iptables chain entries created by the Firewall Rules page?
I would like to select to Drop all Microsoft ports but I have a couple of blue laptops that need access to a Linux samba server on green. Is it possible to enable the firewall option to block all MS ports and then create a rule to explicitly allow TCP port 445 to green for specific blue MACs?

From my looking at the code recently, I believe the firewall options occur before the firewall rules page.

So you would need to turn off the Drop Microsoft ports option and create your own rules to allow through the two laptops and then block everything else.

1 Like
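As an added illustration (not from this thread and not IPFire's own code) of the two points made above, the first-match ordering the last reply describes and the "Forward Blocked" default policy from the earlier reply, here is a small Python model of a filter chain. The rule fields, chain layouts, MAC addresses and sample flows are constructed for the example; IPFire's real iptables chain names are not reproduced, and the "option" is simply modelled as a rule that sits either before or after the user's own rules.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports named by the "Drop all Microsoft ports" option in the thread.
MS_PORTS = {135, 137, 138, 139, 445, 1025}
# Constructed sample MAC addresses standing in for the two blue laptops.
LAPTOP_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    src_mac: str = ""


@dataclass
class Rule:
    name: str
    action: str                         # "ACCEPT" or "DROP"
    src_zone: Optional[str] = None      # None means "match any"
    dst_zone: Optional[str] = None
    proto: Optional[str] = None
    dports: Optional[set] = None
    src_macs: Optional[set] = None

    def matches(self, p: Packet) -> bool:
        """Every field that is set must match; unset fields match anything."""
        return (
            (self.src_zone is None or self.src_zone == p.src_zone)
            and (self.dst_zone is None or self.dst_zone == p.dst_zone)
            and (self.proto is None or self.proto == p.proto)
            and (self.dports is None or p.dport in self.dports)
            and (self.src_macs is None or p.src_mac in self.src_macs)
        )


def evaluate(chain: List[Rule], p: Packet, policy: str = "DROP") -> Tuple[str, str]:
    """First-match semantics, as in an iptables chain: walk top to bottom and
    let the first matching rule decide; if nothing matches, the default
    policy applies (DROP here, i.e. FORWARD set to Blocked)."""
    for rule in chain:
        if rule.matches(p):
            return rule.action, rule.name
    return policy, "default-policy"


# The blanket option expressed as a rule: drop the listed ports coming from
# BLUE, whatever the protocol or destination.
DROP_MS_FROM_BLUE = Rule("drop-ms-ports-blue", "DROP", src_zone="blue", dports=MS_PORTS)
# The pinhole the poster wants: SMB (TCP 445) from the two laptops to GREEN only.
ALLOW_LAPTOP_SMB = Rule("allow-laptop-smb", "ACCEPT", src_zone="blue", dst_zone="green",
                        proto="tcp", dports={445}, src_macs=LAPTOP_MACS)


def option_before_rules(p: Packet) -> Tuple[str, str]:
    """Layout described in the reply: the option's drop is consulted before
    the rules from the Firewall Rules page, so port 445 never reaches the
    allow rule, no matter which MAC sent it."""
    return evaluate([DROP_MS_FROM_BLUE, ALLOW_LAPTOP_SMB], p)


def option_off_own_rules(p: Packet) -> Tuple[str, str]:
    """Suggested alternative: option off, allow the laptops first, then drop
    the Microsoft ports for everyone else on BLUE. Anything unmatched still
    falls to the DROP policy, which is why even plain browsing from a zone
    needs its own allow rule under FORWARD Blocked."""
    return evaluate([ALLOW_LAPTOP_SMB, DROP_MS_FROM_BLUE], p, policy="DROP")


# Constructed sample flows.
LAPTOP_SMB = Packet("blue", "green", "tcp", 445, "aa:bb:cc:00:00:01")
GUEST_SMB = Packet("blue", "green", "tcp", 445, "de:ad:be:ef:00:99")
LAPTOP_HTTPS = Packet("blue", "red", "tcp", 443, "aa:bb:cc:00:00:01")

if __name__ == "__main__":
    for label, pkt in [("laptop SMB", LAPTOP_SMB), ("guest SMB", GUEST_SMB),
                       ("laptop HTTPS", LAPTOP_HTTPS)]:
        print(f"{label:12} option-first: {option_before_rules(pkt)}  "
              f"own-rules: {option_off_own_rules(pkt)}")
```

Running it shows the laptop's SMB flow dropped by the option-first layout and accepted by the own-rules layout, the unknown guest still dropped by the port rule in both, and the laptop's HTTPS flow to red dropped by the default policy in both, since no rule allows it. The model is only a way to reason about ordering; the real chain layout should be checked on the box itself (for example with `iptables -L -v -n`) rather than assumed.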

When Masquerade is disabled, and the IPs of all are set correctly to the same subnet, you will not need to set a pinhole.
The idea is the same as when you configure a router to work as an Access Point … WAN side.
RB