I have read through the online documentation for the Firewall Rules, several times, and my brain just doesn’t seem to be able to comprehend what rules it needs to add to give the most security and minimal attack surface.
My IPFire box has recently gained an orange interface (192.168.20.1) which has one machine connected to it with IP address 192.168.20.20.
The machines on the green network (192.168.10.xxx) need to be able to access ports 22 (SSH) and 443 (HTTPS) of 192.168.20.20. Port 443 needs to be accessible from the internet via the red interface.
Set the Source entry to Any or RED. Any will allow any network (Internet, Green, Blue and Orange) to get access. RED will only allow access from the Internet via the Red interface.
Select NAT and use Destination NAT (default selected).
Then for Destination enter your Orange machine's IP (192.168.20.20) into the Destination Address section.
Then for the protocol, select preset and then in the Services drop down box select HTTPS. Then enter a remark, enable the logging checkbox as that can help with debugging. Then press the Add button. Then you should press the green Apply Changes button at the top of the main Firewall Rules page.
You will now have a Port Forward rule that will pass 443 (HTTPS) traffic from the Internet to your machine on the Orange Network.
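The difference between Source=Any and Source=RED, checked against the access the question asks for, as an added example that is not part of the original thread. It is a simplified default-deny model, not IPFire's rule engine; the BLUE range, the probe addresses and the GREEN rule entries are assumptions.

```python
import ipaddress

# GREEN and ORANGE ranges come from the post; the BLUE range is a constructed
# placeholder. Any address outside these ranges is treated as RED (Internet).
ZONES = {
    "GREEN": ipaddress.ip_network("192.168.10.0/24"),
    "ORANGE": ipaddress.ip_network("192.168.20.0/24"),
    "BLUE": ipaddress.ip_network("192.168.30.0/24"),  # assumption, not from the post
}
DMZ_HOST = "192.168.20.20"

# Access the question asks for: (source zone, TCP port on the ORANGE host).
REQUIRED = {("GREEN", 22), ("GREEN", 443), ("RED", 443)}

# Constructed probe sources, one per zone that has to cross the firewall.
PROBES = {"GREEN": "192.168.10.50", "BLUE": "192.168.30.50", "RED": "203.0.113.7"}
PORTS = (22, 80, 443)


def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "RED")


def allowed(rules, src, dst, port):
    """Accept if any rule matches; unmatched traffic is dropped (assumed default-deny)."""
    zone = zone_of(src)
    return any(r_src in ("ANY", zone) and r_dst == dst and r_port == port
               for r_src, r_dst, r_port in rules)


def audit(rules):
    """Return (missing, excess) access relative to REQUIRED."""
    reachable = {(zone, port) for zone, src in PROBES.items() for port in PORTS
                 if allowed(rules, src, DMZ_HOST, port)}
    return REQUIRED - reachable, reachable - REQUIRED


# Each rule: (source zone or "ANY", destination address, TCP port).
GREEN_RULES = [("GREEN", DMZ_HOST, 22), ("GREEN", DMZ_HOST, 443)]
WITH_RED = GREEN_RULES + [("RED", DMZ_HOST, 443)]
WITH_ANY = GREEN_RULES + [("ANY", DMZ_HOST, 443)]

if __name__ == "__main__":
    for label, rules in (("Source=RED", WITH_RED), ("Source=Any", WITH_ANY)):
        missing, excess = audit(rules)
        print(f"{label}: missing={sorted(missing)} excess={sorted(excess)}")
```

In this model the Source=RED rule set matches the requested access exactly, while Source=Any additionally opens port 443 to the BLUE zone.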