Blocking access from certain countries is the job of
You could set up a location group.
I have Flightaware/PiAware.
I am assuming you want to access the ADS-B flights while away from your network?
I have no outside access to green or orange. I access it via IPsec VPN. Much safer!
If you don't want to use VPN, I'd still recommend DMZ. And I also recommend moving it from HTTP to HTTPS (443). And doing the country blocks.
Anything to keep out the evil…
I have OpenVPN on TCP 443, for all my other needs, especially when I travel outside US.
I access my ADS-B tar1090 interface on port 80, it's simpler for me.
No-IP free web address, refreshed automatically.
That's what I am using on ipfire, location block. But if I put my webserver IP on DMZ, I would lose that, won't I? Isn't location block part of the firewall?
I don't know if Location Block would work. You'd need to try and monitor the logs.
I'd use Location Groups. I created a group called badActors_Country and filled it with:
China, N. Korea, Vietnam, etc.
Then add a firewall rule:
Make sure you enable Log Rule so you can monitor it for bad actors.
That should work with DMZ.
I thought that the whole definition of DMZ is that it bypasses the firewall.
I can add any rules in firewall, but the DMZ devices are not affected by them.
I would never put anything in DMZ.
I have changed now the port from 80 to something else, but that's "security by obfuscation", and it never pays…
I thought that the whole definition of DMZ is that it bypasses the firewall.
Not in IPFire… It is not the same as what you would find in a home router.
Firewall Default Policy
You would need port forwards to reach DMZ from the WAN (RED)
I don't know if that's the right nomenclature then. DMZ is never behind the firewall.
DMZ (computing) - Wikipedia
The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is protected behind a firewall.
per your wiki link.
" (sometimes referred to as a perimeter network or screened subnet) is a physical or logical subnetwork"
I think screened subnet applies here.
The 2 router option applies one behind the other.
Your requirements may vary.
The DMZ is only reachable through firewall rules.
The wiki article also mentions "DMZ host", a term used in home routers.
I thought that the whole definition of DMZ is that it bypasses the firewall.
I can add any rules in firewall, but the DMZ devices are not affected by them.
I would never put anything in DMZ.
This is not correct. The firewall and the firewall rules help protect the IPFire DMZ from evil.
I cannot answer for the article referenced or router DMZ. I am sure that is a different type or "flavor" of DMZ.
I have changed now the port from 80 to something else, but that's "security by obfuscation", and it never pays…
This is one of the reasons I encourage you to use VPN.
Read the Architecture section of that wiki site.
It describes a DMZ in a single firewall where the DMZ is connected to a separate network interface and access from and to the DMZ is controlled by the firewall.
This description covers how the ipfire dmz is operated.
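To make the thread's two points concrete (the single-firewall screened subnet where the DMZ is reachable only through rules, and a Location Group block with Log Rule enabled so hits can be monitored), here is an added Python model. It is not IPFire code and not any poster's configuration: the RED/ORANGE/GREEN addressing, the prefix-to-country table (IPFire really uses its libloc database) and the default forwarding policy are all constructed assumptions; the group name badActors_Country and the tar1090 port-80 forward come from the posts above.

```python
"""Toy model of an IPFire-style screened subnet with a Location Group block.

Added example, not IPFire's own code.  Everything below the comments marked
'constructed' is made up for the demonstration.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample location data: prefix -> ISO country code.  The prefixes
# are RFC 5737 documentation ranges, labelled arbitrarily for this demo.
LOCATION_DB = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("198.51.100.0/24"): "KP",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}

# Location Group as named in the thread (hypothetical membership list).
LOCATION_GROUPS = {"badActors_Country": {"CN", "KP", "VN"}}

# Constructed zone addressing: ORANGE is the DMZ, GREEN the LAN; anything
# else is treated as arriving on RED (the WAN interface).
ZONES = {
    ipaddress.ip_network("10.0.0.0/24"): "ORANGE",
    ipaddress.ip_network("192.168.1.0/24"): "GREEN",
}


def country_of(ip: str) -> Optional[str]:
    """Longest-match is unnecessary here: the sample prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in LOCATION_DB.items() if addr in net), None)


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    return next((z for net, z in ZONES.items() if addr in net), "RED")


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str                              # "ACCEPT" or "DROP"
    dst_port: Optional[int] = None           # None matches any port
    src_location_group: Optional[str] = None # None matches any source country
    log: bool = False                        # the GUI's "Log Rule" checkbox


# Rules are evaluated top-down, first match wins: the country block sits above
# the port forward so a blocked country never reaches the forward.
RULES = [
    Rule("block-bad-countries", "RED", "ORANGE", "DROP",
         src_location_group="badActors_Country", log=True),
    Rule("forward-tar1090", "RED", "ORANGE", "ACCEPT", dst_port=80),
]

LOG = []  # log lines produced by rules with log=True (constructed format)


def default_policy(src_zone: str, dst_zone: str) -> str:
    """Modelled default forwarding policy (assumption, not IPFire's exact table):
    GREEN may go anywhere, ORANGE may only reach RED, RED may initiate nothing."""
    if src_zone == "GREEN":
        return "ACCEPT"
    if src_zone == "ORANGE" and dst_zone == "RED":
        return "ACCEPT"
    return "DROP"


def evaluate(src_ip: str, dst_ip: str, dst_port: int):
    """Return (action, matched rule name) for one connection attempt."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    cc = country_of(src_ip)
    for r in RULES:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        if r.src_location_group and cc not in LOCATION_GROUPS[r.src_location_group]:
            continue
        if r.log:
            LOG.append(f"{r.name} {r.action} SRC={src_ip} CC={cc} "
                       f"DST={dst_ip} DPT={dst_port}")
        return r.action, r.name
    return default_policy(src_zone, dst_zone), "default-policy"


def hits_by_country() -> Counter:
    """Summarise the logged block hits per country, i.e. 'monitor the logs'."""
    return Counter(line.split("CC=")[1].split()[0] for line in LOG)


if __name__ == "__main__":
    for pkt in [("203.0.113.7", "10.0.0.5", 80),   # blocked country -> DMZ
                ("192.0.2.9", "10.0.0.5", 80),     # allowed country -> tar1090
                ("192.0.2.9", "10.0.0.5", 22),     # no forward for port 22
                ("10.0.0.5", "192.168.1.10", 445)]:  # DMZ may not reach GREEN
        print(pkt, "->", evaluate(*pkt))
    print("block hits:", dict(hits_by_country()))
```

The ordering matters in the same way it does in the IPFire rule table: the logged country block has to sit above the port forward, and only the forward opens the DMZ host to RED at all; a DMZ host trying to reach GREEN falls through to the default policy and is dropped, which is the "screened subnet" behaviour the wiki architecture section describes.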
Wiki links are not a reliable source for anything scientific.
But the IPFire wiki is the IPFire documentation. For basic definitions you can consult wikipedia articles or "scientific" books about networking.
BTW: many networking terms are not scientific, but technical (and sometimes implementation dependent).
People shouldn't have to consult wikipedia for anything. DMZ is just a set of firewall rules that could be applied to a machine or network. IPfire has a network DMZ, but just like any other network, the behaviour can be altered by firewall rules.
For example, I have my orange network set up as a device network by altering firewall rules to deny access to red from orange.
Surely, you can alter much rules/behaviour/policies.
But with this you just use the official IPFire names for your network interfaces, not the common usage defined in IPFire design.
BTW: wikipedia is nowadays the electronic replacement of an encyclopedia. It is not the famous "Encyclopedia Britannica", but this isn't/wasn't used for everyday use.
I like the concept of the "network of colors" and applying them as different networking zones. It was the reason long ago why I liked IPCop and why I like IPFire now.
Looking at how other people accomplish this without setting up a multi-zone network, it seems most rely on vlans, but there are drawbacks to this. One of them is firewalls lacking the ability to implement rules directly on them.