Firewall up&run but hardened?

Version 171. Works smoothly. But is the Firewall hardened or complacent? Internet accessed via 4G LTE FritzBox then IPFIRE RED then BLUE Wireless to Home Computers. Use of GREEN from Desk. Policy is Blocked/Dropped. DNS is UDP. Note checked boxes HTTP and HTTPS. Is Squid maximized?

Firewall rules 10 and 11?
This looks like you may have opened your WUI to the red network.
Perhaps sources network green to 444

You can reed about network groups.
You could consolidate rule 5,6,7,8
Into a network group and have 1 firewall rule.

The Proxy is not my area of expertise.
If I have one in networking?

But block all not addressed to proxy sounds
Like hardening to me.

Incoming firewall access.
Don’t think you should need this.
If you do than limit it to the firewall itself.
This looks like you have a open port from the internet no port 80, and 443

1 Like

I would suggest changing your DNS communication to use TLS protocol as this means any queries are encrypted.

1 Like

IPFire TLS works well but it does not connect VPN/Wireguard. In the future, I may drop VPN/Wireguard and rely on TLS/DNSSEC.

The problem with the Firewall is an error updating the Block List. What might cause that?*

This error message indicates that the attempt to download from the URL for those specific blocklists had some form of download error. It indicates that a connection was made to the URL but that during the download some issue happened.

I just tried one of the URL’s and I was able to successfully access the blocklist.

If you try this out in a browser only try it once and then not again for at least 5 minutes otherwise you will get your IP blocked by that blocklist provider as there rate limit is set to no more than every 5 minutes.

When I tried that url I got the following page.

The fcron updater runs every 15 minutes. If you look in the System Logs page and select the IP Address Blocklists entry from the dropdown box are you still seeing the error messages if you get a similar page shown as in the above screenshot.

If you don’t see the list of IP’s what message is being shown in the browser?

The computer connected to the https feodotracker immediately. The System log as before shows errors, and 800 hits.

If you are able to access the url via a browser then I don’t understand why it is not working with the IPFire code.

Those FEODO lists were all successfully downloaded for me when I tested them yesterday.

Just to check can you confirm that the urls for the three FEODO lists are as follows

FEODO Recommended - ‘url’ => ‘’,
FEODO IP - ‘url’ => ‘’,
FEODO Aggressive - ‘url’ => ‘’,

These can be checked in the file /var/ipfire/ipblocklist/sources

putting those three URLs into the browser connects. The next check is to remove the TLS configuration on the Fritz box. Additional the Firewall log is blank, The IPS Log is blank, URL Blacklist does update, And System Log DNS Unbound reports more than 50 failures:
info: validation failure < A IN>: No DNSKEY record for ke y while building chain of trust
00:27:12 unbound: [3840:0] info: validation failure < A IN>: No DNSKEY record for ke y while building chain of trust
00:42:10 unbound: [3840:0] info: validation failure < A IN>: No DNSKEY record for ke y while building chain of trust

openDNS was a DNS Server. After removing it, the pages connect from the IP Address Blocklists area of IPfire which they did not do aprior - though they connected from the browser.


See this wiki link that mentions issues with opendns

They are on the Not Recommended list in the wiki.

1 Like

Actually I had read that but gave Iffier and OpenDNS a chance with v171! However, once again the Feodo are blocked. Turned Intrusion Protection off and Feodo connected (through IPFire). Turned the IP on and still Feodo connected. Conclusion: a fault in IPFire. As of now Feodo connects but the conclusion is Feodo will not connect tomorrow.

Turned Intrusion Protection off and Feodo connected

Did you check IPS logs and settings?

The log is empty and the settings normal. Turned off Strict DNSSEC and Feodo from IPFore connected. Will check again tomorrow. DNS Servers are

The next day. That did not work either. However the failure rate was 33 tries previously it was 90. Next try will remove all DNS server and let IPFire contact the ISP directly. That defeats the entire purpose. The image:

That change did not work. Why is the machines IP Out Of Subnet?

Do you mean IPFire’s blue IP?
It is element of the blue network! And not an element of the dynamic range for blue of the DHCP server, what is good!

Your BLUE network (

network address
broadcast address
IPFire address
DHCP dynamic pool    { ...}
IPs for fixed leases {, ...}

Hmm. OK.
Still looking for the reason/repair of the Feodo failure. .

What is the importance or non of Not Validating?

‘not validating’ just means, that the DNS server doesn’t use DNSSEC.
See - List of Public DNS Servers ( bottom of page ) and - DNSSEC.
Also recommended Michaels blog article ( from 2020! ).


The rDNS failure requires which Firewall Rule?