Hello IPFire community,
I’m enjoying this firewall and I’m learning how to improve the strength of it.
I have some troubles by configuring the right rules to achieve a positive analysis in “ShieldUP!”, but every time is a failed test (port closed instead of “stealth” and some of these result open)
The rules I’m thinking to use are:
TCP 80,443 GREEN to FIREWALL (a sort of anti lock out from IPFire web interface)
ICMP Type 3,8 GREEN to ALL
ICMP 0,3,11 ALL to GREEN
ICMP BLOCK ALL
UDP 53 GREEN to FIREWALL
REJECT DNS requests from other sources
TCP 21,80,443 GREEN to ALL
TCP 465,993,995 GREEN to RED
TCP\UDP 49152-65535 GREEN to ALL
BLOCK ALL
Someone can help me by “hardening” my firewall? What I’m doing wrong?
Many thanks
In “Firewall Options”, are “Firewall policy” set to “DROP”? That’s “stealth”, in Gibson terminology. If set to “REJECT” it will generate blue boxes in the test.
Blocking ping has little effect. You will be port scanned anyway, and if you have any port open, you will be detected. No matter; it’s just a part of internet life.
Neither OpenVPN nor IPSec, to my knowledge, need ICMP to work. There are sometimes ping options to keep connections open, but that’s traffic to internal IPs, not the external IPs of VPN endpoints.
When I set a firewall rule to block all pings, the IPFire OpenVPN server continually reset the connection ever 60 seconds (may have been 30 seconds). I had to delete the rule.
That’s not any sort of OpenVPN limitation I know of. I am right now connected to an OpenVPN server (granted this is not IPFire) where the endpoint does not allow ping (the UDP port is forwarded to an internal OpenVPN server), and that connection has been open for more than two hours without issue.
However, there are options to ping-restart the connection in the way you describe, but these should be used only for internal IPs.
Hi Marco, I remember in te old forum I asked for blocking the ICMP, and I still remember that @ms told me how, but sadly I can’t get to that old forum and I can’t find a hint for that nider on my pc.
If it’s a way to get to the old forum from ipfire i am shure you could find it.
Don’t believe that you are invisible if you block ICMP. If you block it the attacker get no answer which indicate that you exist, because with a not existing IP the router before your ip will answer with an error message. So even if you drop ICMP you will detected.
Blocking ICMP create other problems such long timeouts or breaking connections. ICMP is also used to
determine the optimal packet size so blocking it is dumb.
Now you let me thinking, I remember I did something like on the link I shared, I think was some pro and cons to do it, as I know you’re (@arne_f ) also one of the dev of ipfire.
What would someone like @marcvs do/learn from this kind of website?
I did that in my beginning of ipfire to because the router that my ipfire replace was doing it to.
Now a day, that setting is somewhere in my backup I am guessing as I did that once, and in all the updates and problems that I had, I never needed to did it again…
It will only be in your backup if you added /etc/sysctl.conf
to your /var/ipfire/backup/include.user file.
Whether it stays there or not during any Core Updates will depend on the changes made in the Core Update. As sysctl is related to setting kernel parameters during run time it could be possible that kernel changes might result in the file being set back to standard as part of the update.
Exactly, that’s why I am thinking , because that means, why if I didn’t change or adjust it, ipfire is still stealth when i do the same test and @marcvs don’t?
I am not a someone that likes/love to do things in the kernel lvl and if I do it, i mostly forget to do it after a update.
When i did that was long before we have community.ipfire.org, it was in time of forum.ipfire.org ( the old forum) so its before 2018 wich for sure now is my kernel default again…
iptables -A CUSTOMINPUT -i red0 -p icmp --icmp-type echo-request -j DROP
to the start and
iptables -D CUSTOMINPUT -i red0 -p icmp --icmp-type echo-request -j DROP
to the stop section in /etc/sysconfig/firewall.local
(replace red0 by ppp0 if you not use a ppp dialup connection)
and set “Default behaviour of (input) firewall” to drop in firewall options then this tests will passed.