How to create a firewall rule for a web server in the GREEN zone? - debug mode


My hardware (ODROID-H2) only has 2 LAN NICs (RED and GREEN zones).

Is it possible to run a web server in the GREEN zone? (Ports 80 and 443 should be accessible via the firewall and (NAT?) forwarded to the web server.)

The web server is working and tested.

I tried to create a firewall rule.

This might be a helpful one-liner for debugging problems and firewall rules:

  1. enable SSH

  2. log in

# follow every uncompressed log file under /var/log at once (new lines only)
find /var/log/ -type f ! -name '*.gz' -exec tail -n0 -f {} +

It showed me:

==> /var/log/messages <==
Jun 11 13:00:14 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:1e:06:45:… SRC= DST= LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=13153 DF PROTO=TCP SPT=58756 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0

EDIT: Please attach images within the post instead of using an outside website.

Looks like it should work.
Try Source "red" or "any" instead of "firewall" in the network section.
Not sure "firewall" is the same as "red".


Please refer to this wiki page for instructions on how to create a port forward.

Thanks, and best regards,
Peter Müller


Before coming to the answer, I need to make a few premises.

A destination NAT or port forward makes sense only when you have incoming traffic from the public internet IP space directed to a machine sitting inside a local network, meaning a machine with an IP located in one of the private ranges allocated for this purpose (e.g. …). In this case, it is necessary to have a gateway of sorts (like IPFire) in front of the final destination, intercepting that traffic and redirecting it to the local IP where the packets are supposed to go (based on the port number).

This premise has one major implication. You do not need any DNAT rule if you want to make a web server in the green zone accessible to any other machine in the same network. That’s because there is no need to forward the traffic, as anyone inside the network knows where the traffic should go, including any switch you are using.

One more premise. In the IPFire firewall web user interface, the term “firewall” as source or destination refers to the IPFire machine itself, or more specifically to a process running on IPFire. For example, if you want to allow the unbound DNS server to be accessible, you create an allow rule where you put “firewall” as the destination.

Finally, I can come to the point of your question. As a source, you do not specify “firewall” because you are not opening a DNAT for a process running on IPFire, but for some machine coming from the Internet; hence the source should be the red interface. In the NAT section you specify “automatic” as the firewall interface. The rest seems to be all right.

One comment. Are you aware that what you want to do is a very bad idea, as it will almost entirely invalidate the usefulness of a firewall in the first place?

When your web server is hacked using one of the billions of exploits available, the attackers will have highway access to any other machine in your green network. That’s why the orange zone is available. You should put any machine you intend to have hacked some day in the future (also called a web server, for brevity) in there. In other words, you do not use a computer like the ODROID with only two Ethernet ports as a firewall if you intend to have behind it a machine that will be hacked in the future. You use 3 Ethernet ports instead, or you use a layer 3 switch and make use of the VLAN functionality available in IPFire.


To allow internet clients to connect to your internal web server, change the Source to ‘Standard networks → Any’ (you have ‘Firewall’ in your screenshot).
Once it works, you can tighten down the allowed internet clients by using Firewall Groups (location, hosts, networks) instead of Any.

Then in your port forward rule:
Under Protocol, do not specify a source port (you have 80 in your screenshot). That will not work.
Source ports are usually random high ports chosen by the client (never 80).
Only the Destination Port 80 needs to be set, which will forward port 80 from external to internal.
If you want to forward a different external port, e.g. external 8080 to internal 80, set it in the External Port (NAT).
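As an added example (not code from the thread or from IPFire), the following Python script parses kernel netfilter log lines in the DROP_INPUT format shown earlier in the thread and evaluates a simplified model of a port-forward rule against them. It shows concretely why the rule from the screenshot (source "Firewall", source port 80) matches nothing, why a fixed source port still matches nothing even with source "Any", and what the corrected rule and the "External Port (NAT)" 8080-to-80 variant do. The sample log lines are constructed (documentation-range addresses, placeholder MAC), the green-zone target 192.168.1.10 is a placeholder, and the PortForward class is a teaching model of the rule fields, not IPFire's implementation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the format of the DROP_INPUT entry quoted in the
# thread. SRC/DST/MAC values are placeholders (documentation ranges), not real.
SAMPLE_LOG = """\
Jun 11 13:00:14 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:1e:06:45:aa:bb SRC=203.0.113.10 DST=198.51.100.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=13153 DF PROTO=TCP SPT=58756 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 11 13:00:20 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:1e:06:45:aa:bb SRC=203.0.113.11 DST=198.51.100.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=13154 DF PROTO=TCP SPT=41022 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 11 13:00:25 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:1e:06:45:aa:bb SRC=203.0.113.12 DST=198.51.100.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=13155 DF PROTO=TCP SPT=53120 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 11 13:00:31 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:1e:06:45:aa:bb SRC=203.0.113.13 DST=198.51.100.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=13156 DF PROTO=TCP SPT=50000 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
"""

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")
PREFIX_RE = re.compile(r"kernel: (\S+) ")
INT_FIELDS = ("SPT", "DPT", "LEN", "TTL", "ID")


def parse_netfilter_line(line: str) -> dict:
    """Split one kernel netfilter log line into its KEY=VALUE fields.

    Bare flags (DF, SYN) carry no '=' and are skipped; the chain prefix
    (e.g. DROP_INPUT) is stored under "PREFIX"; numeric fields become ints.
    """
    fields = dict(KV_RE.findall(line))
    m = PREFIX_RE.search(line)
    fields["PREFIX"] = m.group(1) if m else ""
    for key in INT_FIELDS:
        if fields.get(key, "").isdigit():
            fields[key] = int(fields[key])
    return fields


@dataclass
class PortForward:
    """Simplified model of the fields in an IPFire port-forward rule.

    This is an illustration of the matching logic, not IPFire's own code.
    """
    source: str                        # "any", "red" or "firewall"
    protocol: str                      # "tcp" / "udp"
    dest_port: int                     # external port the client connects to
    source_port: Optional[int] = None  # should normally stay empty
    target_ip: str = "192.168.1.10"    # assumed green-zone web server (placeholder)
    target_port: Optional[int] = None  # "External Port (NAT)" case; None = same as dest_port

    def matches(self, pkt: dict) -> bool:
        # "firewall" as source means a process on IPFire itself, so a SYN
        # arriving on red0 from an internet client can never match it.
        if self.source == "firewall":
            return False
        if self.source == "red" and pkt.get("IN") != "red0":
            return False
        if str(pkt.get("PROTO", "")).lower() != self.protocol.lower():
            return False
        if pkt.get("DPT") != self.dest_port:
            return False
        # A fixed source port almost never matches: clients pick a random
        # high port (SPT=58756 in the thread's own log line).
        if self.source_port is not None and pkt.get("SPT") != self.source_port:
            return False
        return True

    def target(self) -> str:
        port = self.target_port if self.target_port is not None else self.dest_port
        return f"{self.target_ip}:{port}"


def forward_targets(rule: PortForward, log_text: str) -> List[Optional[str]]:
    """For each log line, return the DNAT target "ip:port" the rule would
    produce, or None when the packet would still be dropped."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        pkt = parse_netfilter_line(line)
        results.append(rule.target() if rule.matches(pkt) else None)
    return results


# The rule as described in the screenshot: source "Firewall", source port 80.
RULE_SCREENSHOT = PortForward("firewall", "tcp", 80, source_port=80)
# Source changed to "Any" but the stray source port 80 still present.
RULE_ANY_WITH_SPT = PortForward("any", "tcp", 80, source_port=80)
# The corrected rule: source Any, destination port 80, no source port.
RULE_FIXED = PortForward("any", "tcp", 80)
# External 8080 forwarded to internal 80 via "External Port (NAT)".
RULE_8080_TO_80 = PortForward("any", "tcp", 8080, target_port=80)

if __name__ == "__main__":
    for name, rule in [("screenshot", RULE_SCREENSHOT), ("any+spt", RULE_ANY_WITH_SPT),
                       ("fixed", RULE_FIXED), ("8080->80", RULE_8080_TO_80)]:
        print(f"{name:10s} {forward_targets(rule, SAMPLE_LOG)}")
```

Only the corrected rule maps the first sample line (DPT=80) to the web server; the 443 and 22 lines stay dropped under every rule, which is the intended behaviour of a port forward that opens exactly one port. The same parser can be pointed at real lines from /var/log/messages to check which dropped connections a candidate rule would have accepted before the rule is saved in the web interface.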


That did the trick, thanks Paul :grinning:
