How to permit loopback from green to red?

Hello,
Is there a way to permit a loopback connection in the firewall from green to red to green?
I want to geo-block a port but permit any connection from inside if it uses the external IP address (a laptop connected by wire to the LAN, for example). Before resorting to firewall.local, I would like to know whether there is a way through the GUI; so far I have not succeeded.

Hello Dominic,

Sorry, I do not understand what you want. Can you explain your problem a little bit more?

What I understand:

  1. you will geo-block a port - OK, nothing special
  2. permit internal connections if the connection uses the external IP - what does this mean?

If you connect your laptop to the green interface (internal) of IPFire, the system will use your external (red) address to connect to external systems. So I do not understand what should block your connection.

Best

Silvio

For example, red is 194.94.94.94, the laptop is at 192.168.0.30 and the server is at 192.168.0.10. Port 80 is geo-blocked so that only the USA can access it. I want to access port 80: from laptop to server, no problem, but from laptop to red it does not work if that port is geo-blocked, since it comes from green and is not recognized as any country in the geo list.
What rule can I add to permit green through red to that port on the server?

So you want to access ports on your external interface from your internal network?
The server is in your internal network, and what you need is a port forwarding. You have to forward all allowed traffic from your red interface port 80 to your internal server port 80.

BUT, I think this is not good security planning.
I would prefer to install an additional network card and create a DMZ. You can configure this card as orange and use the server from green and red, but you do not open up your secured (green) network.

Best

Silvio


Sorry, no, it has to be the same external IP; otherwise every laptop and phone would need two shortcuts. From the same connection IP, I want to be able to access the server from outside or inside, while being protected by geo-block against foreign countries.
So my understanding is that the GUI does not permit it, so I will have to write iptables commands within firewall.local.

It always has the same external IP. You have only red, and only this is your external IP.
You will have:
red - external IP
green - internal network with IP range
orange - second internal network IP range

Silvio


As you can see in the Wiki, the DMZ system addresses are also translated via NAT.
Why do you think you have another external address?

Silvio

Have you read the wiki pages?
The port-forwarding wiki describes how to set up the rules via the GUI…

Silvio


I am sorry, you are not following me; maybe you are not taking enough time to read and understand because you have so much to do…
I will create iptables rules within firewall.local; that way it will do what I need.
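As an added example (not code from this thread or from IPFire): a small POSIX shell script that prints the "NAT loopback" (hairpin) rule set Dominic intends to put in firewall.local, using the thread's addresses (red 194.94.94.94, server 192.168.0.10) and assuming green is 192.168.0.0/24 on interface green0. The plain netfilter chains shown are an assumption; on IPFire, substitute the CUSTOM* chains that the firewall.local template provides.

```shell
#!/bin/sh
# Added example, not from the thread or IPFire. Prints the iptables rules for
# reaching an internal server via the external (red) IP from the green network.
# Review the output, then run it on the firewall (e.g. from firewall.local).

hairpin_rules() {
    red_ip=$1; server_ip=$2; port=$3; green_net=$4; green_if=${5:-green0}

    # 1. Green client -> red IP: rewrite the destination to the internal server.
    #    Restricted to the green source range, so only internal hosts get this
    #    path; packets arriving on red still hit the GeoIP-filtered forward.
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$green_if" "$green_net" "$red_ip" "$port" "$server_ip" "$port"

    # 2. Masquerade the client behind the firewall so the server's reply comes
    #    back through IPFire. Without this the server answers from 192.168.0.10
    #    directly and the client drops it, because it expected 194.94.94.94.
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -p tcp --dport %s -j MASQUERADE\n' \
        "$green_net" "$server_ip" "$port"

    # 3. Permit the forwarded packet (green in, green out via the firewall).
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport %s -j ACCEPT\n' \
        "$green_if" "$green_if" "$server_ip" "$port"
}

# Number of rules produced; handy for a quick sanity check.
hairpin_rule_count() { hairpin_rules "$@" | wc -l | tr -d ' '; }

# Constructed values from the thread; green mask and interface are assumed.
hairpin_rules 194.94.94.94 192.168.0.10 80 192.168.0.0/24 green0
```

The GeoIP rule on red is untouched by this: only sources inside 192.168.0.0/24 can take the hairpin path, so internal clients keep one shortcut while foreign sources on red remain blocked.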

Hi Dominic,

Sorry that I do not understand your idea or thinking, but I have taken the time to think about what you wrote.
My understanding was that your goal is to use only one shortcut on every device you have. For this you would use your external IP as the target IP, and this should work whether you are inside your network or outside.

What i do not understand is why you think this is not possible with a DMZ.

Best

Silvio

And the DMZ can be filtered by country also?

Hi,

What i do not understand is why you think this is not possible with a DMZ.

having skimmed through this thread, this remains unclear to me as well. :)

And the DMZ can be filtered by country also?

Basically, yes. If I understood your issue correctly, you could create firewall rules permitting
traffic from internal networks to your DMZ, while restricting the same firewall rule for RED to
certain source countries.

Or did I misunderstand you here?

Thanks, and best regards,
Peter Müller

I think you should think about it another way:
Use a DNS name, probably a DynDNS name.
And you need an internal DNS entry. If you don't have your own DNS server, you can use a host entry on IPFire.

Example:

DNS Name: sgjhhsdfjhgfajkhf.myfritz.de
red - internet: 18.200.10.20
green - internal: 192.168.1.10

Your notebook gets the right DNS name resolution every time, internally and externally.

This is called "split DNS".

This is actually a good suggestion! I often do this trick for mail servers, so that traffic does not go through the router for nothing.
In this case it would not work: the DNS server does the internal and external resolution for both domains, unless there is a way to have a table dependent on the origin of the query.

I'm trying to understand how the DMZ would help. If the orange zone has a different IP, how would the computer from the green zone, trying to access the red zone (because of the IP), suddenly be redirected to the orange zone?

Take a look at the IPFire hosts file; you can edit it in the web interface.
Entries there will be deployed to the clients.

The DNS server is the Windows server, not IPFire, because it is a Microsoft Windows domain.

I have the same and I have services I can access from the internet with the internet IP address and from internal with internal IP address.

Two ways:

  • Configure an AD DNS zone for the internet zone with the same DNS entries as the internet DNS zone, but with internal IP addresses for the internal services.

  • You can use IPFire as DNS forwarder for the AD DNS server and use the IPFire host entries to return the internal IP address for specific DNS entries.
