Now I am also running Samba, CUPS and the NTP server on the FW, and all of it is accessible just like that.
Did I get this wrong?
Or is the FW misbehaving?
Hi, with source green and destination green, your network is blocked. By default all incoming connections are blocked. If you allow a network client to use automatic DHCP, all clients receive the DNS specified in the DHCP configuration.
I have the same problem! I need to allow Incoming Firewall Access. Default policy is really set to blocked and I can’t find any settings in IPFire web interface to change it
You don’t want to change it on a global basis as that will allow any bad actor on the internet to try and access every system on your internal network.
If you have a web server that you want to allow access for users on the internet then you need to write a Port Forward Firewall Rule that allows users using a specific protocol to get access to a specific machine on your internal network. https://www.ipfire.org/docs/configuration/firewall/rules/port-forwarding
If you are unfamiliar with firewalls and how to allow users to access things while protecting the things you don’t want to have accessed from the internet then I would suggest a read through the contents of this link. https://www.ipfire.org/docs/configuration/firewall
Start with the introduction that is linked on that page and then you can look through the various other items listed.
If you are trying to create a port forward rule to access a machine on the orange zone then you have placed it in the wrong place.
The port forward rule should be in the section titled Firewall Rules
The Incoming Firewall Access is for when you want to access services that are running on the IPFire firewall itself. Usually you won’t want that changed from the Blocked situation. An example of adding a rule here would be if you were running the apcupsd software on IPFire to control a UPS (Uninterruptible Power Supply) and you wanted to run a slave apcupsd process on orange; then you would write a rule here to allow access from a specific machine in orange to the green NIS server protocol on the firewall itself.
The Outgoing Firewall Access is for controlling the packets from the IPFire firewall itself to the internet or to any of the zones that you have set up.
The majority of firewall rules will need to be created in the Firewall Rules section, and definitely if you want a user from the internet via any of your alias IPs to access a server on the orange zone.
You should have a read through of the link on Port Forwarding that I provided earlier.
My problem has been solved, but please don’t delete my post.
The question about allowing incoming rules is not wrong though. It’s up for discussion why it can’t be simply allowed from the web interface.
However, here is how I solved my own problem:
I was creating wrong Firewall rules.
This rule worked for me:
Source: Standard Networks: Any
Use Network Address Translation [NAT]: Destination NAT [Port Forwarding]
Firewall Interface: IP-1 [x.x.x.x] [which is my Alias IP address…]
Destination: Destination Address [IP address or Network]: x.x.x.x [which is the IP address of my specific one client that is in the IPFire Orange [DMZ] zone]
Protocol: All
You can specify, for example, TCP and a specific destination port. But in my case I want everything to be forwarded to my client, as I have another non-IPFire firewall before the client itself.
How this rule that solved my problem with Port Forwarding from RED Alias IP to my Orange Subnet [DMZ] client IP looks:
You can just write a firewall rule to do it if you really want. Here is one that allows every machine on your Green LAN network to access every protocol service in every area of the IPFire firewall.
If you change the source from Green Network to Any Network then everyone on the internet will have full open access to your firewall services. I would not want to open my firewall internal contents to all systems running on my Green network, and definitely not to the Internet.
That is why we don’t give the option to globally change the Incoming Firewall Access to Allowed.
With Policy Blocked you can still allow a machine on a network to access specified services running on the firewall itself. You can even create groups that cover several protocol ports, e.g. http & https, so you don’t need to write a firewall rule for both protocols.
An example is here where a specified client IP on the Green Network can be allowed to access an NFS server that has been set up on the firewall (nfs addon).
In a similar vein, I have an NTP server which is part of the public pool.
For hardware reasons, I want to move away from OPNsense to IPFire, but despite reading a huge number of posts etc., I cannot create a firewall rule that will allow UDP requests to port 123 of a server on the ORANGE network. Any help will be very much appreciated.
If this is showing then you have some rule changes that have not been applied yet.
You have your rule at number 7. Do any of your other rules 1 to 6 stop access to the Orange zone or match the NTP port? The firewall rules are executed in order from 1 to the last entry that you have, and if an earlier rule matches then you will never reach your firewall rule.
I would also turn on the logging on your rule so you can see what is happening with it when you try and access the ntp server.
Check the circled checkbox and then apply the change.
Then try and access the ntp server and look at the firewall rules log to see what messages there are related to ntp and IP 192.168.4.125
If the traffic is being properly port forwarded then you should see two entries per connection
Time Chain Iface Proto Source Destination Src Port Dst Port
00:18:25 DNAT red0 TCP 49.49.55.102 xxx.xxx.xxx.xxx 40943 80(HTTP)
00:18:25 FORWARDFW red0 TCP 49.49.55.102 192.168.26.30 40943 80(HTTP)
These ones are for an http connection for a letsencrypt access, so your details will be different, such as UDP instead of TCP, NTP instead of HTTP, and the source and destination IPs.
The first rule does the DNAT and allows access from the Internet IP (Source) to your public IP on your red interface (Destination).
The second rule then forwards the traffic from the Internet IP (Source) to your internal IP address (Destination) in orange.
The firewall rule you showed in post 10 says that it is forwarding the traffic to 192.168.4.125 but in the logs you are showing the ntp traffic is being forwarded to 192.168.4.123
The logs suggest that there is another firewall rule port forwarding traffic to 192.168.4.123
Which IP is supposed to be getting the NTP traffic?
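As an added illustration of the two-entry pattern described a few posts up (one DNAT row followed by one FORWARDFW row per forwarded connection) and of the destination mismatch raised in the last post, here is a small Python script. It is example code written for this thread, not from the original posters or the IPFire project. It assumes the whitespace-separated column layout shown in the log excerpt above, pairs each DNAT row with its FORWARDFW row, and reports connections that were never forwarded or were forwarded to a different host than the rule's target. The sample log rows are constructed; 203.0.113.10 stands in for the public RED IP that was masked as xxx.xxx.xxx.xxx, and the NTP sources are documentation addresses.

```python
"""Pair IPFire firewall-log rows for a port forward and flag problems.

Added example, not IPFire project code. Assumes the column layout shown
in the thread: Time Chain Iface Proto Source Destination SrcPort DstPort.
Rows only appear in the log when logging is enabled on the rule.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample rows. 203.0.113.10 stands in for the masked public IP;
# the NTP connection is forwarded to .123 although the rule targets .125,
# and the last connection has no FORWARDFW row at all.
SAMPLE_LOG = """\
Time Chain Iface Proto Source Destination Src Port Dst Port
00:18:25 DNAT red0 TCP 49.49.55.102 203.0.113.10 40943 80(HTTP)
00:18:25 FORWARDFW red0 TCP 49.49.55.102 192.168.26.30 40943 80(HTTP)
00:19:02 DNAT red0 UDP 198.51.100.7 203.0.113.10 52311 123(NTP)
00:19:02 FORWARDFW red0 UDP 198.51.100.7 192.168.4.123 52311 123(NTP)
00:19:40 DNAT red0 UDP 198.51.100.9 203.0.113.10 60000 123(NTP)
"""


@dataclass(frozen=True)
class Entry:
    time: str
    chain: str
    iface: str
    proto: str
    src: str
    dst: str
    sport: str
    dport: str  # e.g. "80(HTTP)" or "123(NTP)"; label kept for display


def port_number(dport: str) -> int:
    """'123(NTP)' -> 123, '123' -> 123."""
    return int(dport.split("(")[0])


def parse_log(text: str) -> list:
    """Parse log rows, skipping the header line and blank lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Time":
            continue
        if len(fields) != 8:
            raise ValueError(f"unexpected column count in: {line!r}")
        entries.append(Entry(*fields))
    return entries


def pair_forwards(entries: list) -> dict:
    """Group rows of one connection: same second, proto, source, source
    port and destination port. A working forward yields DNAT + FORWARDFW."""
    groups = defaultdict(dict)
    for e in entries:
        key = (e.time, e.proto, e.src, e.sport, port_number(e.dport))
        groups[key][e.chain] = e
    return groups


def check_forward(entries: list, proto: str, dport: int, expected_target: str) -> list:
    """Return one finding per connection to proto/dport.

    status is 'ok', 'mismatch' (forwarded to another host, so an earlier
    rule is matching), 'no_forward' (DNAT but no FORWARDFW row) or
    'no_dnat' (FORWARDFW without a DNAT row)."""
    findings = []
    for (time, p, src, sport, port), chains in pair_forwards(entries).items():
        if p != proto or port != dport:
            continue
        dnat, fwd = chains.get("DNAT"), chains.get("FORWARDFW")
        if dnat and not fwd:
            status, actual = "no_forward", None
        elif fwd and not dnat:
            status, actual = "no_dnat", fwd.dst
        elif fwd.dst != expected_target:
            status, actual = "mismatch", fwd.dst
        else:
            status, actual = "ok", fwd.dst
        findings.append({"time": time, "src": f"{src}:{sport}",
                         "status": status, "actual": actual,
                         "expected": expected_target})
    return findings


if __name__ == "__main__":
    for f in check_forward(parse_log(SAMPLE_LOG), "UDP", 123, "192.168.4.125"):
        print(f"{f['time']} {f['src']:<22} {f['status']:<11} "
              f"actual={f['actual']} expected={f['expected']}")
```

Run against the constructed rows, the NTP check reports the 198.51.100.7 connection as a mismatch (forwarded to 192.168.4.123 while the rule targets 192.168.4.125) and the 198.51.100.9 connection as DNAT'd but never forwarded, which are the two symptoms to look for when an earlier rule in the list is matching first. The grouping key uses the log's one-second timestamp, so two connections from the same source port in the same second would collide; that is acceptable for eyeballing a handful of test connections but not for a busy server.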