»Incoming Firewall Access« blocked or open?

Hello IPFire community,

I have a problem understanding the Incoming Firewall Access.
I wanted a setup as described in this article »Force clients to use IPFire’s DNS proxy«.

This has led me to the understanding that actually any traffic targeted directly at the IPFire FW is blocked by default unless explicitly allowed.

Now I am also running Samba, CUPS and the NTP server on the FW, and all of it is accessible just like that.
Did I get this wrong?
Or is the FW misbehaving?

Thanks a lot,
regards

Matthias



Hi, with source Green and destination Green, your network is blocked. By default all incoming connections are blocked. If you allow a network client to use automatic DHCP, all clients receive the DNS specified in the DHCP configuration.

Hi Walter,

thanks a lot for your response :slight_smile:

By default all incoming connections are blocked.

That would mean it’s an error :thinking:

If you allow a network client to use automatic DHCP, all clients receive the DNS specified in the DHCP configuration.

That should not work then either…
and the Webserver on it too :thinking:

That cannot be, because I don’t see a possibility to un/block incoming, only Forward and Outgoing:

Any other hint?
Or an explanatory wiki article?

Regards
Matthias


I have the same problem! I need to allow Incoming Firewall Access. Default policy is really set to blocked and I can’t find any settings in IPFire web interface to change it :frowning:

You don’t want to change it on a global basis as that will allow any bad actor on the internet to try to access every system on your internal network.

If you have a web server that you want to allow access for users on the internet then you need to write a Port Forward Firewall Rule that allows users using a specific protocol to get access to a specific machine on your internal network.
https://www.ipfire.org/docs/configuration/firewall/rules/port-forwarding

If you are unfamiliar with firewalls and how to allow users to access things while protecting the things you don’t want to have accessed from the internet then I would suggest a read through the contents of this link.
https://www.ipfire.org/docs/configuration/firewall
Start with the introduction that is linked on that page and then you can look through the various other items listed.


Thank you for reply.

I have successfully configured a client on Orange to access the internet.

via the Alias IP, which I call IP-1.

But nothing from the internet can connect to my client on Orange via the Alias IP [IP-1].

If you are trying to create a port forward rule to access a machine on the orange zone then you have placed it in the wrong place.

The port forward rule should be in the section titled Firewall Rules

The Incoming Firewall Access is for when you want to access services that are running on the IPFire firewall itself. Usually you won’t want that changed from the Blocked situation. An example for adding a rule here would be if you were running the apcupsd software on IPFire to control a UPS (Uninterruptible Power Supply) and you wanted to run a slave apcupsd process on orange then you would write a rule here to allow access from a specific machine in orange to the green nis server protocol on the firewall itself.

The Outgoing Firewall Access is for controlling the packets from the IPFire firewall itself to the internet or to any of the zones that you have set up.

The majority of firewall rules will need to be created in the Firewall Rules section, and definitely if you want a user from the internet via any of your alias IPs to access a server on the orange zone.
You should have a read through of the link on Port Forwarding that I provided earlier.

I would also suggest reading the section about the difference between Source and Destination of a packet.
https://www.ipfire.org/docs/configuration/firewall/rules


Thank you very much for answer!

My problem has been solved, but please don’t delete my post.

The question about allowing incoming rules is not wrong though. It’s up for discussion why it can’t be simply allowed from the web interface.

However how i solved my own problem:

I was creating wrong Firewall rules.

This rule worked for me:

Source: Standard Networks: Any

Use Network Address Translation [NAT]: Destination NAT [Port Forwarding]
Firewall Interface: IP-1 [x.x.x.x] (which is my Alias IP address)

Destination: Destination Address [IP address or Network]: x.x.x.x (which is the IP address of my specific client in the IPFire Orange [DMZ] zone)

Protocol: All

You can specify, for example, TCP and a specific destination port. But in my case I want everything to be forwarded to my client, as I have another non-IPFire firewall in front of the client itself.

How this rule that solved my problem with Port Forwarding from RED Alias IP to my Orange Subnet [DMZ] client IP looks:

You can just write a firewall rule to do it if you really want. Here is one that allows every machine on your green LAN network to access every protocol service on the IPFire firewall.


If you change the source from Green Network to Any Network then everyone on the internet will have full open access to your firewall services. I would not want to open my firewall’s internal contents to all systems running on my Green network, and definitely not to the Internet.
That is why we don’t give the option to globally change the Incoming Firewall Access to Allowed.

With Policy Blocked you can still allow a machine on a network to access specified services running on the firewall itself. You can even create groups that cover several protocol ports - e.g. http & https - so you don’t need to write a firewall rule for both protocols.

An example is here where a specified client IP on the Green Network can be allowed to access an NFS server that has been set up on the firewall (nfs addon).


In a similar vein, I have an NTP server which is part of the public pool.
For hardware reasons, I want to move away from opnsense to IPFire but, despite reading a huge number of posts etc., I cannot create a firewall rule that will allow UDP requests to port 123 of a server on the ORANGE network. Any help will be very much appreciated.

That rule should do what you are looking for.

Simple checks first.

After creating the rule, did you press the green Apply Changes button at the top of the firewall page?


If this is showing then you have some rule changes that have not been applied yet.

You have your rule at number 7. Do any of your other rules 1 to 6 stop access to the Orange zone or match the NTP port? The firewall rules are executed in order from 1 to the last entry that you have, and if an earlier rule matches then you will never reach your firewall rule.

I would also turn on the logging on your rule so you can see what is happening with it when you try and access the ntp server.
Check the circled checkbox and then apply the change.

Then try and access the ntp server and look at the firewall rules log to see what messages there are related to ntp and IP 192.168.4.125

If the traffic is being properly port forwarded then you should see two entries per connection

Time 		Chain 		Iface 	Proto 	Source 			Destination 		Src Port	Dst Port
00:18:25 	DNAT 		red0 	TCP 	49.49.55.102 	xxx.xxx.xxx.xxx 	40943 		80(HTTP)
00:18:25 	FORWARDFW 	red0 	TCP 	49.49.55.102 	192.168.26.30 		40943 		80(HTTP)

These ones are for an http connection for a letsencrypt access, so your details will be different, such as UDP instead of TCP, NTP instead of HTTP, and the source and destination IPs.

The first rule does the DNAT and allows access from the Internet IP (Source) to your public IP on your red interface (Destination).
The second rule then forwards the traffic from the Internet IP (Source) to your internal IP address (Destination) in orange.

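The two-line DNAT/FORWARDFW pattern described in the reply above can be checked mechanically instead of by eye. The following is an added example, not part of this thread and not IPFire's own code: it parses firewall-log lines in the eight-column layout shown above (Time, Chain, Iface, Proto, Source, Destination, Src Port, Dst Port), pairs each DNAT line with its FORWARDFW line by time, protocol, source IP and source port, and reports connections that were DNAT-ed but never reached FORWARDFW (an earlier rule or the policy dropped them) as well as connections that were forwarded to a different internal host than expected, which is exactly the 192.168.4.123 vs 192.168.4.125 kind of mismatch. The log lines embedded in it are constructed for the example and use RFC 5737 documentation addresses for the public side.

```python
"""Check IPFire-style firewall-log lines for complete port forwards.

Added example, not IPFire's own tooling. It assumes whitespace-separated
columns in the order Time, Chain, Iface, Proto, Source, Destination,
Src Port, Dst Port, with the port columns possibly carrying a "(NAME)"
suffix such as "80(HTTP)" or "123(NTP)".
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not real traffic). Public IP 203.0.113.10 stands in
# for the red-interface address; the last connection has no FORWARDFW line.
SAMPLE_LOG = """\
Time Chain Iface Proto Source Destination SrcPort DstPort
00:18:25 DNAT red0 TCP 49.49.55.102 203.0.113.10 40943 80(HTTP)
00:18:25 FORWARDFW red0 TCP 49.49.55.102 192.168.26.30 40943 80(HTTP)
10:02:11 DNAT red0 UDP 198.51.100.7 203.0.113.10 51234 123(NTP)
10:02:11 FORWARDFW red0 UDP 198.51.100.7 192.168.4.123 51234 123(NTP)
10:02:30 DNAT red0 UDP 198.51.100.9 203.0.113.10 44000 123(NTP)
"""


@dataclass(frozen=True)
class LogEntry:
    time: str
    chain: str
    iface: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


def parse_port(field: str) -> int:
    """'80(HTTP)' -> 80, '40943' -> 40943."""
    return int(field.split("(", 1)[0])


def parse_log(text: str) -> list[LogEntry]:
    """Parse log lines; header, blank and malformed lines are skipped."""
    entries: list[LogEntry] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Time":
            continue
        time, chain, iface, proto, src, dst, sport, dport = parts
        entries.append(LogEntry(time, chain, iface, proto.upper(), src, dst,
                                parse_port(sport), parse_port(dport)))
    return entries


def check_forwards(entries: list[LogEntry], expected_target: str,
                   dport: int) -> dict[str, list]:
    """Pair DNAT and FORWARDFW lines for one forwarded destination port.

    A connection is keyed on (time, proto, source IP, source port): the DNAT
    line shows the public IP as destination, the FORWARDFW line shows the
    internal IP after translation. Returns three buckets:
      complete     - DNAT followed by FORWARDFW to expected_target
      dnat_only    - DNAT seen but no FORWARDFW (dropped before forwarding)
      wrong_target - FORWARDFW went to a different internal host
    """
    by_conn: dict[tuple, dict[str, LogEntry]] = defaultdict(dict)
    for e in entries:
        if e.dport != dport:
            continue
        by_conn[(e.time, e.proto, e.src, e.sport)][e.chain] = e

    result: dict[str, list] = {"complete": [], "dnat_only": [], "wrong_target": []}
    for key, chains in by_conn.items():
        dnat = chains.get("DNAT")
        fwd = chains.get("FORWARDFW")
        if dnat and not fwd:
            result["dnat_only"].append(key)
        elif fwd and fwd.dst != expected_target:
            result["wrong_target"].append((key, fwd.dst))
        elif dnat and fwd:
            result["complete"].append(key)
    return result


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    # The NTP server is expected at 192.168.4.125, as in the thread.
    report = check_forwards(log, "192.168.4.125", 123)
    for bucket, items in report.items():
        print(f"{bucket}: {items}")
```

Run against the constructed sample, the NTP check puts the 10:02:11 connection in `wrong_target` (it landed on 192.168.4.123) and the 10:02:30 connection in `dnat_only`, which is the signature of a DNAT rule that is reached but a forward that is not, typically because an earlier rule or the forward policy matched first. Paste real log lines in place of `SAMPLE_LOG` to check your own rule.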

Thanks, Adolf.
Output below -

The firewall rule you showed in post 10 says that it is forwarding the traffic to 192.168.4.125 but in the logs you are showing the ntp traffic is being forwarded to 192.168.4.123

The logs suggest that there is another firewall rule port forwarding traffic to 192.168.4.123

Which IP is supposed to be getting the NTP traffic?

  • 192.168.24.123
    or
  • 192.168.24.125