Initial setup configuration firewall rules

Hello everyone,
I am new to the community and to IPFIRE.
I have installed on a server the version “IPFire 2.29 (x86_64) - Core-Update 189”

The green card has IP 172.17.78.81 with subnet mask 255.255.255.0.

Now I have a network 172.17.70.0/24 that must access the IPFire GUI, but I am running into problems.

In the firewall section I created a group built like this:

In the Firewall rules section I created this

where all traffic coming from the network 172.17.70.0/24 is diverted to the network 172.17.78.81.

But this does not happen.

Running the command netstat -tulnp | grep 444 gives:

tcp6 0 0 :::444 :::* LISTEN 2775/httpd

It looks like only IPv6 is listening and not IPv4.

Is this the right direction?

Can you tell me how to proceed?

Thanks everyone

Michele

Not sure of your topography.
But have you tried with NAT?

Where is 172.17.70.0/24? If it is on the Red side, to access the GUI you want a destination of Red and not Green. You then access the gui using the Red IP. You may want to also limit the protocol/port to tcp:444.

In terms of where httpd is listening: if it is listening on IPv6, it is also listening on IPv4, but netstat does not show it.


Thanks for the quick reply.

The network 172.17.70.0/24 is a control network that must be on the side of the green network card 172.17.78.81 and is not an external network.

Below is a small diagram of how it should work where the 172.17.70.0/24 network needs to be able to access the IPFIRE GUI.

I am not familiar with firewalls and I can’t figure out how to make it work and if it can work.

Thanks again for the support

Michele

This has nothing to do with the firewall; it is basic IP networking.

172.17.70.x is not part of the green network 172.17.78.0/24, so the packets do not reach the firewall at all. This is the reason why firewall rules cannot work.

First you have to manually add a second IP from that network to the green NIC, add firewall rules to accept this, and allow it in the webserver config.

If the green NIC of IPFire is 172.17.78.81 and should handle traffic from network 172.17.70.24/24 (this is either 172.17.70.0/24 or the client 172.17.70.24/32), it must be part of a common network 172.17.64.0/20.
The network 10.0.0.0/8 is not part/subnet of this.

Not if the netmask is 255.255.255.0 or /24.

Have corrected my post. It was incomplete. :wink:

So what you’re telling me is that to access the green card 172.17.78.81 you need to be part of its subnet mask, for example 172.17.78.81 with subnet mask 172.16.0.0/12? If so, if I had to have a network like in the example 10.0.0.0/8, what should I do to get a new network card?

Sorry for my questions, but I want to understand how it works.

Thanks again

Michele

If I wanted to put the three private networks in the green area, what should I do?
By private networks I mean 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16

Thanks Michele

I think your problem isn’t in firewalling but in networking and routing.
IPFire is basically a router, which routes the networks attached to red NIC and green NIC. The firewall intercepts this traffic with rules.

The network definition for red is usually given by DHCP or statically by the ISP.
The network definition for green must be configured in IPFire, at installation or with setup from a CLI shell.
Without a router in the green network all clients must be part of the network definition.
See also www.ipfire.org - Step 5: Network Setup


If you have three different, separate networks you have to join them by a router between network10, network172, network192 and networkIPFire.
BTW: 172.17.78.81 is a member of 172.16.0.0/12.


Edit /etc/sysconfig/firewall.local like this:

172.17.70.2 is a free example IP in this network and 172.17.70.1 the gateway/router. In the router at 172.17.70.1 you must add a route for your green network 172.17.78.0/24 to 172.17.70.2.
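As an added example (not the poster's own firewall.local contents, which are not shown here), this is what the secondary-address-plus-accept-rule approach looks like in the start/stop/reload case layout IPFire's /etc/sysconfig/firewall.local uses. It assumes the green interface is named green0, that the CUSTOMINPUT chain is where firewall.local rules go, and uses the addresses from the thread; DRY_RUN=1 only prints the commands so the script can be checked before it is run as root.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumptions: green interface is
# green0, custom INPUT rules go in IPFire's CUSTOMINPUT chain. The ip-addr
# part is plain networking (rc.local territory); the iptables part is
# the only piece that belongs in firewall.local.

GREEN_IF="${GREEN_IF:-green0}"   # IPFire green interface (assumed name)
EXTRA_IP="172.17.70.2/24"        # free address in the control network
CTRL_NET="172.17.70.0/24"        # control network that needs the GUI
GUI_PORT=444                     # IPFire web GUI port
DRY_RUN="${DRY_RUN:-0}"          # DRY_RUN=1 prints commands instead of running

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

add_extra_ip() {
    # Give the green NIC an address in 172.17.70.0/24 so packets from the
    # control network reach IPFire at all. The router at 172.17.70.1 still
    # needs a route for 172.17.78.0/24 via 172.17.70.2.
    run ip addr add "$EXTRA_IP" dev "$GREEN_IF"
    # Accept only the GUI port and only from the control network.
    run iptables -A CUSTOMINPUT -s "$CTRL_NET" -p tcp --dport "$GUI_PORT" -j ACCEPT
}

remove_extra_ip() {
    run iptables -D CUSTOMINPUT -s "$CTRL_NET" -p tcp --dport "$GUI_PORT" -j ACCEPT
    run ip addr del "$EXTRA_IP" dev "$GREEN_IF"
}

case "$1" in
    start)
        add_extra_ip
        ;;
    stop)
        remove_extra_ip
        ;;
    reload)
        remove_extra_ip
        add_extra_ip
        ;;
    *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac
```

Each branch, including the usage one, closes with ;; and the whole case closes with esac.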

These are not firewall rules!
Therefore they should be put in another file.

In which file do you think it should be saved? I have been using this option for years and so far it has worked well. But I’m always open to a better solution.

rc.local is normally intended for non firewall related items. Maybe give that a try.

https://www.ipfire.org/docs/pkgs/rc-local


Doesn’t rc-local only run on boot? Don’t you want something to hook onto network starting and changes?


Yes, you are right.

Hi,
Is the script to insert in rc.local correct ending with “esac”, or should it end with the “;;” after the echo “usage…” command?

Thanks again

Michele