Is my configuration correct?

Hello,
I’m relatively new to networking in general but also to IPFire itself.
I’ve read a fair amount but still some things are unclear to me.

I’d appreciate if you could tell me if my configuration is correct and answer some of my questions.
Thank you in advance. <3 No advanced stuff but I want to have a secure basic configuration before I “play around” with other stuff.

FRITZ!Box —> IPFire
should I set the IPFire as an exposed host of the FRITZ!Box?
So I wouldn’t have 2x NAT, right?

I have configured some NTP servers in the FRITZ!Box, and set the IPFire’s NTP server to the FRITZ!Box IP address. And in the DHCP settings I’ve set the IP of IPFire for NTP.
That means: NTP-Server --> FRITZ!Box --> IPFire --> Client
Does this make sense or should I exclude the FRITZ!Box in this chain?

In the firewall settings, should I enable or disable NTP for GREEN/ORANGE/BLUE?
Do I have to change this setting if I set the IPFire as exposed host, or not?

Somewhere I’ve read that I should NOT use “.local” as domain for the IPFire. Is that correct? Because that’s exactly what I did…

“Application-Layer-Gateways”
As far as I understand it opens needed ports temporarily for a session?
But what I don’t understand is, which of these protocols do I need in day-to-day use?
The only one I know is FTP.

I guess these were all questions I have right now.
Hope you can make things a bit more clear for me.
Thank you!

That what you mean is putting the FritzBox into Bridged Mode so it works like any modem only. If you do so, that won’t be possible anymore:

except you exclude the FritzBox from this chain.

That means that all ports are opened for the device already.

It’s the same to me, but my firewall works fine with other domain controllers in the network so I don’t think it will cause any problems.

Hello,

If you don’t want to VPN to IPFire, it’s ok without exposed host. Even with 2 x NAT.

You can do so, but cascading requires all chain elements working. Why not make IPFire independent from the Fritz!Box? NTP rule yes/no for green is also more subject of independence of the clients. Choose your time source carefully. That is IMO more important.

… but works. Issue is with unbound and DNSSEC but there is an exception for .local in place.

Right but just FTP (passive / active) is a troublemaker due to dynamic port use. Try but I’d guess, it will not work.

Regards

P.S.:

Ahm, no, I don’t think that OP means that. Also not all FBs support bridge mode anymore so the only way out could be to use config with exposed host.

What? Did you want to say that in standard configuration all communication outbound is allowed? But OP did not say anything about his configuration regarding this. Even in case he switched to outbound blocked as default, creating a rule for NTP outbound does not ‘mean that all ports are opened for the device already’.
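To make the “cascading requires all chain elements working” point concrete: the check below is an added example (not code from the thread or from the IPFire project) that parses the classic `ntpq -p` peer billboard of ntpd, as run on IPFire, and flags the two weaknesses of the chained setup “NTP server -> FRITZ!Box -> IPFire -> clients”: only one usable source, and that source being the RFC 1918 router address, so IPFire inherits whatever time the FRITZ!Box happens to serve. Both `ntpq` outputs are constructed samples, not captures from a real box; the assumed column layout is the standard one (`remote refid st t when poll reach delay offset jitter`), and the thresholds are illustrative.

```python
import ipaddress
import re

# Constructed sample: the chained setup, the FRITZ!Box is the only peer.
CHAINED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.178.1   .GPS.            2 u   35   64  377    0.412   -0.215   0.081
"""

# Constructed sample: IPFire configured with its own (documentation-range) servers.
INDEPENDENT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*203.0.113.10    .PPS.            1 u   18   64  377   12.331    0.104   0.210
+198.51.100.7    203.0.113.10     2 u   40   64  377   14.902    0.377   0.455
+192.0.2.25      .GPS.            1 u   22   64  377   18.114   -0.088   0.302
"""

# One peer line of `ntpq -p`: tally character, remote, refid, stratum, type,
# when, poll, reach (octal), delay, offset, jitter (the last three in ms).
LINE_RE = re.compile(
    r"^(?P<tally>[ *+#\-x.o])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<t>\S)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<jitter>[\d.]+)$"
)

# Addresses behind the same NAT as IPFire, i.e. the upstream router itself.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(host):
    """True if host is a private IPv4 address (checked explicitly, not via is_private,
    because Python also treats the documentation ranges as private)."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames / refid tokens are not addresses
    return any(addr in net for net in RFC1918)


def parse_ntpq(text):
    """Turn the billboard into a list of peer dicts; header/separator lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        d = m.groupdict()
        peers.append({
            "selected": d["tally"] == "*",      # the peer the clock is synced to
            "candidate": d["tally"] in "*+",    # selected or a usable fallback
            "remote": d["remote"],
            "stratum": int(d["st"]),
            "reach": int(d["reach"], 8),        # shift register of the last 8 polls
            "offset_ms": float(d["offset"]),
        })
    return peers


def assess(peers, max_offset_ms=100.0):
    """Return a list of findings; an empty list means the time source setup looks robust."""
    if not peers:
        return ["no peers parsed: ntpd not running or unexpected output format"]
    findings = []
    if sum(1 for p in peers if p["candidate"]) < 2:
        findings.append("only one usable time source: if it fails IPFire free-runs")
    for p in peers:
        if p["selected"] and is_rfc1918(p["remote"]):
            findings.append(f"selected source {p['remote']} is the upstream router: "
                            "IPFire inherits its time and its failures")
        if p["reach"] != 0o377:
            findings.append(f"{p['remote']}: missed polls recently (reach={p['reach']:o})")
        if abs(p["offset_ms"]) > max_offset_ms:
            findings.append(f"{p['remote']}: offset {p['offset_ms']} ms exceeds {max_offset_ms} ms")
    return findings


if __name__ == "__main__":
    for name, sample in (("chained", CHAINED), ("independent", INDEPENDENT)):
        print(name, assess(parse_ntpq(sample)) or ["ok"])
```

Run it on the real box by feeding `ntpq -p` output into `parse_ntpq`; the chained sample yields two findings, the independent one none.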

In standard configuration of ipfire all traffic of all clients is allowed. Whenever you define any client as exposed host, there should be no ports blocked for that client (anymore).

Thanks for the quick reply.

Yes I definitely want to VPN to the IPFire.
So in this case with exposed host is better, right?
What about the NAT rules when I use exposed host? Should I change anything there? Currently NAT is on for all interfaces.

Okay then I will setup the NTP servers independently on the FRITZ!Box and IPFire instead of chaining.

@anon47238184 what you wrote about FTP and ALG I don’t understand. Currently I turned ALG off everywhere. Do you expect me to run into problems? If I turn it off for FTP, can’t I use FTP anymore? Don’t have a server right now to test it.

huh? default rules are here: https://wiki.ipfire.org/configuration/firewall/default-policy
But I don’t get what this has to do with setting the IPFire as an exposed host of the FRITZ!Box.
If I do so, IPFire should block all incoming connections by default.

Hello Kamill NoName,

you are right and I think @xperimental is mixing something with roles and directions. Don’t worry about setting IPFire as exposed host in the Fritz!Box. All inbound traffic stops at the RED interface of IPFire unless you start port forwarding to GREEN on IPFire itself.

I’d leave NAT on. This will render the IP addresses behind IPFire (aka all in GREEN) anonymous.

ALG: in my experience there is no positive effect for FTP. Doesn’t matter if ALG for FTP is on or off. It should work with ‘on’ as a helper for classic FTP, but at least I couldn’t get it to work in any way with IPFire. So meanwhile I’m using FTPS or SFTP depending on the service I want to reach. Better anyway because it is encrypted while FTP is not.

Regards
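Why FTP is the troublemaker for a NAT firewall, and what an ALG (conntrack helper) actually has to do, shown in an added example that is not from the thread or from IPFire: FTP negotiates a second, dynamically numbered data connection on the control channel, and the firewall can only open the matching pinhole if it reads those commands. The parser below extracts that endpoint from the four forms used (`PASV`/`EPSV` replies in passive mode, `PORT`/`EPRT` commands in active mode) and says whether the data connection would have to be opened from the server towards the LAN client, which without a helper stops at RED. The control-channel lines are constructed samples. With FTPS the control channel is encrypted, so no helper can read them at all; SFTP runs everything over one SSH connection and needs none, which is the practical reason behind the recommendation above.

```python
import re

# Passive mode: server tells the client where to connect (client initiates).
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229\b.*?\(\|\|\|(\d+)\|\)")
# Active mode: client tells the server where to connect back (server initiates).
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.I)
EPRT_RE = re.compile(r"^EPRT\s+\|[12]\|([^|]+)\|(\d+)\|\s*$", re.I)


def data_endpoint(line, control_peer):
    """Return the data-connection endpoint announced on a plaintext FTP control line,
    or None if the line carries none. control_peer is the server address of the
    control connection (EPSV replies carry only the port)."""
    line = line.strip()
    m = PASV_RE.match(line)
    if m:
        host = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))   # p1*256 + p2
        return {"mode": "passive", "host": host, "port": port, "initiator": "client"}
    m = EPSV_RE.match(line)
    if m:
        return {"mode": "passive", "host": control_peer, "port": int(m.group(1)),
                "initiator": "client"}
    m = PORT_RE.match(line)
    if m:
        host = ".".join(m.group(i) for i in range(1, 5))
        port = int(m.group(5)) * 256 + int(m.group(6))
        return {"mode": "active", "host": host, "port": port, "initiator": "server"}
    m = EPRT_RE.match(line)
    if m:
        return {"mode": "active", "host": m.group(1), "port": int(m.group(2)),
                "initiator": "server"}
    return None


def needs_inbound_pinhole(endpoint):
    """True when the remote server must open a connection towards the LAN client:
    exactly the case a conntrack helper/ALG has to learn from the control channel,
    because a default-deny RED interface drops that unsolicited inbound SYN."""
    return endpoint["initiator"] == "server"


# Constructed control-channel transcript: client 192.168.178.20 (GREEN, NATed)
# talking to a server at 192.0.2.10; only the lines with endpoints matter here.
SAMPLE_SESSION = [
    "220 welcome",
    "PASV",
    "227 Entering Passive Mode (192,0,2,10,195,80)",
    "PORT 192,168,178,20,200,17",
    "229 Entering Extended Passive Mode (|||50001|)",
    "EPRT |1|192.168.178.20|51218|",
    "AUTH TLS",   # after this the control channel is encrypted: nothing below is visible
]


def summarize(lines, server="192.0.2.10"):
    """List every announced data endpoint with the firewall consequence."""
    out = []
    for raw in lines:
        ep = data_endpoint(raw, server)
        if ep:
            out.append((ep["mode"], ep["host"], ep["port"], needs_inbound_pinhole(ep)))
    return out


if __name__ == "__main__":
    for mode, host, port, pinhole in summarize(SAMPLE_SESSION):
        where = "server -> LAN client, needs helper/pinhole" if pinhole else "client -> server, outbound"
        print(f"{mode:8} {host}:{port:<6} {where}")
```

With IPFire’s default outbound-allow policy the two passive entries work without any ALG; the two active entries are the ones that fail unless a helper rewrites the LAN address and opens the port on RED.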