I’m just starting and I don’t come with any expectations of IPFire, but it has a web interface and it appears to make everything quite simple and usable for me, yet this most basic setting that I am used to looking for in a firewall is missing.
Is the normal course of action really to re-enter the setup process? Or would advanced users edit a config file directly, with the setup process being the hand-held version provided for beginner users?
To assign a new IP to an interface, the NIC must be disabled, and if you disable it the web server stops working and the browser loses the connection.
There are possible ways to work around this, but it is complicated and it is easy to lock yourself out of the config altogether.
All modifications which can influence the network connection to IPFire should be done from console!
There may be ways to work around, but because these depend on both sides of the connection there is no easy implementation.
This ‘roaming’ doesn’t occur permanently. So the development (and testing!) effort is too high.
Just my opinion.
It’s just a very regular feature in most other firewalls: you change the IP, the port goes down and comes back up, and obviously you lose your connection and must go find it again on its new IP.
If there are technical reasons why this is a pain to implement in IPFire I understand it. But you all must be aware how quirky this is for newcomers.
If you have set up IPFire on hardware that allows for a “console” connection like ILO or IPMI, then that is no longer an issue, since you can always access the computer via that interface.
Out of band management
If you have a computer that lacks that feature, you will have to access it physically for some changes.
Having remote, out-of-band access to my firewall would terrify me. I would never, ever, under any circumstances have my firewall reachable in such a way from the WAN side. However, I understand that as a hobbyist, my needs are very different from professional settings. Still, I think it is a bad idea (for a firewall).
EDIT: if I could not afford to have the firewall down when I am not physically capable of accessing the machine, I would rather use a solution like keepalived.
Well, you would only allow access to layer 2 devices, as in devices on your own LAN.
Any other access should of course be hardened by means of VPN and/or MAC filtering via RADIUS and similar measures. I am not saying you should just leave it open.
Even on your local LAN you can, depending on the version of the targeted out-of-band device, set several limitations.
We are not talking about the SSH console, but the main console of the IPFire system. This is a serial port with ‘embedded systems’ (PC Engines APU boards or the Mini Appliance) or the standard KVM interface of PCs.
No, please re-read the subject again. The OP clearly asked for changing, or better assigning, IP addresses in the web interface and someone explained, if this would be possible, this would result in losing the connection to IPFire.
Followed by a possible restart of the internal web server.
I just added that when using an SSH terminal and running IPFire’s setup to change some interface’s IP address, this would result in an interrupted connection, too.
The reasons for a lack of setting IP addresses (configuration of networking) in the WUI are true for SSH also.
Therefore it was evident (for me) that we talk about access to configuration on the network or the system console.
IMHO, someone who can manage a problem in cutting the access is able to access the system console and do the config there. In general, the system console approach is less error-prone (Cut not the bough that you are standing upon).