I didn’t know about this feature until I saw a thread asking a question related to it. Even I do not know how to allow connections if I set the firewall’s default policy to blocked.
all right, so for the reference, the firewall default policy documentation is located here. If you set it to “DROP”, you will have to create firewall rules according to the reference documentation allowing desired traffic.
For your IPFire machine itself, this is:
- NTP traffic (destination port 123/UDP) for time synchronisation
- DNS traffic (destination ports and IP addresses depend on your configuration)
- Whois traffic if you take advantage of
ipinfo.cgi (destination port 43/TCP, AFAIK it only uses the ARIN servers at the moment)
- HTTPS traffic for checking for and downloading updates to the IPFire mirror servers
- ICMP traffic of type 8 (echo-request, i. e.
ping) to your gateway
No offense, but I doubt firewall newbies would be happy with configuring them before getting anything behind their IPFire machines to work. We cannot introduce default rules either, as they depend on your network environment.
If that is my opinion, I’m also free to ask for improvement in software and documentation. I’m aware that firewalls cannot detect malware going in and out of the network. I at least can block suspicious connections with firewall. Firewalls should be built around the objective of making it easy for users to find and block suspicious connections. This is not how it is in any of the firewall distros. What exactly prevents IPFire from providing an option to allow or block or create a rule at the connections view?
If you are able to identify “suspicious connection” based on their layer 3/4 source and destination, why don’t you create a matching firewall rule in the first place, so you do not need to keep watching the connection table?
Technically, there are number of ways to make existing connections terminate, one uglier than the other, and none of them would be RFC compliant to my knowledge. Except for some cases, IP is about end-to-end communication, not end-to-firewall-to-end one. We should not tamper with that.
If your adversaries are somewhat advanced, they will try to look their C&C connections innocent, such as talking TLS to port 443/TCP to an IP address in a well-known data center. It is not easy to find those connections, and one definition of “suspicious” never fits all users. Again, we cannot release users from the burden of thinking and knowing their networks.
You recently wrote a blog on your website about security, in which you said, users shouldn’t even trust the software vendors. If we accept this as a reasonable suspicion, the malware could already be inside, inbuilt in the OS and has free access to any website with the default firewall policy. By the time, I look at the connections view, the malware could have already connected and sent and received data and it is difficult to find which connection it is.
First, it was not my website, but that of the IPFire project instead. Second, it is reasonable to assume things are compromised already. Since they might be able to open up connections before you notice them looking at the connection tracking CGI, this is exactly the reason why we do not even think about implementing on-the-fly connection termination. Please think about what connections are normal and desired, define firewall rules allowing those, and drop the rest.
You say my post indicates lack of understanding regarding most basic network security techniques. What would you suggest I read to improve it?
Perhaps a book on TCP/IP networks and network security (in that order)?
And don’t you agree that with default firewall policy anything on the LAN side can access the Internet and anything on that connection will be allowed. If there is a malware on the LAN which entered through undisclosed means, it will have a free access. Doesn’t this pose a security risk?
It does. Because of the thoughts expressed above and in previous posts, I unfortunately do not see a reasonable alternative to that default policy. Besides, if a user is introducing an IPFire machine to his/her/its network, it’s default behaviour matches that of ordinary end-user ISP routers available - looking at outgoing connections, they will or will not keep working as they did before.
Doesn’t allowing firewall’s admin panel to be accessed by a device connected to the firewall’s interface defeat the purpose of network security?
This is why we require the admin to authenticate, and introduced the Guardian add-on to detect brute-force attempts and drop all traffic from the offending IPs. Make sure you monitor that list, as it might indicate internal clients being compromised.
As I wrote at blog.ipfire.org the other day, we expect our users (in spe) to read the documentation and come with basic network knowledge. You do not have to be an expert to run IPFire, which is a good thing, but will have to gain additional knowledge if you lacked it before. This thread so far illustrates that very clearly.
Thanks, and best regards,