Migrating from IPCop

Hi all.

I am migrating from IPCop, and I have three questions:

  1. Can I use the XML configuration file from IPCop to set up IPFire?
  2. Is it possible in IPFire to easily set and change when to shut down the system, choosing different times each day?
  3. Is it possible to have a log of all the sites browsed by the devices connected to IPFire?

Thank you for your help.

  1. No
  2. Yes (Network -> Connection Scheduler)
  3. Yes, Switch on proxy, then under Logs -> Proxy log files
2 Likes

If Q2 refers to shutting down the computer that is running IPFire daily, then that is probably not a good idea.

Certainly not if running from SD card, on a single board computer, because it would wear out the SD card much sooner. It could also lead to earlier failure of other components of the computer.

Computers are available that consume only a few watts when operating.

1 Like

Thank you Rodney,
question 2 is really to shut down the pc during the night. I don’t use an SD card but a normal hard disk, and to shut down a “normal” pc it seems to me perfectly all right.
The hardware I want to use is rather old (as I said, I am migrating from IPCop) but still operating, not the best in terms of energy saving, I am aware of it, but I don’t want to spend more money on it.
Thank you anyway for your suggestions.

Thank you radiocarbon,
short but useful answer! :slight_smile:

I am in the same position – just installed IPFire after many years using the now-deprecated IPCop – (thanks, IPFire team, very nice, big improvement) – and have a variation of question #2, above.

I don’t want to shut down the IPFire hardware, but would like to completely disable and later re-enable the RED zone. (I’m running a very simple RED+GREEN, cable modem/router setup.) IPCop’s main page had “Connect” and “Disconnect” buttons to do this. Is there anything similar in IPFire?

I’ve always used this feature, turning on RED for several hours while using the internet and then turning it off again. Maybe I was fooling myself into thinking that this gave added security, and maybe IPFire is so hardened that it doesn’t need it, but it strikes me that while RED is set to reject everything that’s as secure as possible.

Thanks for any feedback, and again for making IPFire available.

IMVHO… that behaviour does not add any security, except for… self ideas.

Ok, maybe disconnecting the RED can reduce data leak or footprint for attack but most of the mess was already done with the data leak, and the case of reduced footprint can happen only if RED has a public IP address, but if it’s natted… well, the upfront device should be compromised for exposing the installation.
Anyway…
IPCop and IPFire were designed to keep the gates 24/7, so unless there are bugs, vulnerabilities of the underlying software or some kind of cryptography apocalypse about the algorithm you’re using, only bad settings can make a firewall useless for granting security. Security that can be achieved only by becoming conscious and knowing what the device is going to do.
IPCop has not received any updates since 2015, so it was dead and worth substitution (IMVHO) in 2017. I had a similar experience with Endian Firewall, which lacked any update or patch for about 18 months, and I was considering changing the distro of a few installations. The project started to release something new a couple of months later; now the project releases update packages 4 to 6 times a year…

Thanks for your response, Pike, and for your thoughts on the subject.

Yes, if a leak has occurred (while connected), the damage has already been done. I’m very uneducated on this topic – I don’t know if my setup is “natted”, only that the RED IPFire interface is on the same subnet as the cable modem, and GREEN is a different subnet.

I still think that a firewall set to ignore any and all packets coming in on its RED interface instead of examining them for possible forwarding to GREEN could be possibly “safer”, if only by a small amount. (Of course there could always be a bug in the “total rejection” code, etc.) Out of curiosity, do you think if I go to “Network -> Zone Configuration” and change RED’s interface card (MAC address) NIC Assignment from “Native” to “-None-” this would do what I want? (And that I could change it back to “Native” to re-enable it?)

Totally agree with you about IPCop having lived long past when development halted – and that I was stupid for using it for even longer than that. :frowning: Maybe all my data has already been stolen. :frowning: I do find it strange that all the current websites I found reviewing open-source firewalls still list IPCop, with no mention of the fact that even its Sourceforge download page says not to use it.

Maybe send them an email…

On the topic: I do not think that you would gain any advantage of disconnecting RED. The attacker will just come back when you are connected.

The scenario I’m imagining is an attacker probing random (or an ISP’s range of) IP addresses. If they’re doing so in bursts, and I’m only connected 6 hours a day, I’ve reduced my chances of being compromised by 75%.

The review websites I saw are big, commercial businesses. They can afford to do their own research. :wink:

That assumes that the attacker is scanning the whole internet once a day. For a single one that might be the case, but there are many many more out there, so you will be found very quickly.

You are reducing your chance, but not significantly, if at all.

BTW:
Risk is defined as product of probability and cost. R=p*C
If you minimize the cost/danger you also minimize the risk. And IPFire’s aim is just to minimize the damage.

You guys know far more than I do, and I understand your points. For the conceivable future I’ll use IPFire as intended and not worry about it. Maybe if I have the time someday I’ll dive into the source code and see if I can hack something in (I’m thinking it would be to temporarily install a “reject everything” firewall rule and later restore the previous settings). I could submit it for consideration (likely to be rejected) and then decide if it was worthwhile to apply my patches and rebuild after every update.

One more scenario I thought of: If an attacker got in and turned my machine into a zombie for massive denial-of-service attacks, being offline most of the time would limit his ability to do so. Again a minimal benefit (one less out of thousands of infected hosts).

If your machine is turned into a zombie, you have made a mistake somewhere in your local network. This cannot be protected by a firewall appliance. :wink:

1 Like

I would suggest the opposite: (re-)using an old computer is very energy efficient. You could run an old computer for many years on the amount of electricity needed to make a new one.

Happy New Year, one and all, and especially the devs and admins. :smile:
David

4 Likes

This is very difficult to quantify and compare. It depends very much on the type of computer being analysed.

A somewhat dated study from 2012 is:

It shows that the environmental cost of a desktop computer is 60 % in usage and 40 % in manufacturing, distribution & disposal. That was an era when desktops had spinning 3.5" HDD plus DVD-RW and it could well now be skewed more towards usage.

Those starting with IPFire are likely to use a discarded desktop computer as a trial-horse and that is fine, provided they are aware of the running costs.

My discarded PC is a core 2 duo 3.1 GHz mid-tower. It draws 90 W when idle, compared with 3 W for a BananaPi working with IPFire. Indeed, the former’s powered down, standby power consumption, that mailmasterc should note, is 20 W.

That’s a difference of about 760 kWh per year in running costs. I’ll use my electricity price per kWh and convert to USD, for comparison with the above study. The extra cost comes to 115 USD per year.

It would be interesting to convert the user’s electricity costs to the GHG cost, that is used in the above study, however that would be highly dependent on the percentage of electricity from renewables in a locality. Additionally, the study does not quote the basis for pricing tonnes of CO2.

1 Like

@ Cippa Lippa: I use my IPFire the same way. I shut down while I am sleeping. It is an old desktop PC. IPFire will shut itself down. The PC has an auto start in the morning before I get up. It works and, like you, I do not wish to buy the newest latest whiz bang PC.