Once more. IPFire is distribution well designed and maintained regarding security and stability.
This includes the main configuration process:
usually configuration is done using the WUI
this framework generates the ‘real’ config (files) for the various modules
some parts allow additional configuration with .local files
An update presumes this proceeding. So all standard configuration files are subject for a modification to reflect a new software version. .local configs are untouched.
Additionally it is much easier to help with problems, if this structure is adhered.
I thank you for the valuable suggestions. In fact, I fully agree. I specify to users who see my example, that I did it on a forklift server installed in a VmWare. So, there I can do as many experiments as I want, which I need to understand. Should my images tempt people to do “dangerous” tests on good servers, I also invite them to remove them .
I’ve always thought about it. I could use it very much. Also because I’m having tremendous difficulty solving the “IP range” entry problem by doing a safe and simple thing .
IPv6 integration would also not be bad.
However, I don’t feel like doing that. I do not know English, I am not a developer, and these are operations that I have never done. It is better for someone with considerable experience in these areas to do it.
Looking through those results you will find some that give details of how to use firewall.local in a specific use case which you can then use that as general guidance for how to create your own input for your needs.
Again, thank you very much. While I was waiting for a response, I did some research. I can also do some testing on my IPFire forklift. However, I am still left with the question whether it is fatal to edit this file incorrectly.
Editing firewall.local is as fatal as editing any configuration file.
You must be sure about what you do. Else you can run into a ‘desaster’.
This is also true for publishing unreflected ‘tips’ here in the community.
Thank you very much. I was sure of that. So any method seems complex and dangerous. I return to the idea of implementing a GUI function for IP range entry .
I also return to the subject of my images.
I think I’m dealing with experienced people, so I didn’t bother to avoid posting “dangerous tutorials” to explain my evidence. If you think that something I have posted, may create problems for novice people, please remove it without hesitation. Possibly, future times, I will write privately to one of you in such cases.
Alternatively, I tried experimenting with the firewall.local file.
It seems easy to modify it. I didn’t realize that in the end you just have to write the same thing in it as in my example in the picture.
The difficulty is using the “iptables” command, but for terminal experts I think that is not the problem.
Here is how I configured firewall.local with a trivial example.
Would that work?
#!/bin/sh
# Used for private firewall rules
# See how we were called.
case "$1" in
start)
## add your 'start' rules here
iptables -C INPUT -p tcp --destination-port 444 -m iprange --src-range 10.168.0.1-10.168.255.254 -j ACCEPT
if [ $? -eq 1 ]
then
iptables -I INPUT -p tcp --destination-port 444 -m iprange --src-range 10.168.0.1-10.168.255.254 -j ACCEPT
fi
iptables -C INPUT -p tcp --destination-port 22 -m iprange --src-range 10.168.0.1-10.168.255.254 -j ACCEPT
if [ $? -eq 1 ]
then
iptables -I INPUT -p tcp --destination-port 22 -m iprange --src-range 10.168.0.1-10.168.255.254 -j ACCEPT
fi
;;
stop)
## add your 'stop' rules here
iptables -D INPUT -p tcp --destination-port 444 -m iprange --src-range 10.168.0.1-10.168.255.254 -j ACCEPT
iptables -D INPUT -p tcp --destination-port 22 -m iprange --src-range 10.168.0.1-10.168.255.254 -j ACCEPT
;;
reload)
$0 stop
$0 start
## add your 'reload' rules here
;;
*)
echo "Usage: $0 {start|stop|reload}"
;;
esac