New feature request: Create a new color network

Right now we have four colors / categories of interfaces:
Red - public internet facing, Orange - DMZ, Blue - WiFi, Green - internal LAN

I propose we create another color category: purple - offline production.

This category would use its own isolated environment with a separate DHCP scope, different IP scheme, gateway, proxy, firewall rules, etc. This would be for servers that hold private company data, which need to communicate with all hosts on the green network but never have access to the internet, inbound or outbound: it only communicates with green, and optionally blue, never blue or red. Then we can add additional network cards to an IPFire machine to segment off this part of the network. Can we add this feature to a future build, or if this is already possible can someone point me in the right direction on how to set this up? The name and color can be whatever; I just picked purple and offline production as an example.

Thanks for all you do.

1 Like

While we wait for 3.0, you can do what you want quite effectively today if you add another router in front of your green network. Its green/blue/orange become your new green/purple/chartreuse or whatever you need. Its rule structure would be quite simple with NATting and pinholes unlikely to be needed, the edge firewall doing most of the work.

I know of a person who does this simply to restrict their photo-heavy NAS which backs up their green devices, without exposing the NAS to anything on orange. He classes it as “a 3rd party computing device with independent internet access” and thus deserving of restriction. I have some sympathy for the view.

1 Like

AFAIK, Red, Orange, Blue and Green zones are concepts widely available on the firewall market; adding containerization, there’s also the “Aqua zone” concept.

Do you know any other firewall product/distro which has this kind of zone?

Consider that with proper configuration the same result can be achieved without too much hassle (needs only enough… interfaces)

1 Like

Is this person using an IPFire inside an IPFire router, or is it another consumer Linksys/Cisco/D-Link etc.? How does he define the class?

I don’t specifically know of one, no. This is just an idea that I have. Does IPFire 3.0 have this kind of feature? Is there a place that describes what 3.0’s features will be?

You could restrict access to the internet based on the MAC address of each device to accomplish the same thing I suppose, but I was thinking that if you had another isolated part of the network for everything flowing off of that port, then it would be fewer rules to set up to accomplish the same thing. The part that I’m not sure about is whether you would have to create another VLAN with a different IP scheme and routing table to segment it out, or whether keeping it in the same class and IP scheme as green would be sufficient with the firewall rules. Thoughts?
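The two posts above describe a zone policy (purple talks to green and nothing else, never red) and ask whether the new zone needs its own IP scheme. The following is an added illustration, not code from the thread or from the IPFire project: it models zones as address ranges, checks a connection against an allow-list of zone pairs, flags an address plan whose zones overlap (which is what makes subnet-based classification impossible), and renders the policy as an nftables ruleset. All subnets, zone names and the `local_nets` set name are constructed for the example; anything not matching a local zone is treated as red.

```python
import ipaddress

# Constructed address plan for the example (not IPFire's defaults).
# Each zone gets its own subnet; "red" is everything that is not local.
ZONES = {
    "green":  ipaddress.ip_network("192.168.10.0/24"),
    "blue":   ipaddress.ip_network("192.168.20.0/24"),
    "orange": ipaddress.ip_network("192.168.30.0/24"),
    "purple": ipaddress.ip_network("192.168.40.0/24"),
}

# (source zone, destination zone) pairs that may open NEW connections.
# purple appears only paired with green: no red, blue or orange in either direction.
ALLOWED = {
    ("green", "purple"), ("purple", "green"),
    ("green", "blue"), ("green", "orange"),
    ("green", "red"), ("blue", "red"), ("orange", "red"),
}


def zone_of(ip):
    """Classify an address by the zone subnet it falls in; non-local means red."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "red"


def is_allowed(src_ip, dst_ip):
    """True if a new connection from src_ip to dst_ip is permitted by the policy."""
    return (zone_of(src_ip), zone_of(dst_ip)) in ALLOWED


def overlapping_zones(zones=ZONES):
    """Return zone pairs whose subnets overlap. A non-empty result means the
    firewall cannot tell the zones apart by address, so the policy above
    cannot be enforced with address-based rules."""
    names = sorted(zones)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if zones[a].overlaps(zones[b])]


def render_nft(zones=ZONES, allowed=ALLOWED):
    """Render the policy as an nftables forward chain with a default drop."""
    lines = [
        "table inet zones {",
        "  set local_nets {",
        "    type ipv4_addr; flags interval;",
        "    elements = { " + ", ".join(str(n) for n in zones.values()) + " }",
        "  }",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for src, dst in sorted(allowed):
        src_match = f"ip saddr {zones[src]}"
        # "red" has no subnet: match any destination outside the local zones.
        dst_match = (f"ip daddr {zones[dst]}" if dst in zones
                     else "ip daddr != @local_nets")
        lines.append(f"    {src_match} {dst_match} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    assert overlapping_zones() == [], "zones must not share address space"
    print(render_nft())
```

If purple were given the same subnet as green, `overlapping_zones()` would report the pair and the generated ruleset could no longer distinguish the two, which is the practical reason a separate zone needs its own IP scheme (or VLAN) on the firewall. The rendered ruleset only illustrates the shape of the policy; the real IPFire configuration is done through its own firewall interface.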

IPFire-3.x will have the possibility to have as many zones and interfaces as you want to have.

No, as it is a work in progress, but the aim for the network structure was discussed in the dev team meetup a couple of months ago.

I believe the network structure is the next thing to be worked on now that the IPFire-3.x pakfire system is in a mostly running condition, a few bugs still need ironing out but package updates can be provided into the git repository now.

You can see the commits being done on the IPFire-3.x git repo.
https://git.ipfire.org/?p=ipfire-3.x.git;a=shortlog;h=refs/heads/master

4 Likes

@cwensik
Chris, they use IPFire as the edge router and quite a good Draytek (picked up on Gumtree) distributing new IP ranges to personal devices and the NAS, so a simple setup really, despite the seeming complication of two firewalls. This also satisfies the traditional 2-firewall design where Green has a firewall facing IPFire’s distribution to Orange in case of penetration of the latter opening internal attack on or through the edge router, FWIW.