Hi all, Ok, so as per my previous post, I have now re-installed IPfire and have basic access, however, I am having one issue with a non-standard port. I have searched in the community for possible answers, but none seem to work for me, so please bear with me.
I have an external mail server I connect to, Kerio Connect and the HTTPS port is non-standard, it is 8843 and for the life of me I simply cannot get access to the webmail interface or via Outlook. My Firewall Rule setup is as follows:
Are you trying to access the external Kerio Server from a system on your green LAN or do you want the Kerio Server to be able to access a machine on your green LAN?
The firewall rule you have shown is for the second situation but your words suggest more the first situation.
If it is the first situation, then do you have the web proxy enabled? If yes, then you need to add the 8843 port to the Destination Ports section in the box labelled Allowed SSL ports (one per line):
with something like 8843 # Kerio https
I believe that should then work unless I am wrong about the direction of trying to make the connection.
@bonnietwin Thank you, yes I am trying to access an external Kerio server from a PC on my green network.
I have added the port to the Web Proxy as suggested, however, it seems my rule is still incorrect as I still cannot access the server from my PC. I will investigate further.
Maybe try also adding the port to the Allowed standard ports (one per line):
I note that the 443 port is shown by default in both boxes.
After that I have run out of ideas.
EDIT:
The above won't do anything further. I just noticed that in that left hand box there is a range of ports from 1025 to 65535 which should cover your 8843 port.
@bonnietwin Thank you, it's fine, I have changed the forward rule in firewall options from blocked to allowed and all is working fine. I will have to try to understand what those two options actually do as they really confuse me and I was hoping they would assist to tighten the security on my network. More reading necessary, however I am really struggling with the wiki, but that is my inability to fully understand and comprehend, not anything wrong with the wiki.
@bbitsch I must apologise, I do not understand your post in the least. As I stated, evidently I still have a LOT to learn and comprehend about IPfire and firewalls in general, so forgive me if I am not understanding the point you are trying to make.
@jon Hi, yes, originally the "FORWARD" was set to "BLOCKED" and "OUTGOING" was set to "ALLOWED". However, as soon as I changed the "FORWARD" to "ALLOWED" everything started working as it should. As I mentioned, I will need to do a LOT more research into IPFire, as I really would like to have my network locked down as tight as possible.
@markadewet , I think @jon has explained my very short answer ( sorry ) more explicitly.
To explain the two terms forward and outgoing:
outgoing traffic is initiated on the device itself; all packets generated in the IPFire system going to the WAN
forwarded traffic is initiated by devices in the local networks ( green, blue, orange ); coming in on the associated interface and directed to some address in the WAN
Both kinds of packets are sent on the red0 interface. It is a functionality of the routing part to handle the answers, sending them either to the internal process or through the associated interface to the right client.
An analogous process is the mail handling in an organisation.
Joe Doe sends a letter through the mail office. His sender address is
Orga name
c/o Joe Doe
. . .
Letters coming back are addressed to
Orga name
c/o Joe Doe
. . .
The mail office passes these on to Joe Doe internally.
To reduce paper waste all letters addressed to Orga name only are just transferred to the garbage bin.
If Joe Doe is not allowed to send mail outside, the forward policy of the mail office is "blocked".
@bonnietwin Thank you, yes, I have read that blog and that is what is confusing the heck out of me. In there, Mr Muller says and I quote " To make things as secure as possible, however, it is necessary to drop any connection by default. In order to do so, change "forward firewall" and "outgoing firewall" policies to "blocked" on the firewall options CGI." Here exactly is where I picked up my issue, as then I cannot access anything, which obviously is by design except then my firewall rules do not seem to work, which means I am setting them up incorrectly and here is where my inexperience and lack of knowledge comes into play. So for now, all is working as it should and I will slowly experiment with the various settings until I can achieve what that blog is trying to tell me.
This is ok if you are hardening your installation…
Your problem lies in your firewall rule being backward.
source is your internal ip device.
NAT
Destination Any or Red ( I would limit it to one country if you can)
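The two points made in this thread (forward vs. outgoing traffic, and the rule direction) can be seen in a small policy model. This is added example code, not IPFire's implementation; the green LAN 192.168.1.0/24, the firewall address 192.168.1.1 and the Kerio address 203.0.113.10 are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses standing in for the thread's setup.
FIREWALL_IP = ipaddress.ip_address("192.168.1.1")   # IPFire's own green address
GREEN = ipaddress.ip_network("192.168.1.0/24")       # the green LAN
KERIO_IP = ipaddress.ip_address("203.0.113.10")      # placeholder for the external Kerio server
KERIO_HTTPS = 8843                                   # the non-standard HTTPS port from the thread

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network     # "Source" column of the firewall rule
    dst: ipaddress.IPv4Network     # "Destination" column of the firewall rule
    dport: Optional[int]           # destination port, None means any
    action: str                    # "ACCEPT" or "DROP"

@dataclass(frozen=True)
class Conn:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int

def chain_for(conn: Conn) -> str:
    """OUTGOING: generated by IPFire itself. FORWARD: from a LAN host toward the WAN."""
    return "OUTGOING" if conn.src == FIREWALL_IP else "FORWARD"

def decide(conn: Conn, rules: list, policies: dict) -> str:
    """First matching rule wins; otherwise the default policy of the chain applies."""
    for r in rules:
        if conn.src in r.src and conn.dst in r.dst and r.dport in (None, conn.dport):
            return r.action
    return policies[chain_for(conn)]

kerio_net = ipaddress.ip_network(f"{KERIO_IP}/32")
# Rule as first written in the thread: Kerio as source, green LAN as destination.
backward_rule = Rule(kerio_net, GREEN, KERIO_HTTPS, "ACCEPT")
# Corrected rule: the internal PC is the source, the Kerio server the destination.
correct_rule = Rule(GREEN, kerio_net, KERIO_HTTPS, "ACCEPT")

# A green PC opening the webmail connection.
webmail = Conn(ipaddress.ip_address("192.168.1.50"), KERIO_IP, KERIO_HTTPS)
hardened = {"FORWARD": "DROP", "OUTGOING": "DROP"}     # both policies "blocked"
default = {"FORWARD": "ACCEPT", "OUTGOING": "ACCEPT"}  # both policies "allowed"

if __name__ == "__main__":
    print(chain_for(webmail))                              # FORWARD
    print(decide(webmail, [backward_rule], hardened))      # DROP: rule never matches
    print(decide(webmail, [correct_rule], hardened))       # ACCEPT: rule matches
    print(decide(webmail, [backward_rule], default))       # ACCEPT: only because of the policy
```

With the hardened policies the backward rule is never consulted for a green-to-Kerio connection, which is why flipping FORWARD to allowed made it "work" while the rule itself stayed wrong.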
@hvacguy Thank you, I will look into that, I see where I may have gone wrong.
One question though, I am unsure what you mean by "limit it to one country if you can". Can you please explain what you mean by this? I know the external IP address of the Kerio server, I set it up, so would using its IP address not be better?
@bbitsch Again, I am not sure I understand your reply. I have stated repeatedly that I obviously lack sufficient knowledge and experience with IPFire, so that is something I will have to address.
As far as I am aware, my firewall is functioning, so not sure what that point is in reference to. Your replies do seem very short and to the point, although what exactly the point is, escapes me every time.