Any suggestions on how IPfire can be used to limit outbound traffic to port 443 from only specific source apps? I know how to do it in Windows firewall. Just wondering if there is a way to do it in IPfire.
That is not really possible, as IPFire can't see the app the traffic originates from, just the IP (different layer). While the IPS might be able to decode the traffic and apply rules accordingly, that approach has a few obstacles: it would need to make a man-in-the-middle attack to break the encryption, for instance. And that is a no-go, at least for me. Long story short: don't even try that. And as you already know how to do it in Windows, that is the right place to block/allow application-level traffic. A dedicated network firewall is not a replacement for an application-level firewall.
Thanks for your reply.
Yes, I get it that a network firewall is not a replacement for a client-level firewall.
Just thought it was worth asking because it would be handy if it could be done centrally rather than on all the clients in the sub-net.
I'm sorry if my reply came across a bit rude. That wasn't my intention!
No worries. All good.
Albeit being a bit late on this, welcome to the IPFire community.
As @dal8moc already mentioned, IPFire does not know which application on a certain client caused network traffic, so there is no direct application level firewalling possible.
As a workaround, I use IPFire's web proxy with user authentication in some environments. There, the operating system gets different proxy credentials configured than the user browsers, so the proxy can differentiate between network traffic generated by the OS and actual user traffic.
By using the URL filter ACLs, one can then restrict the OS to certain destinations, such as its update servers only, while the users are permitted to access more or even arbitrary destinations on the internet via the proxy.
Depending on your use-case and whether your environment is able to handle HTTP(S) proxies, this might be helpful. If so, it is important to have a firewall ruleset configured that prevents the clients from establishing connections to the internet directly, bypassing the proxy. More information on this topic can be found here.
Thanks, and best regards,
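To make the workaround above concrete, here is a Squid policy fragment that expresses the split described in that post: one set of proxy credentials for the operating system, which may only reach its update servers, and another for interactive users, who may reach anything. This is an added example, not configuration from the poster or from the IPFire project. IPFire generates its own squid.conf from the web interface (proxy authentication and the URL filter are configured there), so this fragment only illustrates the resulting policy; the usernames, the `/var/ipfire/proxy/` paths, and the destination domains are assumptions, and `.example-updates.invalid` is a constructed placeholder for whatever update hosts your OS actually uses.

```conf
# Basic proxy authentication against a local password file (path assumed)
auth_param basic program /usr/lib/squid/basic_ncsa_auth /var/ipfire/proxy/ncsa/passwd
auth_param basic realm IPFire proxy
acl authenticated proxy_auth REQUIRED

# Two identities: the credentials configured in the OS proxy settings
# and the credentials configured in the users' browsers (names assumed)
acl os_account   proxy_auth os-updater
acl user_account proxy_auth alice bob

# Destinations the OS identity is allowed to reach (placeholder domains).
# A leading dot matches the domain and all of its subdomains.
acl update_servers dstdomain .example-updates.invalid
acl update_servers dstdomain .example-mirror.invalid

# Only CONNECT to 443 is tunnelled; everything else uses plain proxying
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !SSL_ports

# Policy, evaluated top to bottom; the first matching rule wins:
#   1. the OS identity may reach update servers only
#   2. any other OS-identity request is refused and logged
#   3. authenticated users may reach arbitrary destinations
#   4. unauthenticated requests trigger the 407 challenge / are refused
http_access allow os_account update_servers
http_access deny  os_account
http_access allow user_account
http_access deny  all
```

Two points worth keeping in mind when applying this. First, the separation only holds if the proxy is the sole way out: as the post says, the firewall ruleset on IPFire must drop direct client connections to the internet on ports 80 and 443 (and anything else the proxy is meant to cover), otherwise an application simply ignores the proxy settings and connects directly. Second, the `deny os_account` line is what makes unexpected OS traffic visible: a denied request from that identity shows up in the proxy access log with the destination it tried to reach, which is a useful signal that something on the client is phoning somewhere it should not.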
Thanks for the welcome and the suggestion. I’ll investigate and see how it goes.
BTW, I installed IPFire on a mini box about 5 years ago. I didn't do much with it other than apply a few rules. I didn't commission it, and it's been sitting on the bench since then. Just getting around to looking at it more seriously now! I had a few minor issues doing an upgrade from such an old version, so I did a clean install of the latest version. It's looking pretty good. The forum has come a long way since then too. Well done to the team!