The Firewall configuration recommendations for IPFire users guide contains very helpful information to harden default IPFire firewall settings. I think it should be the main starting point for any new user willing to customize the IPFire firewall rules.
The guide reports 5 rules needed to allow essential connections for IPFire itself, however after configuring them the user ends up with a partly functional system, because the Squid proxy server is unable to connect to the Internet. IMHO a phrase should be added to explain that in order to use the Squid proxy server another rule is needed to allow all outbound HTTP/HTTPS traffic.
If you agree on this, I could edit the blog page myself, although I think there are much more expert people here that could do a better job than me.
If I’m not mistaken (but maybe I am…) those are the ports that the proxy uses, and if the firewall closes them it will not work.
I tried it again on my system: if I change the “outgoing firewall” policy to “blocked” following the Firewall configuration recommendations for IPFire users guide, then I need to add a firewall rule to allow HTTP/HTTPS traffic from firewall interface RED to zone RED, otherwise the proxy server will not be able to fetch website data.
Yes I confirm. I set up the proxy on IPFire, and my browser is configured to access the Internet through the proxy. I need to open HTTP/HTTPS traffic from the IPFire server to the Internet for the proxy to work. IMHO this should be noted in the guide.
The default value for the “Forward Firewall” is “Allowed”. This means, in general, that any network packet is allowed to be forwarded to another network zone unless there is an existing rule preventing it. Such a rule can be added within basic zone policy or it can be customized to fit requirements for your various network zones.
When switching the “Forward Firewall” to “Blocked”, the traffic will no longer be transferred between the zones. Please note, the traffic from internal zones to your IPFire’s RED zone is also affected, but not the traffic of the IPFire system itself. You will then have to create firewall rules to re-allow desired packets between your internal network zones and the Internet.
Changing this behavior is what I would consider an advanced step.
If you have reached this point in your firewall journey that is Awesome.
Lots of users only block ports 80 and 443
and redirect to proxy or WPAD.
Yes, I fully implemented what is suggested in the Firewall configuration recommendations for IPFire users guide, blocking all forward and outbound traffic by default, and adding specific firewall rules to allow outbound traffic from the IPFire server only for the strictly needed protocols and ports.
So, following what is written in the “Allow essential connections for IPFire itself” section, I allowed DoT traffic to the primary and secondary DNS servers, outbound NTP traffic, and ICMP type 8 traffic to the gateway so that IPFire can measure its latency.
All this is fine, but I think that the guide should also mention that if the Squid proxy is used, another firewall rule should be added to allow outbound HTTP and HTTPS traffic. I am suggesting this as an improvement of that guide, because the Squid proxy is certainly an essential component of IPFire, so IMHO it should be mentioned together with the other five points reported.
I agree, but this is instructed by the guide: “To make things as secure as possible, however, it is necessary to drop any connection by default. In order to do so, change “forward firewall” and “outgoing firewall” policies to “blocked” on the firewall options CGI”.
After you do that, you need to add rules to allow some traffic. A few points are mentioned in the guide (DNS, NTP, ICMP, etc), but it is not mentioned that opening outbound HTTP/HTTPS traffic is needed for the proxy to work.
@pmueller since you are the author of that guide, can I post the text here so that you can add it to the blog page? Or otherwise can you enable me to edit it? Thanks
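As an added illustration of the check discussed in this thread (written for this thread, not taken from the guide or from any poster), the script below, run on the IPFire host itself, tests the outbound TCP connections that are needed once the “outgoing firewall” policy is “blocked” and reports which rule is still missing; the DNS server addresses and the test hostname are placeholders you would replace with your own.

```python
import socket

# Constructed list of the outbound connections this thread says the IPFire host
# needs once the "outgoing firewall" policy is "blocked": DoT to the DNS
# servers (TCP 853) and, for the Squid proxy, HTTP/HTTPS to the Internet.
# The addresses and the hostname are placeholders, not values from the thread.
REQUIRED = {
    "DoT to primary DNS":   ("203.0.113.53", 853),   # placeholder DNS server
    "DoT to secondary DNS": ("203.0.113.54", 853),   # placeholder DNS server
    "HTTP for Squid":       ("example.com", 80),     # placeholder website
    "HTTPS for Squid":      ("example.com", 443),    # placeholder website
}


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection from this host to host:port succeeds.
    Run on the firewall itself so it exercises the OUTGOING rules, not the
    FORWARD rules that clients behind the firewall hit."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def missing_rules(results):
    """Map check results ({check name: bool}) to the rule(s) the thread says
    are still missing, as human-readable hints."""
    hints = []
    dot = [ok for name, ok in results.items() if name.startswith("DoT")]
    if dot and not any(dot):
        hints.append("allow TCP 853 from RED to the configured DNS servers")
    squid = [ok for name, ok in results.items() if "Squid" in name]
    if squid and not all(squid):
        hints.append("allow TCP 80/443 from interface RED to zone RED "
                     "(needed by the Squid proxy)")
    return hints


def run_checks(required=REQUIRED):
    return {name: tcp_reachable(h, p) for name, (h, p) in required.items()}


if __name__ == "__main__":
    res = run_checks()
    for name, ok in res.items():
        print(f"{'ok  ' if ok else 'FAIL'} {name}")
    for hint in missing_rules(res):
        print("missing rule:", hint)
```

If the DoT checks pass but both Squid checks fail, the host's DNS rule is in place and the outbound HTTP/HTTPS rule described above is the one still missing.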
You can’t edit a blog post.
Quote from the blog post.
“change “forward firewall” and “outgoing firewall” policies to “blocked” on the firewall options CGI. Afterwards, a reboot is required to apply these settings.
After rebooting, nothing will work.”
So the page about this setting is the best place to do this.
The blog post is not an all-encompassing manual.
It is a guide.