Port fwd not working

Dear all,

this is my first message, migrating to micro-pc + ipFire few days ago and coming from a (very good) netgear fw318g, retired after 7+ years protecting my LAN :smile:

Well, as common habit entering in a large community, a short presentation of myself.

I’m from Italy, now retired as my netgear (LoL) after 38+ years spent in ICT, covering a lot of roles from old fashioned card punch hole (early '80 last century) to the new age of IoT. Nothing has changed in my honest opinion, considering we still have on the left a monitor, on the right a Server, in the middle a wire(less). Kitchen, gardening and photography are my hobbies, but ICT is and will remain in my heart, so here I am :slight_smile:

Well… go back to the reason of my question:

The topology of my LAN is as this pic:

edit: removed as per Forum rules (only one pic is permitted to newbies). Anyway it is the same as the new one (see below), just changed the router (as well explained in the text).

Changing the old netgear, I’ve bought a micro pc, installed debian10 + virtualbox + ipFire. I’ve maintained IP, DHCP, server config etc of my previous LAN, only replaced the hardware and the firewall software.

So, in short, the new topology is as below:

All clients, including the server, are able to go outside immediately after the installation without actions from myself. To permit to access the server from outside, I’ve created a new rule (to be honest more than one, one by one tested) to permit, from internet to see the HTTPS Web server, including the very dangerous ANY:ANY (for few minutes) but none. From outside can’t arrive to my https server.

Where is the block? What’s wrong? Because nothing has changed in my old configuration, except the firewall, I guess the block is inside it. Well, but where?

Any ideas? Suggestions?

Thank you so much in advance for gentle replies, and “Ciao” from Italy

Paolo

Good night and welcome @ucciopa.

Have you made one “DMZ Host” in your Router for all petitions from internet redirect to IPFire’s WAN IP?

It’s an idea.

Regards.

Hi Roberto, thanks for reply.

Good point indeed and yes, sure. The address 192.168.2.101 (ipF wan-red) is assigned via Router DHCP and this IP is marked as dmz as shown in the pic (dmz)

Kind regards

According to https://wiki.ipfire.org/installation/step5, DMZ is unprotected in IPFire. The provision for DMZ in IPFire appears to be oriented to users having routers in bridging mode.

If your router has at least two LAN ports and supports DMZ, then you might do better to put your https server on one of those and use only GREEN & BLUE zones on IPFire.

Sounds like you have firewall rules in place to port forward to your server.
I can’t port forward 443 on my server due to Verizon g1100 router will not port that port
even in g1100 DMZ.
Default rules can be found here: https://wiki.ipfire.org/configuration/firewall/default-policy

Hi there,

thanks to all for replies. After a day or so to find out to solve the issue, reading all FAQs, KB, re-create the VM with only RED-GREEN connection and so on… according to the Murphy’s law I resolved the issue. Physical cable connecting server to GREEN-LAN segment is interrupted in one or more of 8 wires (occurred to me very few times in many years). For immediate waste… A friend of mine suggested me to check and… solved :grinning: :smiley: :grin:

Thanks to the ipFire team for developing this outstanding firewall

Paolo