RED to Green - none of the Web Pages, SSH, or SFTP seem to work

I am struggling a bit with this line. The forum software removes things like multiple commas in sequence, even in the blockquote section, so from your entry I cannot determine in which entry of the firewall list you are placing that. Can you count the number of comma-separated items up to that URL, including sequential commas with no spaces? From that I can then determine which part of the hash key that entry is being put in and compare it to what is expected by the firewall code.
Either that, or take a screenshot of the line in question in the file, or preferably show the Firewall Rules WUI page for that entry.

EDIT:
I have figured out from your post a couple of messages earlier that the URL is just your remark.

However, you also have an entry “maidocs web” with a space in it. Which entry is this for? If this is supposed to be a hostname, then it will fail the validhostname check, but that must have been happening since CU154.

2 Likes

I think I have figured out that you have a host entry under the Firewall Groups menu item which is called “maidocs web”, with a space. I have tested that on my system and I end up with that in the file on IPFire. As that “name” for the host is converted to an IP, that should work with the firewall rule with no problem. You are also saying that the rule is the same as the one that worked for CU169, so it should work with CU171, as the firewall rules page has not been modified. There must be some other issue occurring which results in a rule not executing fully or correctly.

Looking back on this thread you just say that the rules do not seem to work.

Can you provide a bit more detail on that, such as what error message you get when you try to do the access, and what messages you get in the logs at the time that you do that?

You can set up messages to do a tail and see what comes up when you do the access.

3 Likes

10(1),ACCEPT(1),FORWARDFW(1),ON(1),std_net_src(1),ALL(1),tgt_addr(1),172.16.168.253/32(5),ON(3),cust_srvgrp(1),Web-Page-SN(1),maidocs web(10),00:00(1),00:00(1),ON(1),www(dot)maidocs(dot)com(2),dnat(5),second

(1), = the number of commas

Cool-down was 2 hours.

I got the hardware built up to cable-swap between the 169 and 171 with my changes done. Removed all the hyphens and spaces in the user-named Aliases, Hosts and Services, but not the remarks. All the changes work in 169.

AsRock Rack C3558D4I-4L / 8Gigs RAM

IPFire is so good. I got a DDoS attack on my old firewall; we could do nothing. I built an IPFire system, 30 minutes of setting up the firewall, and everything was up. IPFire showed 3 trillion hits per minute. It dropped so many, but we had webpages, mail and FTP all running and users could get to everything again.

I cannot log on with my old account because I have hyphens in the name, Old-IT-Guy, and I could not use my email address. Also, using my Gmail account I could not set the password; I would get a “Something went wrong” 404 error.

This little problem may be one of my settings that 170 and 171 do not like. If I find it I will let you know.

1 Like
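The comma counting asked for earlier in the thread is easy to get wrong by hand. The following is an added example (mine, not IPFire code and not from the thread): it expands the “value(N),” notation of the post above into the literal comma-separated line, lists the 0-based position of every populated field, and flags any field that contains whitespace, which is the “maidocs web” concern raised earlier. What IPFire stores at each position is defined by its firewall code and is not claimed here; the input is reconstructed from the post, with the forum's “(dot)” spelling of the remark written back as dots (an assumption).

```python
"""Expand the comma-count notation from the post above and index the fields.

Added example, not IPFire code.  Positions are simply the 0-based index in the
comma-separated line; what IPFire stores at each position is NOT claimed here.
"""
from __future__ import annotations

import re

# Constructed from the post: "value(N)," means that value is followed by N commas.
# The forum's "(dot)" spelling of the remark is written back as dots (assumption).
POSTED_LINE = (
    "10(1),ACCEPT(1),FORWARDFW(1),ON(1),std_net_src(1),ALL(1),tgt_addr(1),"
    "172.16.168.253/32(5),ON(3),cust_srvgrp(1),Web-Page-SN(1),maidocs web(10),"
    "00:00(1),00:00(1),ON(1),www.maidocs.com(2),dnat(5),second"
)

# One token: the value (no parentheses inside), its comma count, optional separator.
_TOKEN = re.compile(r"([^(]*?)\((\d+)\),?")


def expand_comma_counts(posted: str) -> str:
    """Rebuild the literal line: each 'value(N),' becomes value + N commas.

    The final token carries no count and is copied unchanged.
    """
    parts = []
    end = 0
    for m in _TOKEN.finditer(posted):
        value, count = m.group(1), int(m.group(2))
        parts.append(value + "," * count)
        end = m.end()
    parts.append(posted[end:])  # trailing field such as "second"
    return "".join(parts)


def index_fields(line: str) -> list[tuple[int, str]]:
    """Return (position, value) for every non-empty field of a config line."""
    return [(i, v) for i, v in enumerate(line.split(",")) if v != ""]


def fields_with_whitespace(line: str) -> list[tuple[int, str]]:
    """Populated fields containing whitespace; a hostname check would reject these."""
    return [(i, v) for i, v in index_fields(line) if any(c.isspace() for c in v)]


if __name__ == "__main__":
    line = expand_comma_counts(POSTED_LINE)
    print(line)
    print(f"{len(line.split(','))} fields in total")
    for pos, value in index_fields(line):
        print(f"[{pos:2d}] {value}")
    for pos, value in fields_with_whitespace(line):
        print(f"field {pos} contains whitespace: {value!r}")
```

Run it and compare the printed positions with the order in which the firewall code reads the line; any populated position holding a name with a space is the one to check against the validhostname rule.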

Here is something a bit odd. When testing from outside with my phone I get timed-out errors (171).

From inside I get to the webpages fine (169), all but one. I have one webpage set up so only one user and the inside can get to it, using host IP groups. But the inside gets an IPFire “Connection to failed. Returned (111)” error; it does the same in 169, but not in 168. Note that it also fails from outside with 170 and 171.

Not sure if there are any clues here. Please note I am doing this live with users needing internet stuff, so getting information fast is a bit hard, and with the limit on posts there is a 2-hour cool-down before I can post again.

Thanks, ideas do help here. Outgoing is fine; everything works from inside, even the hosted webpages, and using the IPs of the hosted pages works. But from outside I am getting timed out, not found, cannot find. But ping works; I turned it on to test. But that one page: I deleted it and put it back, and deleted everything about it (Hosts, Services, Alias) and put it all back, with the same outcome. 169 outside works, but 171, nope, not working.

Removed all the spaces and hyphens; just numbers and letters now, for Aliases, Hosts, Services, Remarks.
I just need to swap cables to the 171 to test it.

iptables, Firewall Options, Location Block are all default; nothing was changed.
Advanced Web Proxy enabled and transparent on green. Nothing else changed.

Squid (the web proxy) was updated in CU171 from 5.6 to 5.7, and from 5.5 to 5.6 with CU169.

Might be worth trying without the web proxy enabled, to test if Squid is involved in the problem. I understand that with people using the system that test may not be easy to do.

A post from another user had problems with pinholes from blue to green not working with CU171; they worked with CU169, and worked with CU171 if the transparent proxy was turned off.
https://community.ipfire.org/t/fw-pinholes-not-working-with-squid-transparent-proxy-on-blue-core-171/8840
The changes from Squid 5.6 to 5.7 were just bug fixes, so nothing that would be expected to cause the problem. As turning off the transparent proxy made his firewall rule work, it would be worth a try if you could find a way to schedule the test on your system.

On my live system I am not using transparent with the web proxy.

I am hoping to be able to test out transparent proxy with pinholes on my vm testbed next week when my system is available again.

1 Like

Removed all hyphens and spaces, turned off the web proxy, rebooted; still cannot find the webpages. Going out is fine. The pages just time out. Next I am going to try and just start from scratch and reinstall again, yet I have done this in 170 and it did not work. I even downloaded pfSense to learn it. I am hoping this works this time.

After a clean install of 171, I hand-keyed everything in. No web proxy. Test at 5:30 am: moved the cables, pinged to make sure I could see the server on both Orange and Green, pinged Google, set the time server up, rebooted. Test one: can I get to the internet from my computer? YES. Second test: mail on Orange, send and receive? YES. From inside, can I get to the webpages? Yes. Now from my phone, not on Wi-Fi, get to the webpages? NO. Used GeoPeeker to see if they could see our webpages: NO. Changed the Standard Networks from ANY to RED: no change. Rebooted: no change. Moved the cables back to the 169 system; everything is up again. I looked up how long we have been using this system: September 2011. I have looked for any input changes that may have happened for entering. As I noted before how I am doing it, no one said that they changed it and that you should do it this way. Note: I did see the Standard Networks set to RED, but in 169 that does not work; ANY does work. In 171, note that ANY lets me get to webpages from inside, but RED not at all. Note: on Orange I have to put a path out; I have not seen anything about GREEN needing this. If yes, let me know; I can add it for the next test.

Why I hand-keyed: my thinking is that something in the backup may be bringing something over I do not know about, or a coworker may have added something, that does not affect 169 but does 170 and 171. I did hand-key the information in 170 and it did not work; I hoped that maybe just that was the problem. Note: I had to change out the SSD, for it started putting out errors about not being able to write. I was hoping that also may have been the problem. New SSD and still the same. Outgoing works fine. No access to webpages.

1 Like

Test today failed. My next test is to put a Raspberry Pi with a test page on it and host it from the Orange side; everything on the Orange side works. If that works, I have to put an SSH key on it and see if it still works. My thinking here is that the SSH keys are keeping the RED from working because the IPs are not really on the public side. Orange seems to work with the SSH keys, but I have to test this.

Test today: Raspberry Pi page on the Orange worked. I think I am just going to move all my services over to the Orange DMZ. RED seems to not relay the SSL so the certificates work. This could be why none of the pages or SFTP work.

Well, it seems the public IP of the page falls back to the IP of the IPFire public gateway, and the SSL cert is looking for the IP return of the webpage's IP. This makes the SSL cert fail.

It seems I found the problem: hardware too new. No Linux drivers for the Intel X533 NIC. I have to go find older hardware to run IPFire, until drivers are made for Linux. Thanks for helping.

Hi Chuck, can you please guide me how to create internet access firewall rules,
Red+Green?

To make a rule, I would have to know what you are hosting: web page, SFTP, game server. You would have to know your public IPs (Red) and your private IPs (Green). On a RED IPFire, by default Green can access RED but RED cannot access Green. So you will only need the rule to let RED access the ports and IP you want the public to see. You can google the ports needed for about any game or service.

Under Network, then Aliases, make an alias for the public IP.
Under Firewall, then Firewall Groups, then Services, set up the ports needed if not listed. Then in Service Groups make a group of services if more than one service is needed.

Firewall rules: make a new rule.
Source - Standard Networks (ANY) to let everyone in.
NAT - Use NAT as Destination NAT (Port Forwarding) - Firewall Interface (this is the alias; it should be in the pulldown).
Destination - Destination Address is the GREEN IP of the computer you want others to access.
Protocol - Preset services you made or want to use: HTTPS for an HTTPS webpage.
REMARKS - Note what this is for.
Checkmark Activate Rule (to turn it off, uncheck it).
Save it now. Test it. Note it will have to be from the internet side. I find things work from the inside fine but sometimes not from the outside.

1 Like
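The last step above, testing from the internet side, is where this thread keeps failing, and “timed out” versus “Connection refused” (errno 111, mentioned earlier in the thread) point at different places. The following is an added example, not from the thread and not IPFire code: a small probe you run from a host outside the firewall against the public (RED) address, which classifies one TCP connect attempt as open, timeout, refused or unreachable and says what each usually means for a DNAT rule. The address in the docstring is a documentation example, and the self-test only uses loopback so it runs offline.

```python
"""Probe a port-forwarded service from the Internet side and classify the result.

Added example, not from the thread and not IPFire code.  Run it from a host
OUTSIDE the firewall against the public (RED) address, for example
    python3 probe.py 203.0.113.10 443      (203.0.113.10 is a documentation address)
With no arguments it runs the loopback self-test.
"""
from __future__ import annotations

import errno
import socket
import sys

EXPLANATIONS = {
    "open": "TCP handshake completed: the DNAT and forward rule delivered the SYN "
            "and the server's reply came back through the firewall.",
    "timeout": "No answer at all: the SYN was dropped (no matching DNAT/forward rule, "
               "a DROP earlier in the chain, or the server sends its replies "
               "to a different gateway).",
    "refused": "RST received (errno 111): some host answered but nothing listens "
               "on that port there; the packet reached a box, possibly the wrong one.",
    "unreachable": "ICMP unreachable from a router: the problem is before the firewall.",
}


def probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt one TCP connect; return open / timeout / refused / unreachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:      # ECONNREFUSED == 111 on Linux
            return "refused"
        except OSError as exc:
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "unreachable"
            return f"error:{exc.errno}"
        return "open"


def demo_local() -> dict[str, str]:
    """Loopback self-test: one listening port, then the same port with no listener.

    Demonstrates the 'open' and 'refused' classifications without network access.
    """
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))          # kernel picks a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        results["listening"] = probe("127.0.0.1", port, timeout=2.0)
    # Listener is closed now, so a new SYN to that port is answered with RST.
    results["closed"] = probe("127.0.0.1", port, timeout=2.0)
    return results


if __name__ == "__main__":
    if len(sys.argv) == 3:
        verdict = probe(sys.argv[1], int(sys.argv[2]))
        print(verdict, "-", EXPLANATIONS.get(verdict, "unexpected socket error"))
    else:
        for name, verdict in demo_local().items():
            print(f"{name}: {verdict} - {EXPLANATIONS[verdict]}")
```

A timeout from outside while the same rule answers from inside is the pattern reported in this thread; the probe cannot say which rule is missing, but it separates a dropped SYN from a reached-but-closed port, which is the first thing to know before reading the firewall logs.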

Got the new hardware in; I have IPFire installed. I will be testing it on Monday. For today I will just be checking the settings over and waiting till I have a good time to change over, when the internet is not being used. The hardware I got said FreeBSD would run on it, so NIC drivers should be good…

New/old hardware fail. NOTE: the older hardware also fails. One, it only has 2 NICs, and we added the Orange so we needed 3 NICs; we had a USB-to-Ethernet adapter that worked till 170. So we updated to newer hardware and got it too new; Linux drivers for the NICs do not exist yet. The new/old hardware came with FreeBSD installed on it. Looked up the NICs, and drivers do exist for Linux. Orange works, Green works, Green going to the internet works. Red getting to webpages on Green fails. We are still up and running with 169. I flipped the Orange so the page exists there. Odd, it failed too. I used the information from NOTME to set up the Orange. Any ideas are welcome.

Today's test: I dropped back to the hardware with USB for the Orange. Still no access to anything on the Red per firewall settings. Hand-keyed all the rules again. Backup, test failed; restored from the 169 backup, test failed. I can access from the Green side to the public IPs and DNS names; the public side is “Page timed out. Fails to respond.” 169 is still all good. I now have 8 hardware changes. All 8 work with 169; none work with 170 or 171. I started this on Nov 3. No one uses IPFire for incoming firewall traffic? Or no one has moved forward to 171? Odd, no response for a long time here, but I will keep updating till I find an answer on my own, or someone else comes along with the answer.

Things I have noticed that break IPFire:
Intrusion Prevention System: after a restore nothing works till you turn off the Intrusion Prevention System, set it up again and start it again; then it is working again.

Having to go back after a failed firewall, 170 back to 169: you cannot install anything (ClamAV, Guardian) from the Pakfire menu without triggering the update back to 170 or 171.

Seems no one has any ideas why hosting a webpage does not work in 170 and 171 but does in 169. I rebuilt, rekeyed, googled; all I get is that it should work. I have looked for odd things and found some and fixed them, but that did not fix the “Webpage Timed out”; then I flip it back to 169 and it works again. Here is the odd thing: I keyed in the firewall settings in 171, backed up, restored into 169, had to fix small problems, but it works in 169. I am rebuilding yet again. Hope to test soon.

It seems you couldn't explain/show your rules and system to users who can and want to help you.
IPFire has a lot of configuration possibilities, errors included, so it is necessary to describe your specific system.
Features functioning in CU169 but not in CU171 may be wrong configs tolerated by older versions.

2 Likes