Restrict an ip address

Is it possible to restrict an IPFIRE-dhcp connected machine on the internal LAN to connect only to ipfire and to only communicate to Ipfire which provides the DNS IP. All the other servers on the LAN are static.

This machine needs to be on the lan to use internet and connect with only firewall and it is not trusted.

Any idea if I can restrict this machine connected to the LAN and DNS IP obtained from IPFIRE-DHCP to basically not be able to connect to any other server on the lan and only send data to the Firewall (Ipfire) ?

Hi,

you can. We are developing a firewall here, aren’t we? :wink:

Please refer to the documentation on how to create firewall rules matching your needs. Further information regarding a secure configuration of IPFire’s firewall engine in general is available here.

Thanks, and best regards,
Peter Müller

1 Like

I was very good with ipchains. They then went and introduced Iptables which is un-understandable.
I was hoping that IPFire already has ready made functions for common tasks such as the one I listed.
The manual requires in depth knowledge of iptables which if I add rules that I do not understand I will break the security of a very good IPFire firewall that served me well the last 3 years

I dont have the confidence to add iptables code. It is non-sensical.

You could possibly add a Blue zone for that device
Blue would be a vlan.

Thanks Shaun I will try to read up how to do it.
I currently run Red and Green interfaces, and tried to see if I can easily add another interface, I have 3 eth cards on this server. In the IPFire http control panel, I could not find to add the interface there. I then ssh’d as root and ran setup. I can do it there, but then I have to reconfigure my Green and Red also. That is a bit dangerous as they work great and I dont want to fiddle with them.

Is there any other way to easily add a Blue or Orange interface without reconfigureing the Red and Green ?

If you keep the same mac assignment I would think nothing should change.

1 Like

This is not possible because the traffic not reach IPFire in a swithed network.

You need to put it in an seperated lan or at least vlan if the switches support vlan. (Keep in mind that IPFire can only handle 3 lans.)

1 Like

login to console or via ssh. Here you can run “setup” an add the blue zone and assign the card to it.

1 Like

Thanks Arne, I will do just that and put it on a separate interface.

I did mention that I ssh’d into Ipfire and ran setup there in my reply to Shaun.

the problem is to make sure Red + Green is not altered and there seems to be no way to leave them as is and I have to reconfigure them again just to add the Blue interface adding risk. It is dead simple, but still.

I will do that once I made a backup disk of the firewall. My current hot swap backup is a bit old. I dont have much time to add the green interface before the firewall needs to be up again.

But thanks to all who responded, I have a better solution now and dont have to go through ipchains trickery to isolate these few machines. I never needed or knew what the Blue interface did until Shaun explained it so by his explanation that is the right thing to do.

Normal you can add a zone without changes on red and green. Only Blue must be a different subnet.

1 Like