Specific port blocking for certain IPs


I want to prohibit access to red from an internal PC on individual ports.
How do I do that?
In the input form I can only select the IP but not add a port.


My comment (sorry if you find this offensive): RTFM. :wink:

1 Like

What is the problem when setting up IPFire for the first time? You ask something stupid and don’t know why it’s stupid for others.

You ask about several aspects of your first setup; that’s OK.
But to answer, it is necessary to know the environment of the IPFire system. You never gave this information.
So it is only possible to answer in a general manner.
Your actual problem is “deny traffic <IP>:<port1> to <WAN>:<port2>”. A special case of this problem is “deny access to external DNS servers” for port2=53.
For this problem you can find several postings in this community and also an article in the wiki (which is our ‘manual’).

1 Like

First of all, I want to block the entire Internet access of individual network subscribers from green.
I hope this fits.

A second rule should then release individual ports e.g. 80

It is exactly the other way around from what I wanted, but that should be better because I do not have to search for used ports.

What interests me is how the rules are processed.
I assume that the first rule match interrupts the processing of the rules if the conditions are true.

Can anyone confirm this for me?

Yes, that is correct.

This is also not the way DNS requests are denied.

Yes, this is the behaviour of iptables, the firewall engine of IPFire.
See also

You can also use IP addresses that do not go through the DNS.

That is enough information for me.

Thank you.

‘DNS deny’ is a special case of ‘block certain ports’, as described in an earlier post.

Go to Firewall - Firewall Groups

Press Services button
Give a name to the service and choose the protocol. If you want both tcp and udp you will need to create two services with different names.
I chose test1 for tcp and test2 for udp.
For both you can define a port or port range. If you want a range specify it as 55-2000 or 55:2000. In either case it will be entered as 55:2000.

Then press Service Groups button
Create a Group Name and add a remark. I used test for the name. Press Add and a dropdown box appears from which you can select the service you created.
So I selected test1 and pressed add, then selected test2 and pressed add.
This gives me a service group called test that contains specified ports for test1 with TCP and the same for test2 with UDP.

Go to Firewall - Firewall Rules

Press New Rule
Add the IP for the computer you want to block into the Source Address Box
Then choose for Destination Standard Networks - RED

Select preset on the protocol button and select Service Groups and select test from the dropdown box.
If you only want TCP or UDP but not both then you could select Services and select test1 or test2 or whatever names you have chosen.

Select DROP, define the rule number if you want it different to the default that is prefilled, add a remark etc and then press Add and then press Apply Changes.

That firewall rule should then stop your defined IP computer from accessing your specified ports on red over TCP and/or UDP.

1 Like
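As an added example (not code from IPFire or from anyone in this thread), the following Python model walks through the two points the thread makes: the service-group rule described in the last post (one TCP and one UDP service, ports given as 55-2000 or 55:2000, source PC, destination RED) and the first-match rule processing confirmed earlier, including the "deny external DNS" special case from the earlier reply. The green network 192.168.1.0/24, the PC address 192.168.1.50, the sample packets and the default ACCEPT policy for unmatched traffic are all constructed assumptions; the actual packet matching in IPFire is done by iptables, and this model only reproduces its ordering semantics.

```python
"""Constructed model of IPFire rule evaluation (added example, not IPFire code).

Assumptions: green is 192.168.1.0/24, the PC to restrict is 192.168.1.50,
and the default forward policy is ACCEPT so that unmatched traffic passes.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

GREEN = ip_network("192.168.1.0/24")      # assumed internal (green) network
PC = ip_network("192.168.1.50/32")        # assumed host to restrict


@dataclass(frozen=True)
class Service:
    proto: str          # "tcp" or "udp": the GUI needs one service per protocol
    low: int
    high: int

    def matches(self, proto: str, dport: int) -> bool:
        return proto == self.proto and self.low <= dport <= self.high


def parse_service(proto: str, spec: str) -> Service:
    """Accept a single port, '55-2000' or '55:2000'; both forms mean 55:2000."""
    spec = spec.replace("-", ":")
    low, _, high = spec.partition(":")
    lo, hi = int(low), int(high or low)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return Service(proto, lo, hi)


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    to_red: bool            # destination "Standard Networks - RED": anything outside green
    services: tuple         # empty tuple = any protocol and port
    action: str             # "DROP" or "ACCEPT"
    remark: str = ""

    def matches(self, pkt: Packet) -> bool:
        if pkt.src not in self.src:
            return False
        if self.to_red and pkt.dst in GREEN:
            return False
        if self.services and not any(s.matches(pkt.proto, pkt.dport) for s in self.services):
            return False
        return True


def evaluate(rules: list, pkt: Packet, policy: str = "ACCEPT") -> str:
    """iptables semantics: rules are walked in order and the first match ends processing."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return policy


def pkt(src: str, dst: str, proto: str, dport: int) -> Packet:
    return Packet(ip_address(src), ip_address(dst), proto, dport)


# Service group "test" from the post: test1 = tcp 55:2000, test2 = udp 55:2000.
TEST_GROUP = (parse_service("tcp", "55-2000"), parse_service("udp", "55:2000"))
BLOCK_TEST = Rule(PC, True, TEST_GROUP, "DROP", "PC -> RED, service group test")

# "DNS deny" as a special case: a service group for port 53 on both protocols.
DNS_GROUP = (parse_service("tcp", "53"), parse_service("udp", "53"))
BLOCK_DNS = Rule(PC, True, DNS_GROUP, "DROP", "PC -> RED, external DNS")

# Order matters: a blanket DROP placed before an ACCEPT for port 80 shadows it.
BLOCK_ALL = Rule(PC, True, (), "DROP", "PC -> RED, everything")
ALLOW_WEB = Rule(PC, True, (parse_service("tcp", "80"),), "ACCEPT", "PC -> RED, http")

# Constructed sample traffic (not captured data).
WEB = pkt("192.168.1.50", "203.0.113.10", "tcp", 80)
SSH = pkt("192.168.1.50", "203.0.113.10", "tcp", 22)
DNS = pkt("192.168.1.50", "203.0.113.53", "udp", 53)
LAN = pkt("192.168.1.50", "192.168.1.1", "tcp", 80)       # stays inside green
OTHER = pkt("192.168.1.51", "203.0.113.10", "tcp", 80)    # a different PC

if __name__ == "__main__":
    for name, rules, p in [
        ("test group blocks tcp/80", [BLOCK_TEST], WEB),
        ("tcp/22 is outside 55:2000", [BLOCK_TEST], SSH),
        ("udp/53 is outside 55:2000", [BLOCK_TEST], DNS),
        ("DNS rule catches udp/53", [BLOCK_DNS], DNS),
        ("green traffic is not RED", [BLOCK_TEST], LAN),
        ("other PC unaffected", [BLOCK_TEST], OTHER),
        ("DROP-all first shadows ACCEPT", [BLOCK_ALL, ALLOW_WEB], WEB),
        ("ACCEPT first, then DROP-all", [ALLOW_WEB, BLOCK_ALL], WEB),
    ]:
        print(f"{name:32} -> {evaluate(rules, p)}")
```

The last two cases are the practical consequence of first-match processing: if the plan is "block everything, then open port 80", the ACCEPT rule for port 80 must get the lower rule number so it is evaluated before the blanket DROP; in the other order it never fires. The udp/53 case also shows why the 55:2000 group does not stop DNS by itself, which is what makes "DNS deny" a separate service group in the same scheme.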