Webgui access from red


can somebody explain me, what have i todo when i want access the webgui from the red site?
Current i dont have access to the webgui.


Do that with port 444: https://wiki.ipfire.org/configuration/firewall/rules/port-forwarding/red_to_server_on_green

Source: Network RED -> Destination NAT -> Destination: Firewall ALL

Destination Port 444

Is there any need to expose IPFIRE’s administration GUI to everybody from outside the world? This would be very dangerous! - If you need to access your firewall from RED using a dedicated system (laptop e.g.) or a small number of systems: configure an OpenVPN roadwarrior-connection to GREEN and access the GUI from here - this would be the most secure way.


I can agree with suggestions to @baruch234.
Until GeoIP worked correctly, i downsized the access to 444 port on RED only from IP of my country.
And for several reasons, do not expose admin interface is a nice and safe setup.

Therefore… if:

  • webgui is correctly designed for login in a secure way (I bet that’s so)
  • the password is a good one and not a crapword
  • you have a backup admin user without a “well known name”
  • you have backup of logs and config available
  • there’s a Fail2ban mechanism to avoid brute force (should be a nice add to IPFire)

keeping accessible the admin interface from internet is not a wise idea, but should not be like playing with lighter between tanks of gasoline

Instead of fail2ban will guardian drop any failed login attempts above three

GeoIP is not working atm (list blank).

I think it is no good idea to search for a solution for admin access from RED. Administation should be done from GREEN ( or BLUE ). This is secure zone.
There are ways to allow access to LAN from outside for dedicated systems ( VPN, SSH tunnel ).
Use this to do a secure remote administration.

1 Like

I use the ssh login with “public key based authentication” only, and port forwarding for that purpose.

1 Like

I think that is the exact description of my “SSH tunnel” topic. Didn’t use it for years.
Nevertheless, one should establish exactly one secured access from outside to the internal net(s) for dedicated persons/devices. Thus access can be monitored/administrated without much overhead and complexity.

i found for me a solution :wink:

Hi Bernhard, do you have a link for the SSH tunnel discussion? Since the last update I cannot get it working. I would like to have it back as an alternative to VPN when/if it stops working (which it resently has done). Thanks