I have set up IPFire with IPS/IDS turned on, and the only firewall rule I have is to force the use of the IPFire DNS. I am not using web proxy (Squid) or the URL Filter because even with WPAD, I can’t get it to consistently work and properly filter content.
I am not running a VPN (outbound or inbound). The use case is a family home.
I have read this blog post Firewall configuration recommendations for IPFire users but lost the WUI. I also need to spend more time with that post to better understand it.
Since I only have one firewall rule, what is the state of security of my setup? Am I at major risk without building more rules? I ask because up to this point, I am only connecting my IPFire box while I am working on it and trying to learn. When I am finished working on it, I switch back to my old ASUS router because I am not sure if my IPFire box is properly set up to protect my network.
Hi John and welcome.
Do you know if your ISP modem is set up in bridge mode, or in gateway/router mode?
If the latter, then it typically has its own simple firewall (which can be disabled in the configs but should be left on) that can act as the primary block against the bulk of the outside world before it even gets to IPFire.
That is the layout I use and it works great for home. So even with the out-of-the-box default settings of IPFire, which are already pretty hardened, you can feel safe and play around with hardening its security features even more.
Actually, no, there is no ISP modem in front of my IPFire box. I have fiber to the home and set up my IPFire box with a PPPoE VLAN connection direct to my fiber ONT.
Hello and welcome. The IPFire baseline is in the firewall options. There are three lists: input, forward and outbound. At least for me, forward and outbound are set to ALLOW while input is DROP. So IPFire will drop ANY unsolicited input, as there are no ports open on red with a default install. Of course, it will allow incoming data on already established connections. For connections from your firewall (outbound) and from your LAN to the internet (forward) it will allow ANY connection. That is, as @pmueller wrote in the article you cited, the same behaviour that is found in consumer modem/routers.

The next post would be to set outbound to DROP and create rules to allow DNS/NTP/proxy from your IPFire. Setting forward to DROP is something I struggle with, though. There are too many devices in a home network that have difficulties working through a proxy, and hunting for the needed IP/ports is pretty exhausting. As is blocking traffic for devices from family members who don't care much about security.
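To make the policy logic in this reply concrete (default input DROP, forward and outbound ALLOW, established traffic always accepted, and the suggested next step of setting outbound to DROP with explicit allows for DNS/NTP/proxy), here is a small added model of how those three chains decide on a packet. It also includes the original poster's single rule that forces LAN clients to use the IPFire DNS. This is example code written for this thread, not IPFire's own implementation: the chain names mirror the WUI's firewall options page rather than IPFire's internal iptables chains, the firewall address, sample packets, the assumed "GREEN may reach the firewall's own services" rule and the allowed outbound ports are all constructed.

```python
from dataclasses import dataclass
from typing import Optional

ACCEPT, DROP = "ACCEPT", "DROP"
FIREWALL_IP = "192.168.1.1"  # assumed GREEN address of the IPFire box (constructed)


@dataclass(frozen=True)
class Packet:
    chain: str           # "input" (to the firewall), "forward" (through it) or "outbound" (from it)
    src_zone: str        # "red", "green" or "fw" (the firewall itself)
    dst_ip: str
    proto: str
    dport: int
    established: bool = False  # reply packet of a connection the firewall already tracks


@dataclass(frozen=True)
class Rule:
    chain: str
    action: str
    src_zone: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    dst_ip_not: Optional[str] = None  # match only when the destination is NOT this address

    def matches(self, p: Packet) -> bool:
        return (
            self.chain == p.chain
            and (self.src_zone is None or self.src_zone == p.src_zone)
            and (self.proto is None or self.proto == p.proto)
            and (self.dport is None or self.dport == p.dport)
            and (self.dst_ip_not is None or self.dst_ip_not != p.dst_ip)
        )


def evaluate(p: Packet, rules, policies) -> str:
    """Stateful evaluation: established traffic is accepted first, then the
    first matching rule wins, otherwise the chain's default policy applies."""
    if p.established:
        return ACCEPT
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return policies[p.chain]


# Defaults as described in the reply: input DROP, forward and outbound ACCEPT.
DEFAULT_POLICIES = {"input": DROP, "forward": ACCEPT, "outbound": ACCEPT}

# The original poster's one rule: LAN clients may only talk DNS to the firewall itself.
# The first rule is an assumption: GREEN may reach the firewall's own services.
DEFAULT_RULES = [
    Rule("input", ACCEPT, src_zone="green"),
    Rule("forward", DROP, src_zone="green", proto="udp", dport=53, dst_ip_not=FIREWALL_IP),
    Rule("forward", DROP, src_zone="green", proto="tcp", dport=53, dst_ip_not=FIREWALL_IP),
]

# The reply's suggested next step: outbound DROP plus explicit allows for what the
# firewall itself needs (DNS, NTP, HTTPS for updates/proxy; the port list is assumed).
HARDENED_POLICIES = {**DEFAULT_POLICIES, "outbound": DROP}
HARDENED_RULES = DEFAULT_RULES + [
    Rule("outbound", ACCEPT, src_zone="fw", proto="udp", dport=53),
    Rule("outbound", ACCEPT, src_zone="fw", proto="udp", dport=123),
    Rule("outbound", ACCEPT, src_zone="fw", proto="tcp", dport=443),
]

# Constructed sample traffic; public addresses are from the 203.0.113.0/24 documentation range.
SAMPLES = {
    "red_ssh_probe":  Packet("input",    "red",   FIREWALL_IP,    "tcp", 22),
    "red_reply":      Packet("forward",  "red",   "192.168.1.50", "tcp", 51000, established=True),
    "lan_dns_bypass": Packet("forward",  "green", "203.0.113.53", "udp", 53),
    "lan_dns_to_fw":  Packet("input",    "green", FIREWALL_IP,    "udp", 53),
    "lan_https":      Packet("forward",  "green", "203.0.113.10", "tcp", 443),
    "fw_ntp":         Packet("outbound", "fw",    "203.0.113.20", "udp", 123),
    "fw_irc":         Packet("outbound", "fw",    "203.0.113.30", "tcp", 6667),
}


def verdicts(rules, policies) -> dict:
    """Verdict for every sample packet under the given ruleset and default policies."""
    return {name: evaluate(p, rules, policies) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, (rules, policies) in {"default": (DEFAULT_RULES, DEFAULT_POLICIES),
                                     "hardened": (HARDENED_RULES, HARDENED_POLICIES)}.items():
        print(label)
        for name, verdict in verdicts(rules, policies).items():
            print(f"  {name:15} {verdict}")
```

Running it shows the point of the reply: with the defaults, the unsolicited probe from red is dropped and the reply to an established connection passes, but anything the firewall itself opens (here a constructed connection to TCP 6667) is allowed; with outbound set to DROP, only the explicitly allowed DNS/NTP/HTTPS leaves the box, while LAN-to-internet traffic is unchanged because the forward policy was left alone.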
Generally speaking, one size never fits all - certainly not when it comes to IT security.
In your case (securing a home network, but a strict firewall ruleset is not yet in place and/or causes trouble), I think configuring the IPS in a good way would make sense as a next step. That way, you can at least catch the most common threats, malware and C&C communication, without having to configure firewall rules first.
If your IPFire installation was set up before Core Update 163, please also ensure the “drop hostile” feature is enabled. This is a “no brainer”, dropping all traffic from and - more importantly - to networks posing a technical threat. It is designed to be enabled everywhere, but we left it disabled on existing installations to avoid interfering with our users’ configuration.
Thanks, and best regards,