Outgoing Firewall

Here you control connections from the inside (the LAN and IPFire itself) to the outside (WAN). Traffic can be allowed, blocked or restricted. The “Outgoing Firewall” page of the web interface offers three modes for handling outgoing traffic, so first decide which mode you want to use:

Modes of the Outgoing Firewall

  • Mode 0 : “Everything is allowed”. All traffic from the LAN and from IPFire to the Internet is allowed. In this mode no rules can be edited and the p2p-block (see below) is not available.
  • Mode 1 : “Everything is forbidden that is not explicitly allowed”. All traffic from the LAN and from IPFire to the Internet is blocked, except for what the rules you create (allow rules) permit. Indicated by the green check mark.
  • Mode 2 : “Everything is allowed that is not explicitly forbidden”. All traffic from the LAN and from IPFire to the Internet is allowed, except for what the rules you create (deny rules) block. Indicated by the white cross in a red circle.

Add rule

In Mode 1 or 2, clicking the “Add Rule” button opens two different areas in which iptables rules can be added or edited:

(Screenshot: 1a_outgoing_firewall_rule.jpg)

In the first menu, “add rule”, you can specify custom iptables rules via the web interface; rules that have already been created can also be modified here later.

Graphical example of Mode 2 (deny rule):

(Screenshot: 2.outgoing_firewall_add-rule.jpg)

  • Description = A name for the rule. It should describe what the rule does, but any text is accepted.
  • Protocol = The transport protocol the rule applies to (for example TCP or UDP).
  • Source = Selects which outbound traffic the rule covers: the green, blue and orange zones and the OpenVPN interface, narrowed down to a specific IP address, MAC address or predefined IP/MAC group (see firewall groups), or a whole subnet. The “Internet IP” source covers the outgoing traffic of the red IP address, i.e. IPFire's own processes such as the web proxy (see the example below, “If the Clients shall surf only through the webproxy”).

In the field “Source IP or Net” you can enter individual IPs, for example 192.168.0.2, or whole subnets in CIDR notation, for example 192.168.0.0/24. In the field “Source MAC Address” enter the hardware address of the network adapter as six pairs of hex digits separated by colons, for example 08:00:20:ae:fd:7e. Keep in mind that a MAC address only identifies a client on the directly attached zone and can be changed freely on the client, so MAC-based rules are a convenience rather than a security boundary.

  • Logging = Switches event logging for this rule on or off. For some rules it is advisable to turn logging off to avoid filling the log with unnecessary entries, but for an overview or for troubleshooting the log can be very helpful. Logging can also be toggled for existing rules in the last column of the rule list (On/Off); a click on the floppy disk icon saves the new setting.

(Screenshot: outgoingfw_activate_logging_.jpg)

  • Destination IP or Net = Specifies a target in the Internet. This field is optional; if it is left empty, all addresses match. The syntax is the same as under “Source”.
  • Destination port(s) = Most services use the port numbers assigned by the IANA. Here you can enter a single port, several selected ports or a whole port range. Port numbers are 16 bits wide, so the valid range is 0-65535.

A rule can contain a single port such as 80, or a range such as 0:65535 for all ports (the bounds of a range are separated by a colon). Use commas for several ports in one rule, for example 587,993,995,465 (submission, IMAPS, POP3S and SMTPS); unlike a range, the ports in a list do not have to be in numerical order.

  • Time = A rule can be restricted to a time of day (From/To) and to particular days of the week. From 0:00 to 0:00 means around the clock.
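The port syntax and the time window described above are easy to get wrong, so here is a small parser for both, added as an example; it is not IPFire's own code and does not claim to reproduce the web interface's validation. It accepts exactly the forms the page describes (single port, colon range, comma list) and rejects ports outside 0-65535 and descending ranges. Two details the page does not specify are assumptions of this example: the end time of a window is exclusive, and a window whose end is earlier than its start (22:00 to 6:00) wraps past midnight.

```python
from datetime import datetime, time

PORT_MAX = 65535
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")


def port_ranges(spec: str) -> list[tuple[int, int]]:
    """Parse a port field as the page describes it into (low, high) ranges.

    Accepted forms: a single port ("80"), a range with a colon ("0:65535"),
    or a comma-separated list ("587,993,995,465"). A list may be in any
    order; a range must be ascending and every port must lie in 0..65535.
    """
    ranges = []
    for item in spec.replace(" ", "").split(","):
        if not item:
            raise ValueError(f"empty element in port spec {spec!r}")
        if ":" in item:
            low_s, high_s = item.split(":", 1)
            low, high = int(low_s), int(high_s)
            if low > high:
                raise ValueError(f"range {item!r} is not ascending")
        else:
            low = high = int(item)
        if low < 0 or high > PORT_MAX:
            raise ValueError(f"{item!r} is outside 0..{PORT_MAX}")
        ranges.append((low, high))
    return ranges


def port_matches(port: int, ranges: list[tuple[int, int]]) -> bool:
    """True if `port` falls into any of the parsed ranges."""
    return any(low <= port <= high for low, high in ranges)


def _parse_hhmm(value: str) -> time:
    """Parse "H:MM" or "HH:MM"; datetime.time rejects impossible values."""
    hours, minutes = value.split(":")
    return time(int(hours), int(minutes))


def rule_active_at(when: datetime, start: str, end: str,
                   days: tuple[str, ...] = DAYS) -> bool:
    """Decide whether a rule with the given time window applies at `when`.

    "0:00" to "0:00" means around the clock, as the page states. Assumptions
    of this example (not specified by the page): the end time is exclusive,
    and a window with end < start wraps past midnight, with the day-of-week
    check applied to the calendar day of `when`.
    """
    if DAYS[when.weekday()] not in days:
        return False
    start_t, end_t = _parse_hhmm(start), _parse_hhmm(end)
    now = when.time().replace(second=0, microsecond=0)
    if start_t == end_t:          # 0:00 to 0:00 (or any equal pair): always on
        return True
    if start_t < end_t:           # ordinary same-day window
        return start_t <= now < end_t
    return now >= start_t or now < end_t   # window crossing midnight


if __name__ == "__main__":
    mail = port_ranges("587,993,995,465")
    print(mail, port_matches(993, mail), port_matches(143, mail))
    print(rule_active_at(datetime(2012, 2, 14, 23, 30), "22:00", "6:00"))
```

Running the module prints the parsed mail-port list and two membership checks, then shows that 23:30 falls inside a 22:00 to 6:00 window.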

quick add

Since there are 65536 possible port numbers and each service uses its own ports and protocols, it is not easy to keep every specification in mind. IPFire therefore ships a set of predefined rules. In the “quick add” menu a rule can be adjusted to a lesser extent than in the “add rule” menu explained above (it can still be edited later via “add rule” if necessary); a click on the red pin under “Action” adds the rule.

Shortened extract from “quick add”:

(Screenshot: 3.outgoing_firewwall_quickadd.jpg)

p2p-block

The p2p-block is only available in Mode 1 or 2.

In addition, you can use the p2p-block options to block well-known peer-to-peer (file sharing) connections. This is useful if, for example, you let your neighbour use your wireless connection but do not want them doing illegal file sharing and wasting your bandwidth.

Here are some small examples of services one could allow, with the ports they use:

  • Surfing the Internet from LAN and WLAN (ports 80, 443, 53)
  • Retrieving and sending email from the LAN (ports 110, 995, 25)
  • FTP connections from the LAN to the Internet (ports 20, 21, 115)
  • Synchronising the clients' clocks from LAN and WLAN (port 123)
  • Chatting on IRC (ports 194, 6667)
  • SSH and telnet connections from the LAN to the Internet (ports 22, 23)
  • DHCP for clients on the LAN (port 68)
  • SSH and HTTPS to remote IPFire systems from the LAN (ports 222, 444)

A graphical example of a possible basic configuration:

If the Clients shall surf only through the webproxy

To use this configuration, the “Outgoing Firewall” must operate in “Mode 1”!

To prevent clients from bypassing the proxy (and with it the proxy logs), create the following rules. Because Mode 1 also blocks IPFire's own outgoing connections, the rules use IPFire's red address as source, so that only the proxy and the other IPFire services listed may talk to the Internet directly, while the clients themselves get no direct path to ports 80 and 443:

As “Source”, select “Internet IP” (Network → red).

  • Port 80 (HTTP), TCP
  • Port 443 (HTTPS), TCP
  • Port 53 (DNS), UDP and TCP (if IPFire performs the DNS lookups for the clients)
  • Port 123 (NTP time server), UDP (if the clients get the time from IPFire)

Graphical example of a possible minimal configuration:

(Screenshot: configuration_firewall_outgoingfirewall_disable_proxy_bypass.jpg)

For this to work, the proxy must run in non-transparent mode, and the proxy must be configured on the client systems (network settings) and, if the browser does not take its proxy settings from the system, in the browser settings as well. A client whose proxy setting is removed then simply loses web access instead of silently bypassing the proxy logs.

If particular outgoing services (ports) are needed, for example an RDP (Remote Desktop Protocol) connection, create an allow rule for port 3389/tcp with source “All” (the service is then usable from every zone, regardless of source IP or MAC). If the service should only be reachable from one zone (for example green) or from a specific IP or MAC address, select that via “Add rule” and the “Source” drop-down menu of the outgoing firewall.
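To make the Mode 1 semantics of this scenario concrete, the following Python model, added here as an example and not part of IPFire or of the original page, evaluates connections against a rule list the way the three modes are described above: Mode 0 passes everything, Mode 1 treats the list as allow rules, Mode 2 treats it as deny rules. The rule set is the proxy-only configuration of this section plus the RDP rule just described. The addresses (198.51.100.10 for IPFire's red “Internet IP”, 192.168.0.0/24 for green, 203.0.113.5 for a web server) are constructed for the example; the page names the zones but gives no addresses.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional, Union

# The three modes of the outgoing firewall as the page describes them.
MODE_ALL_ALLOWED = 0           # no rules; everything passes
MODE_DENY_UNLESS_ALLOWED = 1   # rules are allow rules (whitelist)
MODE_ALLOW_UNLESS_DENIED = 2   # rules are deny rules (blacklist)

# Constructed addresses for this example (not from the page).
RED_IP = ip_address("198.51.100.10")       # IPFire's own "Internet IP"
GREEN_NET = ip_network("192.168.0.0/24")   # the green zone
CLIENT = ip_address("192.168.0.2")         # a green client
WEB_SERVER = ip_address("203.0.113.5")     # some host on the Internet

Source = Union[str, IPv4Network]   # "All", "Internet IP", or a network/host


@dataclass(frozen=True)
class Rule:
    description: str
    protocol: str                  # "tcp", "udp" or "all"
    source: Source
    ports: frozenset[int]          # destination ports; empty = any port
    destination: Optional[IPv4Network] = None   # None = any address


@dataclass(frozen=True)
class Connection:
    src: IPv4Address
    dst: IPv4Address
    protocol: str
    dport: int


def source_matches(rule: Rule, conn: Connection) -> bool:
    """"All" matches every zone, "Internet IP" only IPFire's own red address."""
    if rule.source == "All":
        return True
    if rule.source == "Internet IP":
        return conn.src == RED_IP
    return conn.src in rule.source


def rule_matches(rule: Rule, conn: Connection) -> bool:
    return (source_matches(rule, conn)
            and rule.protocol in ("all", conn.protocol)
            and (not rule.ports or conn.dport in rule.ports)
            and (rule.destination is None or conn.dst in rule.destination))


def outgoing_allowed(mode: int, rules: tuple[Rule, ...], conn: Connection) -> bool:
    """Apply the mode semantics: the same rule list is a whitelist in Mode 1
    and a blacklist in Mode 2; Mode 0 ignores it entirely."""
    if mode == MODE_ALL_ALLOWED:
        return True
    matched = any(rule_matches(r, conn) for r in rules)
    if mode == MODE_DENY_UNLESS_ALLOWED:
        return matched
    if mode == MODE_ALLOW_UNLESS_DENIED:
        return not matched
    raise ValueError(f"unknown mode {mode}")


# The proxy-only rule set from this section (source "Internet IP") plus the
# RDP example with source "All".
PROXY_ONLY_RULES = (
    Rule("proxy HTTP", "tcp", "Internet IP", frozenset({80})),
    Rule("proxy HTTPS", "tcp", "Internet IP", frozenset({443})),
    Rule("DNS from IPFire", "all", "Internet IP", frozenset({53})),
    Rule("NTP from IPFire", "udp", "Internet IP", frozenset({123})),
    Rule("RDP from any zone", "tcp", "All", frozenset({3389})),
)


def client_web_direct() -> bool:
    """A green client reaching port 80 directly: blocked in Mode 1, so the
    proxy cannot be bypassed."""
    return outgoing_allowed(MODE_DENY_UNLESS_ALLOWED, PROXY_ONLY_RULES,
                            Connection(CLIENT, WEB_SERVER, "tcp", 80))


def proxy_web() -> bool:
    """The same request made by the proxy from the red address: allowed."""
    return outgoing_allowed(MODE_DENY_UNLESS_ALLOWED, PROXY_ONLY_RULES,
                            Connection(RED_IP, WEB_SERVER, "tcp", 80))


if __name__ == "__main__":
    print("client direct to :80 ->", client_web_direct())
    print("proxy (red IP) to :80 ->", proxy_web())
```

The two functions at the end are the check a practitioner wants after building this configuration: direct client web traffic is refused while the proxy's own traffic passes. The same `outgoing_allowed` call with a Mode 2 deny list (for example a rule for the green net and port 23) shows the inverted default.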

en/configuration/firewall/outgoingfirewall.txt · Last modified: 2012/02/14 21:52 by SaRA