On this page detailed information about the default policy of a fresh installed IPFire firewall can be found. A fresh installed system doesn't have any custom created rules and no modifications on the default firewall behaviour have been done.

Default policy

The firewall policy sub-section on the firewall options page, offers the best way to adjust the firewall actions when network packets got dropped by the input firewall or if the "Forward" or "Outgoing" firewalls are set to "Blocked".

Each item individually can be configured to one of the following actions:

  • DROP - Network packages will be dropped directly.
  • REJECT - This has the same effect as 'DROP', in addition the remote host will get an ICMP error message.

Default firewall behaviour

The second section of the page, allows you to modify the Default firewall behaviour for the "Forward" or "Outgoing" connections.

Forward

The default value for the "Forward Firewall" is "Allowed". This means, in general, that any network packet is allowed to be forwarded to another network zone unless there is an existing rule preventing it. Such a rule can be added within basic zone policy or it can be customized to fit requirements for your various network zones.

When switching the "Forward Firewall" to "Blocked", the traffic will no longer be transfered between the zones. Please note, the traffic from internal zones to your IPFire's RED zone is also affected, but not the traffic of the IPFire system itself. You will then have to create firewall rules to re-allow desired packets between your internal network zones and the Internet.

Outgoing

The "Outgoing Firewall" offers a way to control traffic of the IPFire itself. It does not affect forwarded traffic from the other local network zones except IPFire acts as proxy. Default and strongly recommended setting is "Allowed"

Default zone ruleset

IPFire comes with a default ruleset which restricts the traffic between the individual network zones. The following table shows this limitations:

**** Direction **** Status
Red -> Firewall Closed, Use external access
Red -> Orange Closed. Use port forwarding
Red -> Blue Closed. Use port forwarding or VPN
Red -> Green Closed. Use port forwarding or VPN
Orange -> Firewall Closed, no DNS nor DHCP1 for Orange
Orange -> Red Open
Orange -> Blue Closed, use DMZ pinholes
Orange -> Green Closed, use DMZ pinholes
Blue -> Firewall Closed, use Blue Access
Blue -> Red Closed, use Blue Access
Blue -> Orange Closed, use Blue Access
Blue -> Green Closed, use Creating a Blue to Green Pinhole or VPN
Green -> Firewall Open
Green -> Red Open
Green -> Orange Open
Green -> Blue Open

  1. It is possible to assign a static IP to a dedicated DHCP server in the orange zone which can service the rest of the orange network. See Notes