Welcome to the introduction to the IPFire firewall. If you are working with firewalls for the first time, this is the guide that helps you to get an overview over how a firewall works and what you need to do to manage it.
Please note, that working on the firewall ruleset can create unwanted holes in the firewall. So please make sure that you know what you are doing and search for assistance in case you are unsure. Managing the IPFire firewall is not rocket science, but there are still some things that you need to learn before start and you should follow the best-practices at all times.
The core of a firewall are the firewall rules. All of them together are calledruleset. They allow and deny hosts to access hosts on other networks. By combining them, you can create powerful rulesets that are very complex. Maintaining complicated rulesets is often difficult, but IPFire comes with some features like the Firewall Groups that help to reduce the number of rules you will need.
In Creating Firewall Rules (reference) you will find a comprehensive reference with all options there are to create firewall rules. If you want to create common setups like Creating a Port-Forward Rule or Creating a DMZ Pinhole, click on the quick start guides to learn about that. Once you have created some rules, you will see these on the rules page in the firewall section.
If you are able to create, edit and delete firewall rules, you already know most of the things there are to do when you are managing your firewall.
In addition to that, IPFire has got some extras that might come handy in some environments like P2P-Block.
There are some other pages that help you to see what is going on:
Features of the IPFire firewall that distinguishes IPFire from other firewall solutions:
The IPFire firewall is easy to manage. The graphical web user interface has been designed for beginners and also offers expert options so that powerful rules can be created.
IPFire employs a Stateful Packet Inspection (SPI) firewall. That means that the firewall internally stores information about every connection and is then able to associate every packet that transits the firewall to the connection it belongs to.
This information is very helpful, because it is used to open the way for the response packets automatically. Therefore it is not require to create a rule into the opposite direction every time a port-forwarding is created. The firewall figures this out automatically.
The WUI can be used to create Network Address Translation Reference rules like port-forwarding (DNAT) and source NAT rules. With these two types of address translations, you are able to host server farms behind the firewall and masquerade any private networks or private IP addresses.
For some protocols that have difficulties to traverse NAT (like FTP or SIP), the connection monitoring will open paths for the data/media streams of those protocols.
The firewall can be paired with an Intrusion Prevention System (IPS), which will actively scan and block any threats.
The IPFire firewall is based on the Linux netfilter Packet Filtering framework which is famous for its command line tool that is called
iptables. It is paired with a P2P-Block that enriches the feature set by allowing to filter certain P2P protocols.