wiki.ipfire.org

The community-maintained documentation platform of IPFire

Introduction

Welcome to the introduction to the IPFire firewall. If you are working with a firewall for the first time, this guide gives you an overview of how a firewall works and what you need to do to manage it.

Please note that working on the firewall ruleset can create unwanted holes in the firewall. Make sure that you know what you are doing and ask for assistance if you are unsure. Managing the IPFire firewall is not rocket science, but there are some things you need to learn before you start, and you should follow best practices at all times.

Firewall Rules

The core of a firewall is its firewall rules; all of them together are called the ruleset. Rules allow or deny hosts access to hosts on other networks. By combining them you can build powerful rulesets, but complex rulesets are hard to maintain and to audit. IPFire therefore provides features such as groups that help reduce the number of rules you need.

In Creating Firewall Rules (reference) you will find a comprehensive reference of all the options available when creating firewall rules. If you want to set up common configurations such as port-forwardings or DMZ pinholes, see the quick start guides. Once you have created some rules, they are listed on the rules page in the firewall section.

How to manage my firewall?

If you are able to create, edit and delete firewall rules, you already know most of what there is to do when managing your firewall. In addition, IPFire has some extras that may come in handy in some environments, such as P2P-Block.

There are some other pages that help you to see what is going on:

Features

Features of the IPFire firewall that distinguish IPFire from other firewall solutions:

Easy to manage

The IPFire firewall is easy to manage. The graphical web user interface has been designed for beginners and also offers expert options so that powerful rules can be created.

Stateful Inspection Firewall

IPFire employs a Stateful Packet Inspection (SPI) firewall. That means the firewall internally keeps a record of every connection (the connection tracking table) and is able to associate every packet that transits the firewall with the connection it belongs to.

This information is very useful because it lets the firewall pass the response packets automatically. It is therefore not required to create a rule in the opposite direction every time a port-forwarding is created; the firewall works that out itself. Note that this only covers packets that belong to a connection already being tracked: a new connection initiated from the other side still needs its own rule, and an untracked packet that is not the start of a connection is simply dropped.

Network Address Translation (NAT)

The GUI can be used to create Network Address Translation rules such as port-forwardings (destination NAT, DNAT) and source NAT (SNAT) rules. With these two types of address translation you can host server farms behind the firewall and masquerade private networks or private IP addresses.

For some protocols that have difficulty traversing NAT (such as FTP or SIP), connection tracking helpers watch the control connection and open the paths for the protocol's data or media streams automatically; those packets are treated as related to the control connection rather than as new connections.
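The following is an added example, not IPFire's own code, that models the behaviour described in the two sections above: a connection tracking table lets reply packets through (and undoes their address translation) without any reverse rule, while an untracked packet is dropped. It also applies a port-forward (DNAT) and masquerades outbound LAN traffic (SNAT). The interface names red and green, the addresses 203.0.113.10, 198.51.100.7, 192.168.1.20 and 192.168.1.30, the port-forward 8080 -> 80 and the packet sequence are all assumptions constructed for the example; the iptables rules in the comment are shown only for orientation and are not IPFire's generated ruleset. Connection tracking helpers for FTP or SIP (the RELATED state) are not modelled.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Hypothetical topology (assumption for this example, not from the IPFire page):
#   red   (WAN): firewall public address 203.0.113.10; internet client 198.51.100.7
#   green (LAN): web server 192.168.1.20 on TCP/80; workstation 192.168.1.30
# Roughly the iptables shape being modelled (illustration only, not IPFire's ruleset):
#   -t nat -A PREROUTING -i red -d 203.0.113.10 -p tcp --dport 8080 -j DNAT --to 192.168.1.20:80
#   -t nat -A POSTROUTING -o red -j MASQUERADE
#   -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   -A FORWARD -i red -p tcp -d 192.168.1.20 --dport 80 -m conntrack --ctstate NEW -j ACCEPT
#   -A FORWARD -i green -m conntrack --ctstate NEW -j ACCEPT   ;   -P FORWARD DROP
PUBLIC_IP = "203.0.113.10"
DNAT = {(PUBLIC_IP, 8080): ("192.168.1.20", 80)}   # constructed port-forward table
Tuple4 = Tuple[str, int, str, int]                   # (src, sport, dst, dport); TCP only
Endpoint = Optional[Tuple[str, int]]


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on: "red" or "green"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # first packet of a TCP handshake


@dataclass
class Conn:
    orig: Tuple4        # tuple of the opening packet, before NAT
    reply: Tuple4       # tuple reply packets carry on the wire, before un-NAT
    nat_src: Endpoint   # rewrite applied to src in the original direction (masquerade)
    nat_dst: Endpoint   # rewrite applied to dst in the original direction (port-forward)


def _nat(p: Packet, src: Endpoint, dst: Endpoint) -> Packet:
    if src:
        p = replace(p, src=src[0], sport=src[1])
    if dst:
        p = replace(p, dst=dst[0], dport=dst[1])
    return p


class StatefulFirewall:
    def __init__(self) -> None:
        # conntrack table: one Conn entry indexed under both of its directions
        self.table: Dict[Tuple4, Conn] = {}

    @staticmethod
    def _new_allowed(p: Packet) -> bool:
        """FORWARD rules, consulted for NEW connections only (after DNAT)."""
        if p.iface == "green":                       # LAN may open anything outbound
            return True
        return p.iface == "red" and (p.dst, p.dport) == ("192.168.1.20", 80)

    def process(self, p: Packet) -> Tuple[str, str, Packet]:
        """Return (verdict, conntrack state, packet as it would be forwarded)."""
        t = (p.src, p.sport, p.dst, p.dport)
        conn = self.table.get(t)
        if conn is not None and t == conn.orig:      # tracked, original direction
            return "ACCEPT", "ESTABLISHED", _nat(p, conn.nat_src, conn.nat_dst)
        if conn is not None and t == conn.reply:     # tracked, reply direction: undo NAT
            return "ACCEPT", "ESTABLISHED", _nat(p, conn.orig[2:], conn.orig[:2])
        if not p.syn:                                # untracked and not a SYN
            return "DROP", "INVALID", p
        # NEW connection: PREROUTING DNAT, then FORWARD rules, then POSTROUTING masquerade
        nat_dst = DNAT.get((p.dst, p.dport))
        fwd = _nat(p, None, nat_dst)
        if not self._new_allowed(fwd):
            return "DROP", "NEW", p
        # simplification: the source port is kept; real MASQUERADE may pick a new one on collision
        nat_src = (PUBLIC_IP, p.sport) if p.iface == "green" else None
        fwd = _nat(fwd, nat_src, None)
        conn = Conn(t, (fwd.dst, fwd.dport, fwd.src, fwd.sport), nat_src, nat_dst)
        self.table[conn.orig] = conn
        self.table[conn.reply] = conn
        return "ACCEPT", "NEW", fwd


def demo() -> List[Tuple[str, str, str]]:
    """Constructed packet sequence (not captured traffic); returns verdict, state, flow."""
    fw = StatefulFirewall()
    packets = [
        Packet("red", "198.51.100.7", 40000, PUBLIC_IP, 8080, syn=True),        # client opens the forward
        Packet("green", "192.168.1.20", 80, "198.51.100.7", 40000),            # server replies
        Packet("red", "198.51.100.7", 40000, PUBLIC_IP, 8080),                  # client continues
        Packet("green", "192.168.1.30", 50000, "198.51.100.7", 443, syn=True),  # LAN host goes out
        Packet("red", "198.51.100.7", 443, PUBLIC_IP, 50000),                   # its reply returns
        Packet("red", "198.51.100.7", 443, PUBLIC_IP, 50001),                   # forged "reply"
        Packet("red", "198.51.100.9", 1234, PUBLIC_IP, 22, syn=True),           # unsolicited SYN
    ]
    out = []
    for p in packets:
        verdict, state, fwd = fw.process(p)
        out.append((verdict, state, f"{fwd.src}:{fwd.sport}->{fwd.dst}:{fwd.dport}"))
    return out


if __name__ == "__main__":
    for row in demo():
        print(*row)
```

Running demo() shows the point of the sections above: only the two opening SYNs are checked against the forwarding rules; the server's reply and the internet host's reply are accepted purely because the reversed tuple is already in the table, and their addresses are rewritten back without any rule for that direction. The forged "reply" on a port with no table entry is dropped as INVALID, and the unsolicited SYN to port 22 is dropped as NEW because no rule allows it.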

Intelligent Intrusion Detection

The firewall can be paired with an Intrusion Detection System (IDS) that inspects the traffic passing through the firewall for known attack signatures. Detected attacks are reported, and where blocking is enabled the sources of detected attacks can be blocked.

Internals

The IPFire firewall is based on the Linux netfilter packet filtering framework, which is best known through its command-line tool, iptables. It is paired with a P2P filter that extends the feature set by allowing certain P2P protocols to be filtered.

configuration/firewall/introduction.txt · Last modified: 2014/08/10 21:28 by firefant