wiki.ipfire.org

The community-maintained documentation platform of IPFire


Firewall Options

The firewall options page provides an easy way to modify various firewall options graphically and to adjust how different kinds of network packets are logged. One of the most important points is taking control of the policy and default behaviour of the forward and outgoing firewall.

Masquerading/NAT

This part has been moved to Masquerading/NAT

Logging

This section allows you to individualize the logging output of dropped network packets by your firewall.

Disabling logging makes it difficult to diagnose problems caused when packets are dropped. Take care when changing these options.

Log dropped NEW not SYN packets

When a system is connected to the internet with a dynamic IP address and that address changes, you may receive traffic that was addressed to the previous holder of the address. This happens because the sender was not informed that its peer's address changed and keeps sending packets of established connections to you. IPFire marks them as new, but no known connection exists for them. They are dropped and logged by the firewall as “NEW not SYN” packets.

Log dropped input packets

Packets dropped by the firewall's input chain are logged. This option switches that logging on or off.

Log dropped forward packets

Like the option above, but for dropped forward packets.

Log dropped outgoing packets

Similar to the input option; this switches the logging of dropped outgoing packets on or off.

Log dropped portscan packets

This option can be used to disable the logging of all dropped packets that have been recognised as potentially bad TCP traffic.

Log dropped wireless input packets

This option allows you to disable logging when traffic from unauthorised clients on the blue network zone is dropped.

Log dropped wireless forward packets

With this option, the logging of dropped network packets from the blue zone to the green or orange zone can be disabled or re-enabled.
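Before switching any of the logging options above off, it is worth knowing what you would stop seeing. The following script, added to this page as an example and not IPFire project code, summarises netfilter-style dropped-packet log lines by category and checks that entries logged as NEW not SYN really lack the SYN flag. The log prefixes (DROP_NEWNOTSYN, DROP_INPUT, DROP_FORWARD) and the sample lines are constructed assumptions for the example, not the exact strings IPFire writes.

```python
"""Summarise dropped-packet log lines of the kinds this page's options toggle.
Added example; the prefixes and sample lines are constructed, not IPFire's own."""
import re
from collections import Counter

# Constructed kernel-log lines in the netfilter LOG target style.
SAMPLE_LOG = """\
Nov 17 20:12:01 ipfire kernel: DROP_NEWNOTSYN IN=red0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=51234 ACK PSH
Nov 17 20:12:02 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22 SYN
Nov 17 20:12:03 ipfire kernel: DROP_FORWARD IN=blue0 OUT=green0 SRC=192.168.20.5 DST=192.168.1.5 PROTO=TCP SPT=51000 DPT=445 SYN
Nov 17 20:12:04 ipfire kernel: DROP_FORWARD IN=blue0 OUT=green0 SRC=192.168.20.5 DST=192.168.1.5 PROTO=UDP SPT=137 DPT=137
Nov 17 20:12:05 ipfire kernel: DROP_NEWNOTSYN IN=red0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=51234 ACK
"""

# The word after "kernel: " is the log prefix; the rest are KEY=VALUE fields
# and bare TCP flag names.
LINE_RE = re.compile(r"kernel: (?P<prefix>\S+) (?P<fields>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return the prefix, the KEY=VALUE fields and the set of TCP flags, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    entry = {"prefix": m.group("prefix"), "flags": set()}
    for token in m.group("fields").split():
        if "=" in token:
            key, _, value = token.partition("=")
            entry[key] = value
        elif token in TCP_FLAGS:
            entry["flags"].add(token)
    return entry


def summarise(log_text):
    """Count drops per prefix and per (proto, dport); verify NEW-not-SYN entries."""
    per_prefix, per_port, new_not_syn_without_syn = Counter(), Counter(), 0
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        per_prefix[e["prefix"]] += 1
        per_port[(e.get("PROTO"), e.get("DPT"))] += 1
        # A NEW-not-SYN drop is a TCP segment with no conntrack state that is
        # not a connection opener, so the SYN flag must be absent.
        if e["prefix"] == "DROP_NEWNOTSYN" and "SYN" not in e["flags"]:
            new_not_syn_without_syn += 1
    return per_prefix, per_port, new_not_syn_without_syn


if __name__ == "__main__":
    prefixes, ports, n = summarise(SAMPLE_LOG)
    for prefix, count in prefixes.most_common():
        print(f"{prefix:16} {count}")
    print("NEW not SYN drops without SYN flag:", n)
```

Run it against your own /var/log/messages and compare the per-prefix counts with the option you intend to disable; a category that is empty over weeks costs nothing to keep logged.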

Firewall options for BLUE interface

This section is only displayed after a blue network zone has been installed and configured. It can be used to change the firewall's behaviour on that zone for several common cases.

Drop all packets not addressed to proxy

When this option is enabled, all network packets not destined for the web proxy server are dropped.

Drop all Microsoft ports

This feature can be used to prevent clients on the blue zone from using Microsoft-related services such as SMB file shares or printing. All requests to network ports 135, 137, 138, 139, 445 and 1025 are dropped.

Firewall settings

This sub-section offers the ability to customise the look and feel of some elements on the firewall rules page and the rule creation page.

Show colors in ruletable

When this option is enabled, coloured borders are displayed on all existing rules, which can give you a better overview of your ruleset.

Screenshots: Show colors in ruletable = off; Show colors in ruletable = on (default)

Show remarks in ruletable

When this option is disabled, all remarks entered for rules are hidden on the firewall rules page.

Screenshots: Show remarks in ruletable = off; Show remarks in ruletable = on

Show empty ruletables

A rule table is hidden unless at least one rule has been created in it. When this option is enabled, empty tables are also displayed on the firewall rules page.

Screenshots: Show empty ruletables = off (default); Show empty ruletables = on

Show all networks on rule creation site

On the page where new firewall rules are created, elements that are not in use, such as VPN zones or host/service groups, are hidden. This option can be used to display them anyway.

Screenshots: Show all networks on rule creation site = off (default); Show all networks on rule creation site = on

Application Layer Gateways

FIXME
This section is apparently new, but not documented yet

Application Layer Gateway (see the netfilter document "Secure use of iptables and connection tracking (conntrack) helpers"):

FTP
H.323
IRC
PPTP
SIP
TFTP

Firewall policy & default behaviour

Detailed information about these very important tasks can be found here.

configuration/firewall/options.txt · Last modified: 2018/11/17 20:12 by Jon