The Firewall Options page lets you change a number of firewall settings from the web interface and adjust how dropped packets are logged. One of its most important uses is taking control of the policy and default behaviour of the forward and outgoing firewall.
This part has been moved to Masquerading/NAT.
This section lets you customise which packets dropped by the firewall are written to the log.
When a system is connected to the internet with a dynamic IP address and that address changes, you may receive traffic that was meant for the previous holder of the address: in some cases the remote end has not been told that its peer's address changed, and packets belonging to its established connections keep arriving at you. Attackers also sometimes try to bypass poorly written packet filters by sending TCP packets without the SYN flag. IPFire marks such packets as new, but since there is no known connection for them, they are dropped and logged by the firewall as "new not SYN" packets, which will show in the logs as
In addition to the "new not SYN" check, IPFire tracks the state of established connections with conntrack, so that attackers cannot inject their own packets into an existing connection even if they get past the "new not SYN" check. Some protocols also open connections related to an existing one; these look like new connections to simple packet filters, but are in fact part of an established network communication and are tracked as such.
conntrack flags packets that do not belong to any tracked connection as INVALID and drops them. This option toggles logging for such packets; they carry the DROP_CTINVALID log prefix.
Packets dropped by the firewall's input chain are logged. This option switches that logging on or off.
Like the option above, but for packets dropped by the forward chain.
Like the option above, but for dropped outgoing packets.
This option disables the logging of dropped packets that were recognised as potentially bad TCP traffic, such as packets with invalid or nonsensical TCP flag combinations. Port scanners typically emit such packets.
This option disables logging when traffic from unauthorised clients on the blue zone is dropped.
This option enables or disables logging of packets dropped on their way from the blue zone to the green or orange zone.
This option enables or disables logging of packets detected as a spoofing attempt, or arriving on an interface on which IPFire knows they cannot legitimately arrive.
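The drop prefixes described above all end up as netfilter LOG lines in /var/log/messages, so they are easy to parse and sanity-check. The following is an added example (not IPFire's own code) that parses such lines, reproduces the iptables `--syn` test behind the "new not SYN" check, applies a simplified spoof check for packets arriving on red with a private source, and counts drops per prefix and per source. Only DROP_CTINVALID is named on this page; DROP_NEWNOTSYN, DROP_INPUT and DROP_SPOOFED_MARTIAN are assumed prefix names for the other options, and the sample log lines are constructed for the example.

```python
"""Parse and sanity-check IPFire firewall drop log lines.

Added example, not IPFire's own code. IPFire logs dropped packets through the
netfilter LOG target, so each line carries an IPFire log prefix followed by
standard KEY=VALUE fields and bare TCP flag tokens (SYN, ACK, ...).
DROP_NEWNOTSYN, DROP_INPUT and DROP_SPOOFED_MARTIAN are assumed prefix names;
only DROP_CTINVALID is named on the page. The sample lines are constructed.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Mar  3 10:15:01 ipfire kernel: DROP_NEWNOTSYN IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK URGP=0
Mar  3 10:15:02 ipfire kernel: DROP_CTINVALID IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=443 DPT=51234 WINDOW=0 RES=0x00 ACK RST URGP=0
Mar  3 10:15:03 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.2 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=45000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:04 ipfire kernel: DROP_SPOOFED_MARTIAN IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=5353 DPT=5353 LEN=40
"""

TCP_FLAG_TOKENS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}
LINE_RE = re.compile(r"kernel: (?P<prefix>DROP_[A-Z_]+) (?P<rest>.*)$")
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_line(line):
    """Return {'prefix', 'flags', KEY: value, ...} or None for non-drop lines.
    Repeated keys (LEN= appears twice for UDP) keep the last value."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            rec[key] = value
        elif tok in TCP_FLAG_TOKENS:
            rec["flags"].add(tok)
    return rec


def is_syn_only(flags):
    """Mirror the iptables '--syn' match: SYN set, ACK/RST/FIN all clear.
    A TCP packet that conntrack treats as NEW but fails this test is exactly
    what the 'new not SYN' check drops."""
    return "SYN" in flags and not (flags & {"ACK", "RST", "FIN"})


def is_martian_on_red(rec, red_if="red0"):
    """Illustrative spoof check (simplified, not IPFire's exact rule set):
    a packet arriving on red with a private or loopback source cannot be genuine."""
    if rec.get("IN") != red_if:
        return False
    try:
        src = ipaddress.ip_address(rec.get("SRC", ""))
    except ValueError:
        return False
    return any(src in net for net in PRIVATE_NETS)


def is_consistent(rec):
    """Check that the packet really matches the condition its prefix claims."""
    if rec["prefix"] == "DROP_NEWNOTSYN":
        return rec.get("PROTO") == "TCP" and not is_syn_only(rec["flags"])
    if rec["prefix"] == "DROP_SPOOFED_MARTIAN":
        return is_martian_on_red(rec)
    return True  # other prefixes carry no flag-level invariant we can verify here


def summarize(lines):
    """Count drops per log prefix and per source address."""
    by_prefix, by_src = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        by_prefix[rec["prefix"]] += 1
        by_src[rec.get("SRC")] += 1
    return by_prefix, by_src


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for line in lines:
        rec = parse_line(line)
        print(rec["prefix"], rec.get("SRC"), sorted(rec["flags"]),
              "consistent" if is_consistent(rec) else "SUSPICIOUS")
    print(summarize(lines))
```

The first sample line is the situation the text describes: a bare ACK from port 443 of a server that still believes it has a connection with the previous holder of the address. The `is_consistent` check is worth keeping around when reviewing real logs, because a DROP_NEWNOTSYN entry whose flags are a clean SYN would indicate a parsing or rule problem rather than an attack.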
Parts of this section are only displayed after a blue network zone has been installed and configured. They change the firewall behaviour on that zone for several common cases.
Enabling this option causes any network traffic from or to an IP address flagged as hostile to be dropped and logged. The list of affected IP networks comes primarily from Spamhaus DROP, which defines "hostile networks" as "netblocks that are "hijacked" or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers)". The rationale is to give IPFire users basic protection against the "baddest of the bad" areas of the internet, which is why the option is enabled by default.
IPFire distributes this list through the IPFire Location database and uses the special country code XD for it in the web interface. Firewall rules can also be created using this country code, but that is not necessary when this option is enabled.
This option applies to the red interface only, and it is strongly recommended not to disable it.
When this option is enabled, all packets from the blue zone that are not addressed to the web proxy are dropped. This option applies to the blue interface only.
This feature prevents clients on the blue zone from using Microsoft services such as SMB file shares or printing. All requests to ports 135, 137, 138, 139, 445 and 1025 are dropped. This option applies to the blue interface only.
This sub-section customises the look of some elements on the firewall rules page and the rule creation page.
When this option is enabled, all existing rules are displayed with coloured borders, which gives a better overview of the ruleset.
(Screenshots: Show colors in ruletable = off; Show colors in ruletable = on (default))
This option hides the remarks entered on rules from the firewall rules page.
(Screenshots: Show remarks in ruletable = off; Show remarks in ruletable = on)
A rule table is hidden unless at least one rule has been created in it. When this option is enabled, empty tables are also displayed on the firewall rules page.
(Screenshots: Show empty ruletables = off (default); Show empty ruletables = on)
Elements that are not in use, such as VPN zones or host/service groups, are hidden on the page where new firewall rules are created. This option displays them anyway.
(Screenshots: Show all networks on rule creation site = off (default); Show all networks on rule creation site = on)
Detailed information about these very important tasks can be found here.