This wiki is a community-maintained resource about everything there is to know about IPFire.
Part of the IPFire Security Hardening Guide
This guide uses two scales:
|Impact (security benefit)||A. MAJOR||B. SIGNIFICANT||C. MINOR|
|Effort (to implement)||1. LOW||2. MEDIUM||3. HIGH|
See the Security Guide introduction for a more detailed explanation of the scale.
IPv6 is disabled by default in IPFire. For security reasons it is recommended that you do not enable it.
Although IPv6 may be the future of addressing on the internet, today most fixed-internet ISPs still provide an IPv4 address. IPv6 allows all devices on your network to be visible from the internet. It was long thought that searching for devices in your network wasn't viable, due to the high number of possible addresses. However it has recently been shown that there are smart ways around this.
Host services like email and web servers in a cloud environment and not on your internet connection. This will avoid making your network a target (as there won't be any interesting services visible) and significantly reduces the opportunities for an attack to be successful.
Although IPFire will run effectively in a virtual machine, it is ideal to run any security software (such as a firewall router) on a separate physical machine. Running IPFire on a physical machine removes the possibility that another VM or the virtualization environment could become compromised and in turn compromise your IPFire firewall or cause a denial of service by consuming resources (network, disk, CPU or memory).
IPFire is usually used in a position of trust as your internet gateway and if it is compromised it will be difficult to defend the rest of your network.
If you don't use it, block tor traffic as malware can use it for command and control purposes.
As with Tor, block all P2P protocols which are not used on your network.