What is IPFire?
IPFire is a dedicated firewall that can be installed in any network - from data center down to your home. It is secure, fast and very versatile. Besides being a stateful inspection firewall it can work as a VPN gateway, analyze data packets with its Intrusion Prevention System (IPS), and comes with many Add-ons that extend its functionality further.
Who is IPFire for?
IPFire is known to run
- in data centres forwarding tens of gigabits per second
- in businesses from hundreds of employees down to home office workers
- as an IoT gateway in industrial applications
- at home
You will need some basic knowledge about how computer networks work, and the team behind IPFire kindly asks you to take security seriously. Please invest some time into researching best practices to get the most out of IPFire. All you need to know can be found in this wiki.
IPFire can be installed within minutes and is configured over a web user interface.
IPFire - The Operating System
IPFire is a whole operating system being installed on appropriate hardware. It is based on Linux but unlike a stock distribution like Debian or Fedora, IPFire is hardened and optimised for use as a firewall. Each component and software package that is being used is selected by the developers and built from its sources. Often those are patched to improve the security of the system and reduce attack surface. To give the maintainers this kind of flexibility, IPFire is not based on another distribution.
IPFire uses standard Linux components and packages (patched for security). These modules are configured as described in their man pages (usually in .conf files).
IPFire itself is configured using the Web User Interface (WebUI), realised by a number of programs (.cgi files). These programs hold their state and configuration in a set of 'internal' files (mainly stored in the /var/ipfire directory).
The WebUI programs check that settings are legal and aim to store valid configurations only. It is also the task of these programs to convert these internal settings into the standard .conf files (usually when the 'save' button is pressed).
This yields some implications:
- The IPFire internal configuration is checked for consistency by the WebUI only. Editing these files manually can produce a faulty system.
- Modifications to the .conf files may be overwritten by the WebUI. Where possible there are .conf.local files for these extra settings, which are included into the main .conf file.
Because the WebUI does not check the correctness of these files when you edit them directly, you must check the various log files for errors!
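Because a hand-edited .conf file can be silently regenerated by the WebUI on the next save, it helps to record checksums of the files you edited and later detect which ones were rewritten. The following POSIX shell functions are an added example written for this page, not IPFire project code; the directory layout and snapshot file name are assumptions, and the only convention taken from the page is that extra settings belong in a sibling `.conf.local` file.

```shell
#!/bin/sh
# Added example: detect hand-edited .conf files that were rewritten
# afterwards (for instance by the WebUI when 'save' is pressed).
# Assumptions: $1 is a directory containing *.conf files, $2 is a
# snapshot file we may create. Uses cksum, which is POSIX.

# Record a checksum line ("crc size path") for every .conf file.
snapshot_confs() {
    find "$1" -name '*.conf' -type f | sort | while read -r f; do
        cksum "$f"
    done > "$2"
}

# Compare the current files against the snapshot. Prints one line per
# changed or missing file and returns 1 if anything changed, else 0.
# The 'while ... done < file' form runs in the current shell, so the
# 'changed' flag survives the loop.
detect_overwritten() {
    changed=0
    while read -r crc size f; do
        now=$(cksum "$f" 2>/dev/null | cut -d' ' -f1,2)
        if [ "$now" != "$crc $size" ]; then
            echo "OVERWRITTEN: $f"
            changed=1
        fi
    done < "$2"
    return $changed
}

# Report whether a .conf file has a sibling .conf.local, the place the
# page says extra settings should live so that they survive a WebUI save.
has_local_override() {
    [ -f "$1.local" ]
}
```

Run `snapshot_confs /path/to/confs /path/to/snapshot` right after editing, and `detect_overwritten` with the same arguments after the next WebUI save; any file it reports should have its extra settings moved into the matching .conf.local instead.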
IPFire comes with a variety of features which allow it to run in many environments with very different requirements. Starting as a simple router, it can perform deep packet analysis, run helpful network management reports and also provides various services to the network.
- IPFire’s firewall is easy to use, yet powerful. Creation of groups of networks, hosts and services allows a single rule for large parts of the network to be defined in one go. Rate limitation functionality and logging make it perfect for hosting services in a data centre too.
- The Quality of Service keeps your Internet fast. Allocating the right amount of bandwidth for critical applications like VoIP calls is quickly done and you will never suffer bad call quality or slow-loading websites again. It can also throttle offending users.
- The Intrusion Prevention System provides deep packet inspection, checking packets against a signature database of well-known malware and detecting suspicious behaviour, to make your network more secure against more sophisticated attackers.
- The web proxy is one of IPFire’s most powerful features. Every client accessing the web is checked for access rights, content can be cached to speed up browsing, and it can even cache whole updates for operating systems like Microsoft Windows, saving a lot of bandwidth in larger networks. The URL Filter component is commonly used in schools to prevent students from accessing adult websites, and it can stop malware too.
- If you are running infrastructure in more than one place you might want to connect it using VPNs. You can connect to your data centre or the cloud using IPsec or OpenVPN and upload your backups or connect remote workers to the servers sitting in the office. IPFire can use the cryptographic acceleration that some appliances provide, and fully secured tunnels with bandwidth up to 10 GBit/s are possible. Of course IPFire is compatible with other vendors like Cisco, Juniper, Lancom, and many more too.
- To keep your network secure and prevent DNS spoofing, IPFire employs an internal DNS proxy which uses DNSSEC to filter any attacks. It caches DNS responses to improve query performance and can use DNS-over-TLS (DoT) to speak securely to upstream name servers.