This page describes the default policy of a freshly installed IPFire firewall. A freshly installed system has no custom rules and no changes to the default firewall behaviour.
Default policy
The firewall policy sub-section on the firewall options page is the place to adjust the action the firewall takes when a network packet is dropped by the input firewall, or when the "Forward" or "Outgoing" firewall is set to "Blocked".

Each item can be configured individually to one of the following actions:
- DROP - Network packets are dropped silently.
- REJECT - Same effect as DROP, but in addition the remote host receives an ICMP error message.
Default firewall behaviour
The second section of the page allows you to modify the default firewall behaviour for "Forward" and "Outgoing" connections.

Forward
The default value for the "Forward Firewall" is "Allowed". This means that, in general, any network packet may be forwarded to another network zone unless an existing rule prevents it. Such a rule can be added within the basic zone policy, or customized to fit the requirements of your various network zones.
When the "Forward Firewall" is switched to "Blocked", traffic is no longer transferred between the zones. Note that traffic from internal zones to IPFire's RED zone is also affected, but not traffic of the IPFire system itself. This setting is useful, for instance, if you want to force clients to browse the Internet only through the proxy. You then have to create firewall rules to re-allow the desired packets between your internal network zones and the Internet.
Outgoing
The "Outgoing Firewall" controls traffic originating from IPFire itself. It does not affect forwarded traffic from the other local network zones, except when IPFire acts as a proxy. The default and strongly recommended setting is "Allowed".
In very strict information security scenarios you may want to set it to "Blocked" and allow only the required outbound traffic with additional firewall rules. Be warned, however, that this requires a careful and rather detailed firewall configuration to avoid connection issues; see Firewall configuration recommendations for IPFire users. If you use the proxy server to browse the Internet, you will also need to allow outbound HTTP and HTTPS traffic on ports 80 and 443.
Default zone ruleset
IPFire comes with a default ruleset that restricts traffic between the individual network zones. The following table shows these restrictions:
From | Direction | To | Status
---|---|---|---
Red | -> | Firewall | Closed. Use external access
Red | -> | Orange | Closed. Use port forwarding
Red | -> | Blue | Closed. Use port forwarding or VPN
Red | -> | Green | Closed. Use port forwarding or VPN
Orange | -> | Firewall | Closed. No DNS nor DHCP[^1] for Orange
Orange | -> | Red | Open
Orange | -> | Blue | Closed. Use DMZ pinholes
Orange | -> | Green | Closed. Use DMZ pinholes
Blue | -> | Firewall | Closed. Use Blue Access
Blue | -> | Red | Closed. Use Blue Access
Blue | -> | Orange | Closed. Use Blue Access
Blue | -> | Green | Closed[^2]. See Creating a Blue to Green Pinhole, or use VPN
Green | -> | Firewall | Open
Green | -> | Red | Open
Green | -> | Orange | Open
Green | -> | Blue | Open

[^1]: It is possible to assign a static IP to a dedicated DHCP server in the Orange zone which can serve the rest of the Orange network. See Notes.
[^2]: If the proxy is activated and used for both the Green and Blue zones, and the Green zone must also be isolated inside the proxy, see instructions.
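To make the interaction between the three pieces described on this page concrete (the DROP/REJECT policy action, the "Forward" default behaviour, and the default zone ruleset in the table), here is a small policy model written as an added example. It is not IPFire's own code or chain layout; the `Rule` and `Packet` classes, the pseudo-zone `"firewall"` standing for IPFire itself, and the evaluation order (explicit rules first, then the Forward switch, then the zone table) are simplifying assumptions made for this illustration. The zone table itself is copied from the table above.

```python
from dataclasses import dataclass
from typing import List, Optional

# Zones as used on this page; "firewall" stands for IPFire itself (the input firewall).
ZONES = ("red", "green", "orange", "blue", "firewall")

# Default zone ruleset, taken from the table above. Every (source, destination)
# pair not listed here is closed by default.
DEFAULT_OPEN = {
    ("green", "firewall"), ("green", "red"), ("green", "orange"), ("green", "blue"),
    ("orange", "red"),
}


@dataclass(frozen=True)
class Rule:
    """Hypothetical simplified firewall rule: match on zone pair and optional port."""
    src: str
    dst: str
    port: Optional[int]  # None matches any destination port
    action: str          # "ACCEPT", "DROP" or "REJECT"


@dataclass(frozen=True)
class Packet:
    src: str   # zone the packet enters from
    dst: str   # zone (or "firewall") it is headed to
    port: int  # destination port


def default_open(src: str, dst: str) -> bool:
    """True if the default zone ruleset lets src -> dst traffic through."""
    return (src, dst) in DEFAULT_OPEN


def evaluate(pkt: Packet, rules: List[Rule], forward_mode: str = "Allowed",
             policy_action: str = "DROP") -> str:
    """Return the verdict ("ACCEPT", "DROP" or "REJECT") for pkt.

    Evaluation order is an assumption of this model: explicit rules first
    (first match wins), then the Forward firewall switch, then the default
    zone ruleset. policy_action is the DROP/REJECT choice from the firewall
    policy section and is applied whenever the packet is not accepted.
    """
    if policy_action not in ("DROP", "REJECT"):
        raise ValueError("policy action must be DROP or REJECT")
    for zone in (pkt.src, pkt.dst):
        if zone not in ZONES:
            raise ValueError(f"unknown zone {zone!r}")

    # 1. Explicit rules override everything else (this is how traffic is
    #    re-allowed after switching Forward to Blocked, or how a DMZ pinhole
    #    opens a single service from Orange to Green).
    for rule in rules:
        if rule.src == pkt.src and rule.dst == pkt.dst and rule.port in (None, pkt.port):
            return rule.action

    # 2. Forward firewall set to "Blocked": nothing is forwarded between zones
    #    unless a rule re-allowed it above. Traffic to IPFire itself is input
    #    traffic and is not affected by this switch.
    is_forwarded = pkt.dst != "firewall"
    if is_forwarded and forward_mode == "Blocked":
        return policy_action

    # 3. Fall back to the default zone ruleset from the table.
    return "ACCEPT" if default_open(pkt.src, pkt.dst) else policy_action


def matrix(rules: List[Rule], forward_mode: str = "Allowed") -> dict:
    """Verdict for a port-22 probe between every zone pair, for a quick review
    of the effective policy (constructed probe, port chosen arbitrarily)."""
    return {(s, d): evaluate(Packet(s, d, 22), rules, forward_mode)
            for s in ZONES if s != "firewall" for d in ZONES if d != s}


if __name__ == "__main__":
    # Constructed rule: after setting Forward to Blocked, re-allow only HTTPS
    # from Green to the Internet.
    reallow = [Rule("green", "red", 443, "ACCEPT")]
    print("default ruleset, Forward=Allowed:")
    for (s, d), verdict in sorted(matrix([]).items()):
        print(f"  {s:>7} -> {d:<8} {verdict}")
    print("Forward=Blocked with one re-allow rule:")
    print("  green -> red:443 ", evaluate(Packet("green", "red", 443), reallow, "Blocked"))
    print("  green -> red:22  ", evaluate(Packet("green", "red", 22), reallow, "Blocked"))
```

Running the script prints the effective verdict for every zone pair with the default ruleset, then shows how the "Blocked" forward mode closes even the normally open Green -> Red path until a rule re-allows it. Swapping `policy_action="REJECT"` changes every closed verdict from a silent drop to an ICMP error, which is exactly the difference the policy section controls.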