This page describes the default policy of a freshly installed IPFire firewall: a system with no custom rules and no changes to the default firewall behaviour.
Default policy
The firewall policy sub-section of the firewall options page lets you choose what happens to packets refused by the input firewall, and to packets refused by the "Forward" or "Outgoing" firewall when that firewall is set to "Blocked".
Each item can be configured individually to one of the following actions:
- DROP - Packets are silently discarded. The sender receives no answer and will typically wait for a timeout.
- REJECT - Packets are discarded as with DROP, but the remote host additionally receives an ICMP error message. Legitimate clients fail faster, but a scanner also learns that a filtering host is present.
Default firewall behaviour
The second section of the page lets you change the default behaviour for "Forward" and "Outgoing" connections.
Forward
The default value for the "Forward Firewall" is "Allowed". In general this means that any packet may be forwarded to another network zone unless an existing rule prevents it. Such a rule can come from the basic zone policy or from a custom rule written to fit the requirements of your network zones.
When the "Forward Firewall" is switched to "Blocked", traffic is no longer transferred between zones. Note that traffic from the internal zones to IPFire's RED zone is affected as well, but traffic generated by the IPFire system itself is not. You will then have to create firewall rules that re-allow the desired traffic between your internal network zones and the Internet.
Outgoing
The "Outgoing Firewall" controls traffic originating from IPFire itself. It does not affect forwarded traffic from the other local network zones, except where IPFire acts as a proxy: proxied connections are opened by IPFire on behalf of the clients and are therefore subject to the outgoing firewall. The default and strongly recommended setting is "Allowed".
Default zone ruleset
IPFire ships with a default ruleset that restricts traffic between the individual network zones. The following table shows these restrictions:
Source | Direction | Destination | Status |
---|---|---|---|
Red | -> | Firewall | Closed, use external access |
Red | -> | Orange | Closed, use port forwarding |
Red | -> | Blue | Closed, use port forwarding or VPN |
Red | -> | Green | Closed, use port forwarding or VPN |
Orange | -> | Firewall | Closed, no DNS or DHCP for Orange |
Orange | -> | Red | Open |
Orange | -> | Blue | Closed, use DMZ pinholes |
Orange | -> | Green | Closed, use DMZ pinholes |
Blue | -> | Firewall | Closed, use Blue Access |
Blue | -> | Red | Closed, use Blue Access |
Blue | -> | Orange | Closed, use Blue Access |
Blue | -> | Green | Closed, create a Blue to Green pinhole or use VPN |
Green | -> | Firewall | Open |
Green | -> | Red | Open |
Green | -> | Orange | Open |
Green | -> | Blue | Open |
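The following Python model shows how the settings described above combine: the policy action (DROP or REJECT), the "Forward" and "Outgoing" switches, the default zone ruleset from the table, and custom rules. It is an added example written for this page, not IPFire's own code or configuration format. The zone matrix is the one in the table; the `Rule`/`Settings` representation and the evaluation order (first matching custom rule wins, then the Forward/Outgoing switch, then the default zone matrix) are assumptions made for illustration. `flows_needing_rules` answers the practical question from the "Forward" section: which default-open flows must be re-allowed by hand after switching the forward firewall to "Blocked".

```python
from dataclasses import dataclass, field

# Network zones of an IPFire install; "firewall" is the IPFire host itself.
ZONES = ("red", "green", "blue", "orange", "firewall")

# Default zone ruleset from the table above: the (source, destination)
# pairs that are open on a fresh install. Every other pair is closed.
DEFAULT_OPEN = frozenset({
    ("orange", "red"),
    ("green", "firewall"),
    ("green", "red"),
    ("green", "orange"),
    ("green", "blue"),
})


@dataclass
class Rule:
    """A custom zone-to-zone rule (hypothetical representation, not IPFire's)."""
    src: str
    dst: str
    action: str  # "ACCEPT", "DROP" or "REJECT"


@dataclass
class Settings:
    """Switches from the firewall options page plus custom rules (assumed model)."""
    forward: str = "allowed"        # Forward firewall: "allowed" or "blocked"
    outgoing: str = "allowed"       # Outgoing firewall: "allowed" or "blocked"
    input_policy: str = "DROP"      # action for packets refused by the input firewall
    forward_policy: str = "DROP"    # action for packets refused by the forward firewall
    outgoing_policy: str = "DROP"   # action for packets refused by the outgoing firewall
    rules: list = field(default_factory=list)


def _check_zone(zone):
    if zone not in ZONES:
        raise ValueError(f"unknown zone {zone!r}; expected one of {ZONES}")


def verdict(settings, src, dst):
    """Verdict ('ACCEPT', 'DROP' or 'REJECT') for a new connection from zone
    src to zone dst. Assumed order: first matching custom rule wins; then the
    Forward/Outgoing switch; then the default zone matrix."""
    _check_zone(src)
    _check_zone(dst)
    if src == dst:
        return "ACCEPT"  # traffic inside one zone does not cross the firewall
    for rule in settings.rules:
        if rule.src == src and rule.dst == dst:
            return rule.action
    if src == "firewall":
        # Outgoing firewall: traffic generated by IPFire itself.
        # The Forward switch does not apply here.
        if settings.outgoing == "allowed":
            return "ACCEPT"
        return settings.outgoing_policy
    if dst == "firewall":
        # Input firewall: per the table, only Green reaches IPFire by default.
        if (src, dst) in DEFAULT_OPEN:
            return "ACCEPT"
        return settings.input_policy
    # Forwarded traffic between two zones.
    if settings.forward == "blocked":
        return settings.forward_policy
    if (src, dst) in DEFAULT_OPEN:
        return "ACCEPT"
    return settings.forward_policy


def flows_needing_rules(settings):
    """Forwarded (src, dst) pairs that are open on a fresh install but blocked
    under `settings`: the re-allow rules an admin has to write after switching
    the Forward firewall to 'Blocked'."""
    fresh = Settings()
    lost = []
    for src, dst in sorted(DEFAULT_OPEN):
        if "firewall" in (src, dst):
            continue  # input/outgoing traffic is not forwarded traffic
        if verdict(fresh, src, dst) == "ACCEPT" and verdict(settings, src, dst) != "ACCEPT":
            lost.append((src, dst))
    return lost


if __name__ == "__main__":
    locked = Settings(forward="blocked", forward_policy="REJECT")
    for pair in flows_needing_rules(locked):
        print("needs a rule:", pair, "->", verdict(locked, *pair))
    print("IPFire itself still reaches red:", verdict(locked, "firewall", "red"))
```

Running the script lists the four default-open forwarded flows (Green to Blue, Orange and Red, and Orange to Red) that a "Blocked" forward firewall turns into REJECT verdicts, while IPFire's own connection to Red stays accepted, matching the caveat in the "Forward" section. Adding a `Rule("green", "red", "ACCEPT")` to `Settings.rules` removes that pair from the list.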