Welcome to the introduction to the IPFire firewall. If you are working with firewalls for the first time, this is the guide that helps you to get an overview of how a firewall works and what you need to do to manage it.
Please note, that working on the firewall ruleset can create unwanted holes in the firewall. So please make sure that you know what you are doing and search for assistance in case you are unsure. Managing the IPFire firewall is not rocket science, but there are still some things that you need to learn before you start and you should follow recommended practices at all times.
Firewall Rules
The core of a firewall is the firewall rules. All of them together are called the ruleset. They allow and deny hosts to access hosts on one side of the firewall to access hosts on other networks. By combining firewall rules, you can create powerful rulesets that solve complex problems. Maintaining complicated rulesets is often difficult, but IPFire comes with some features like the Firewall Groups that help to reduce the number of rules you will need.
In Creating Firewall Rules (reference) you will find a comprehensive reference with all options there are to create firewall rules. If you want to create common setups like Creating a Port-Forward Rule or Creating a DMZ Pinhole, click on the quick start guides to learn about that. Once you have created some rules, you will see these on the rules page in the firewall section.
How to manage my firewall?
If you are able to create, edit and delete firewall rules, you already know most of the things there are to do when you are managing your firewall.
There are some other pages that help you to see what is going on:
- Status
- Logging
Features
Features of the IPFire firewall that distinguishes IPFire from other firewall solutions:
Easy to manage
The IPFire firewall is easy to manage. The graphical web user interface has been designed for beginners and also offers expert options so that powerful rules can be created.
Stateful Inspection Firewall
IPFire employs a Stateful Packet Inspection (SPI) firewall. That means that the firewall internally stores information about every connection and is then able to associate every packet that transits the firewall to the connection it belongs to.
This information is very helpful, because it is used to open the way for the response packets automatically. Therefore it is not necessary to create a rule into the opposite direction every time a port-forward is created. The firewall figures this out automatically.
Network Address Translation (NAT)
The WUI can be used to create Network Address Translation Reference rules like port-forwarding (DNAT) and source NAT rules. With these two types of address translations, you are able to host server farms behind the firewall and masquerade any private networks or private IP addresses.
For some protocols that have difficulties to traverse NAT (like FTP or SIP), the connection monitoring will open paths for the data/media streams of those protocols.
Intelligent Intrusion Prevention
The firewall can be paired with an Intrusion Prevention System (IPS), which will actively scan and block any threats.
Internals
The IPFire firewall is based on the Linux netfilter Packet Filtering framework which is famous for its command line tool iptables
.