Install IPFire Linux Firewall

  Uncategorized

Introduction

IPFire is an Open Source Linux-based firewall distribution that can be configured to provide additional security for your data center. It contains VirtIO kernel modules and offers excellent performance on the KVM hypervisor.

Requirements

The system requirements for IPFire are quite modest. It is recommended that IPFire be configured with at least:

  • 1 Processor Core
  • 1GB RAM
  • 4GB HDD/Disk Storage
  • 2 Network Interfaces

If you wish to retain a significant amount of activity logs or anticipate installing a number of add-on packages (via pakfire) please allocate additional disk storage space.

It is recommended that a static/reserved IP address be assigned to the WAN/Public interface.

Reserve IP Address

Some additional information on the process of reserving an IP address can be found in our articles Adding Secondary Virtual IP Addresses and Static IP Assignment

Preparation

IPFire is available for download at http://downloads.ipfire.org.

As of this writing, the current version available is “IPFire 2.17 – Core Update 93” which can be found at:

http://downloads.ipfire.org/release/ipfire-2.17-core93

Download the Installable CD image

Once we have it downloaded, we will need to upload it via FTP to the appropriate ProfitBricks data center so that it will appear in the Image Manager inside the DCD. It will then be available under “Own Images” for use when provisioning a server.

Upload IPFire ISO

Create a data center if you don’t already have one setup.

Create a data center

Now that we have the image available, go ahead and add a Composite Instance in your data center. For this tutorial, we will assign one processor core, 2GB of RAM, and create a 5GB hard disk volume. You can scale those resources as you see fit.

Create a Composite Instance in your data center

Create a new CD-ROM and select “ipfire-2.17.i586.full-core93.iso” from “Own Images”:

Create new CD-ROM

Make sure and check the “Boot from Device” option:

Check "Boot From Device" option

This is what your “Storage” tab will look like:

Storage tab

Now we will add the two network interfaces. Add a name of “WAN” for “NIC 0” and choose the IP address we reserved earlier from the “Primary IP” drop-down menu. Use “Add NIC” to create “NIC 1” and name it “LAN”. It should end up looking like this screenshot:

Add the two network interfaces

Go ahead and provision the changes.

IPFire Installation

Once it has been provisioned and the server is booted, we will proceed with the install using the remote console inside the DCD.

Install Console

Choose your language, accept the license agreement.

Firstboot Language Select

Proceed through the install.

Prepare HDD

Choose the “ext4 Filesystem” unless you have a good reason to prefer one of the other options.

Choose ext4 filesystem

The install will continue and finish quickly.

Install progress

Basic Configuration

When complete, it will reboot and using the remote console via the DCD we will need to complete the basic setup.

Confirm your language choice.

Firstboot Language Select

You will be prompted on similar looking screens for ‘Timezone’, “Hostname” and “Domainname”.

On the next screen, you’ll set a root password which will be used when accessing the IPFire server via SSH.

IPFire set root password

Right after setting the root password, a similar looking screen will prompt you to set an admin password which will be used to access the IPFire web interface. It is recommended to set unique passwords for root and admin rather than using the same one for both users.

The characters you type will not echo to the console screen, so be careful as you are typing to ensure that the passwords match.

Accept the default “GREEN + RED” setting for “Network configuration type”:

Firstboot Language Select

We can refer back to the DCD to get the MAC information needed to complete the “Assigned Cards” section.

Configure Assigned MACs

We want to match up the MAC to the appropriate interface. The RED interface is our WAN or Public interface using the reserved IP address.

Configure Red Address

The GREEN interface is our LAN or Private interface which will be assigned a non-publicly routable IP address range by default.

Configure Green Address

We will set our DNS resolver address to be the one available at the ProfitBricks facility where we provisioned our data center. In this tutorial we used the Las Vegas Developer Cluster, so the Primary DNS Address is 69.194.131.41. For the Secondary DNS Addresswe will just use one of Google’s public DNS servers. The Default gateway should be set to your reserved IP address, only ending in .1, so for the tutorial we will set it to 162.254.27.1 as shown below.

Configure DNS and Gateway

DHCP Server Configuration — Do not enable this unless you need it for some specific reason. Having your firewall hand out IP addresses via DHCP is not a typical configuration for use in a data center. It would be appropriate to enable when using IPFire to protect a home or office network.

Setup is now complete.

Note It is possible to return to this setup interface later on by running setup after logging in as root.

Use the DCD to remove the CD-ROM and set the server to boot from the HDD.

At this point we can access the web interface one of two ways:

1) Configure a VM that has a browser available and attach it to the LAN. Use the remote console to open a browser inside that VM and access the IPFire web interface on the private address.

2) Make a change to the IPFire firewall configuration so that we can access the web interface on the Public/WAN/RED interface. Leaving this permanently open is not the ideal solution security wise, but will allow us to make additional configuration changes such as setting up a VPN. Once the VPN is active, then we can disable external access to the web interface and utilize the VPN to access the web interface running internally.

The changes necessary for method two are: Use the DCD’s remote console to log into IPFire as the root user using the password created during the install.

Locate the section of /etc/init.d/firewall starting at line 198 that handles default access to the web interface on the GREEN/LAN interface. It should look like this if you have line numbers enabled in vi:

197         # localhost and ethernet.
198         # Always allow accessing the web GUI from GREEN.
199         iptables -N GUIINPUT
200         iptables -A INPUT -j GUIINPUT
201         iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT

We are going to add a line to allow access on the RED/WAN interface.

# Allow accessing the web GUI from RED
iptables -A GUIINPUT -i "${RED_DEV}" -p tcp --dport 444 -j ACCEPT

If your local workstation has a static IP address, you could scope access to just your specific IP by adding -s "Client IP Address". The lines to add would be:

# Allow accessing the web GUI from RED for a specific IP
iptables -A GUIINPUT -i "${RED_DEV}" -s "YourIPAddress" -p tcp --dport 444 -j ACCEPT

This screenshot shows the new lines in the file:

Enable Web Interface Access on RED

now run /etc/init.d/firewall restart to apply the rule change.

Web Interface

We should now be able to access the IPFire web GUI using the public IP address assigned to RED. There will be a SSL certificate warning due to the self-signed SSL certificate. You will need to add an exception or otherwise bypass that warning. The steps for doing so will vary according to your browser.

IPFire Web Interface Home

Testing

As a quick example, we will enable SSH access to the IPFire server and add a rule to permit the connection. For enhanced security, the SSH daemon is not running on IPFire by default. This is good and should remain configured that way for your production setup. However, you may find having external SSH access is helpful during the configuration, testing, and setup process.

First we need to enable SSH via the Web Interface. IPFire has SSH configured to listen on port “222” rather than the standard SSH port “22” by default. On the System menu, select SSH Access.

IPFire add ssh access

Check the SSH Access option, and then Save

IPFire add ssh access

Now we need to add a rule to allow the connections. From the Firewall menu, choose Firewall Rules and use the New rule button to create a new rule. In this example, we are specifying that we want to allow connections from a single source IP which is populated with our admin workstation’s public IP address. The destination is set as the RED firewall interface. The protocol is set to TCP, and the destination port is: 222. We have also added a “Remark:” so that we will remember what this rule is for.

IPFire Web Interface Home

When you have everything set, click Add to create the rule.

IPFire Web Interface Home

If it looks good, press the Apply Changes button.

IPFire add ssh access

Finally we test connecting via SSH.

IPFire SSH 222 working

When you are done working with the IPFire server externally via SSH, you can turn it off and/or remove the rule.

Take a look around the IPFire interface. The Status menu provides detailed information about what is going with your network. Here is an example with the Connections screen:

IPFire SSH 222 working

We can see that there are established connections on ports 444 for the web interface and 222 for SSH.

Views: 225

LEAVE A COMMENT

What is the capital of Egypt? ( Cairo )