Introduction
IPFire is an Open Source Linux-based firewall distribution that can be configured to provide additional security for your data center. It contains VirtIO kernel modules and offers excellent performance on the KVM hypervisor.
Requirements
The system requirements for IPFire are quite modest. It is recommended that IPFire be configured with at least:
- 1 Processor Core
- 1GB RAM
- 4GB HDD/Disk Storage
- 2 Network Interfaces
If you wish to retain a significant amount of activity logs or anticipate installing a number of add-on packages (via pakfire), please allocate additional disk storage space.
It is recommended that a static/reserved IP address be assigned to the WAN/Public interface.
Some additional information on the process of reserving an IP address can be found in our articles Adding Secondary Virtual IP Addresses and Static IP Assignment.
Preparation
IPFire is available for download at http://downloads.ipfire.org.
As of this writing, the current version available is “IPFire 2.17 – Core Update 93” which can be found at:
http://downloads.ipfire.org/release/ipfire-2.17-core93
Download the Installable CD image.
Once we have it downloaded, we will need to upload it via FTP to the appropriate ProfitBricks data center so that it will appear in the Image Manager inside the DCD. It will then be available under “Own Images” for use when provisioning a server.
Create a data center if you don’t already have one setup.
Now that we have the image available, go ahead and add a Composite Instance in your data center. For this tutorial, we will assign one processor core, 2GB of RAM, and create a 5GB hard disk volume. You can scale those resources as you see fit.
Create a new CD-ROM and select “ipfire-2.17.i586.full-core93.iso” from “Own Images”:
Make sure to check the “Boot from Device” option:
This is what your “Storage” tab will look like:
Now we will add the two network interfaces. Add a name of “WAN” for “NIC 0” and choose the IP address we reserved earlier from the “Primary IP” drop-down menu. Use “Add NIC” to create “NIC 1” and name it “LAN”. It should end up looking like this screenshot:
Go ahead and provision the changes.
IPFire Installation
Once it has been provisioned and the server is booted, we will proceed with the install using the remote console inside the DCD.
Choose your language, accept the license agreement.
Proceed through the install.
Choose the “ext4 Filesystem” unless you have a good reason to prefer one of the other options.
The install will continue and finish quickly.
Basic Configuration
When complete, it will reboot and using the remote console via the DCD we will need to complete the basic setup.
Confirm your language choice.
You will be prompted on similar looking screens for ‘Timezone’, “Hostname” and “Domainname”.
On the next screen, you’ll set a root password which will be used when accessing the IPFire server via SSH.
Right after setting the root password, a similar looking screen will prompt you to set an admin password which will be used to access the IPFire web interface. It is recommended to set unique passwords for root and admin rather than using the same one for both users.
The characters you type will not echo to the console screen, so be careful as you are typing to ensure that the passwords match.
Accept the default “GREEN + RED” setting for “Network configuration type”:
We can refer back to the DCD to get the MAC information needed to complete the “Assigned Cards” section.
We want to match up the MAC to the appropriate interface. The RED interface is our WAN or Public interface using the reserved IP address.
The GREEN interface is our LAN or Private interface which will be assigned a non-publicly routable IP address range by default.
We will set our DNS resolver address to be the one available at the ProfitBricks facility where we provisioned our data center. In this tutorial we used the Las Vegas Developer Cluster, so the Primary DNS Address is 69.194.131.41. For the Secondary DNS Address we will just use one of Google’s public DNS servers. The Default gateway should be set to the address in the same network as your reserved IP address that ends in .1, so for the tutorial we will set it to 162.254.27.1 as shown below.
DHCP Server Configuration — Do not enable this unless you need it for some specific reason. Having your firewall hand out IP addresses via DHCP is not a typical configuration for use in a data center. It would be appropriate to enable when using IPFire to protect a home or office network.
Setup is now complete.
Note: It is possible to return to this setup interface later on by running setup after logging in as root.
Use the DCD to remove the CD-ROM and set the server to boot from the HDD.
At this point we can access the web interface one of two ways:
1) Configure a VM that has a browser available and attach it to the LAN. Use the remote console to open a browser inside that VM and access the IPFire web interface on the private address.
2) Make a change to the IPFire firewall configuration so that we can access the web interface on the Public/WAN/RED interface. Leaving this permanently open is not the ideal solution security-wise, but it will allow us to make additional configuration changes such as setting up a VPN. Once the VPN is active, we can disable external access to the web interface and use the VPN to reach the web interface running internally.
The changes necessary for method two are as follows. Use the DCD’s remote console to log into IPFire as the root user with the password created during the install.
Locate the section of /etc/init.d/firewall starting at line 198 that handles default access to the web interface on the GREEN/LAN interface. It should look like this if you have line numbers enabled in vi:
197 # localhost and ethernet.
198 # Always allow accessing the web GUI from GREEN.
199 iptables -N GUIINPUT
200 iptables -A INPUT -j GUIINPUT
201 iptables -A GUIINPUT -i "${GREEN_DEV}" -p tcp --dport 444 -j ACCEPT
We are going to add a line to allow access on the RED/WAN interface.
# Allow accessing the web GUI from RED
iptables -A GUIINPUT -i "${RED_DEV}" -p tcp --dport 444 -j ACCEPT
If your local workstation has a static IP address, you could scope access to just your specific IP by adding -s "Client IP Address". The lines to add would be:
# Allow accessing the web GUI from RED for a specific IP
iptables -A GUIINPUT -i "${RED_DEV}" -s "YourIPAddress" -p tcp --dport 444 -j ACCEPT
This screenshot shows the new lines in the file:
Now run /etc/init.d/firewall restart to apply the rule change.
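Because the open-to-RED rule is meant to be temporary, it helps to have a quick check that tells you whether the loaded GUIINPUT chain still exposes port 444 to any source on RED. The script below is an added audit example written for this tutorial, not part of IPFire or its init script; it assumes RED is red0 and reads rules in the layout printed by iptables -S, using constructed sample rule sets so it runs offline.

```sh
#!/bin/sh
# Audit helper added for this tutorial; not part of IPFire or /etc/init.d/firewall.
# Reads rules in the format printed by "iptables -S GUIINPUT" from stdin and
# flags any rule that accepts TCP/444 (the IPFire web GUI) on the RED
# interface without a "-s" source restriction.
# Assumptions (constructed): RED is red0; rules follow the iptables -S layout.

RED_DEV="${RED_DEV:-red0}"

# Returns 0 when every RED rule for port 444 is scoped to a source address,
# 1 when at least one unrestricted rule is present.
audit_gui_rules() {
    unrestricted=0
    while IFS= read -r rule; do
        case "$rule" in
            "-A GUIINPUT "*"-i $RED_DEV "*"--dport 444 "*"-j ACCEPT")
                case "$rule" in
                    *" -s "*) echo "scoped:       $rule" ;;
                    *)        echo "UNRESTRICTED: $rule"; unrestricted=1 ;;
                esac ;;
        esac
    done
    return "$unrestricted"
}

# Constructed sample: the tutorial's first variant, open to any RED source.
sample_open() {
    cat <<'EOF'
-N GUIINPUT
-A GUIINPUT -i green0 -p tcp -m tcp --dport 444 -j ACCEPT
-A GUIINPUT -i red0 -p tcp -m tcp --dport 444 -j ACCEPT
EOF
}

# Constructed sample: the same access scoped to one admin workstation (TEST-NET address).
sample_scoped() {
    cat <<'EOF'
-N GUIINPUT
-A GUIINPUT -i green0 -p tcp -m tcp --dport 444 -j ACCEPT
-A GUIINPUT -s 203.0.113.10/32 -i red0 -p tcp -m tcp --dport 444 -j ACCEPT
EOF
}

# Stand-alone demo; on a live IPFire box run: iptables -S GUIINPUT | audit_gui_rules
sample_open | audit_gui_rules || echo "web GUI is reachable from any RED source"
sample_scoped | audit_gui_rules && echo "all RED access to the web GUI is scoped"
```

Run it after disabling external access again to confirm the temporary rule really is gone from the loaded chain.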
Web Interface
We should now be able to access the IPFire web GUI using the public IP address assigned to RED. There will be an SSL certificate warning due to the self-signed SSL certificate. You will need to add an exception or otherwise bypass that warning. The steps for doing so will vary according to your browser.
Testing
As a quick example, we will enable SSH access to the IPFire server and add a rule to permit the connection. For enhanced security, the SSH daemon is not running on IPFire by default. This is good and should remain configured that way for your production setup. However, you may find having external SSH access is helpful during the configuration, testing, and setup process.
First we need to enable SSH via the Web Interface. IPFire has SSH configured to listen on port “222” rather than the standard SSH port “22” by default. On the System menu, select SSH Access.
Check the SSH Access option, and then click Save.
Now we need to add a rule to allow the connections. From the Firewall menu, choose Firewall Rules and use the New rule button to create a new rule. In this example, we are specifying that we want to allow connections from a single source IP which is populated with our admin workstation’s public IP address. The destination is set as the RED firewall interface. The protocol is set to TCP, and the destination port is: 222. We have also added a “Remark:” so that we will remember what this rule is for.
When you have everything set, click Add to create the rule.
If it looks good, press the Apply Changes button.
Finally we test connecting via SSH.
When you are done working with the IPFire server externally via SSH, you can turn it off and/or remove the rule.
Take a look around the IPFire interface. The Status menu provides detailed information about what is going on with your network. Here is an example with the Connections screen:
We can see that there are established connections on ports 444 for the web interface and 222 for SSH.