Secure Your Network Using IPFire Firewall Distribution

Security is one of the core components of every organization’s network. Many large companies have hardware firewalls to protect their network. Those hardware firewalls can cost hundreds of thousands of dollars. SOHO (Small Office or Home Office) users can’t afford that much. For users who need to secure their network at no cost, it is worth trying the Linux distribution called IPFire. It is not designed only for SOHO users; it will support a large network if you have the right hardware.

IPFire is an open-source Linux distribution with many cool features such as a web-based GUI, web proxy, intrusion detection, VPN, virus scanner, full customizability and many more. Visit the official website for more details. It has many add-ons which can be installed with a single click, which makes the system administrator’s life much easier, or means you don’t need one at all. Sounds good? Well, let us implement a firewall for our organization with IPFire.

Disclaimer: I can’t issue any assurance that this will work for you. There are many open-source firewall distributions available. I didn’t say that this is the only way to set up a firewall system. There are plenty of tools available. This is the way that I have taken to implement the firewall system. We are making articles for all open-source firewall distributions. We will post them periodically.

Installing IPFire

Before proceeding further, let us make sure that we have the following things in hand first.

1. IPFire needs at least a Pentium-based i586 336 ghz or better CPU

2. It needs 256MB RAM, 512MB is recommended

3. It needs only 100MB disk space, but a 2GB HDD would be better

4. Finally, and importantly, you need at least two network adapters: one for the ISP (Inbound) and another one for your LAN (Outbound)

Download the latest version of IPFire. Burn the CD with the ISO and boot the system. The following screen should appear. Press ENTER to continue.

IPFire [Running] - Oracle VM VirtualBox_001

Select the Language and Press OK.

IPFire [Running] - Oracle VM VirtualBox_002

Accept the License Agreement and Press OK.

IPFire [Running] - Oracle VM VirtualBox_003

Select Yes to format the hard drive.

IPFire [Running] - Oracle VM VirtualBox_004

Choose your filesystem type and Press OK.

IPFire [Running] - Oracle VM VirtualBox_005

Now the installer will begin to install the base system.

IPFire [Running] - Oracle VM VirtualBox_006

Reboot the system after completing the installation.

IPFire [Running] - Oracle VM VirtualBox_007

Select the keyboard layout. Here I prefer US keyboard layout.

IPFire [Running] - Oracle VM VirtualBox_008

Select your time zone.

IPFire [Running] - Oracle VM VirtualBox_009

Enter the host name for the firewall. In my case it’s “firewall”.

IPFire [Running] - Oracle VM VirtualBox_010

Enter the domain name.

IPFire [Running] - Oracle VM VirtualBox_011

Enter the root user password for command-line access. The password is not shown as you type (not even as ***** characters).

IPFire [Running] - Oracle VM VirtualBox_012

Enter the “admin” user password for web-based administration.

IPFire [Running] - Oracle VM VirtualBox_013

Here we come to the important section. You have to select the network configuration carefully. Let me explain the network zones of IPFire.

A standard IPFire installation is Green + Red, which means 2 networks. Typically your Green network is for your LAN and your Red network is for the WAN (Internet).

A maximum of 4 networks is possible, namely Green, Blue, Orange and Red.

Red - WAN - External network, connected to the Internet
Green - LAN - Internal/Private network, connected locally
Orange - DMZ - Unprotected/Server network, de-militarized zone
Blue - WLAN - Wireless network, separate network for wireless clients

Configure the zones according to your network. In my case I am using only two network cards, Green and Red. The Green network is connected to my home network and the Red network is connected to the WAN.

So here I select GREEN+RED network type.

IPFire [Running] - Oracle VM VirtualBox_015

Select the network card for the Green zone.

IPFire [Running] - Oracle VM VirtualBox_016

IPFire [Running] - Oracle VM VirtualBox_017

Select the interface for the Red zone.

IPFire [Running] - Oracle VM VirtualBox_018

IPFire [Running] - Oracle VM VirtualBox_019

After selecting the interfaces for both zones, click Done to save the changes.

IPFire [Running] - Oracle VM VirtualBox_020

Now you will return to the Network Configuration Wizard. Click on Address settings to set the IP addresses for the network interfaces.

IPFire [Running] - Oracle VM VirtualBox_021

Select the Green interface and click OK.

IPFire [Running] - Oracle VM VirtualBox_022

Enter the IP address for the Green interface.

IPFire [Running] - Oracle VM VirtualBox_025

Now set the IP address for the RED interface. Set your WAN IP address.

IPFire [Running] - Oracle VM VirtualBox_024

After setting up the IP addresses, click Done to return to the network configuration wizard. Click on the DNS and Gateway settings tab and set your DNS and gateway to connect to the internet.

IPFire [Running] - Oracle VM VirtualBox_026

IPFire [Running] - Oracle VM VirtualBox_027

After completing all the above steps, click Done to finish the network configuration.

If you want to set this system up as the DHCP server for your LAN, check the Enabled button and enter the IP range to serve to your LAN systems. Here I am not using this server as DHCP, so I leave it unchecked.

IPFire [Running] - Oracle VM VirtualBox_028

Finally click OK to complete the setup wizard.

IPFire [Running] - Oracle VM VirtualBox_029

The system will automatically restart now. That’s it. The installation part is over.
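
The addresses entered in the steps above (Green and Red interfaces, the gateway, the optional DHCP range) can be checked for mistakes before they are typed into the wizard. The following is an added example, not part of the original article or of IPFire itself; the `PLAN` layout, the `check_plan` name and all addresses are constructed for illustration, and IPv4 is assumed.

```python
import ipaddress

# Constructed sample plan; replace the values with your own addressing.
PLAN = {
    "green": {"address": "192.168.1.1/24"},
    "red": {"address": "203.0.113.10/29", "gateway": "203.0.113.9"},
    "dhcp": {"zone": "green", "start": "192.168.1.100", "end": "192.168.1.200"},
}
ZONES = ("red", "green", "orange", "blue")

def check_plan(plan):
    """Return a list of problems in a zone address plan (empty list = OK)."""
    problems, ifaces = [], {}
    for zone in ZONES:
        if zone in plan:
            try:
                ifaces[zone] = ipaddress.ip_interface(plan[zone]["address"])
            except ValueError as exc:
                problems.append(f"{zone}: bad address ({exc})")
    for required in ("red", "green"):  # the standard Green + Red setup
        if required not in ifaces:
            problems.append(f"{required}: no usable address")
    # The firewall's own address must be a host address in its subnet.
    for zone, iface in ifaces.items():
        net = iface.network
        if net.prefixlen < 31 and iface.ip in (net.network_address,
                                               net.broadcast_address):
            problems.append(f"{zone}: {iface.ip} is not a host address")
    # Two zones sharing address space cannot be routed or filtered apart.
    names = sorted(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(f"{a}/{b}: subnets overlap")
    # The default gateway has to be reachable directly on the Red subnet.
    gw = plan.get("red", {}).get("gateway")
    if gw and "red" in ifaces:
        gw_ip = ipaddress.ip_address(gw)
        if gw_ip not in ifaces["red"].network or gw_ip == ifaces["red"].ip:
            problems.append(f"red: gateway {gw} is not a neighbour on Red")
    # The DHCP pool must sit inside its zone and skip the firewall itself.
    dhcp = plan.get("dhcp")
    if dhcp and dhcp["zone"] in ifaces:
        iface = ifaces[dhcp["zone"]]
        start = ipaddress.ip_address(dhcp["start"])
        end = ipaddress.ip_address(dhcp["end"])
        if start > end or start not in iface.network or end not in iface.network:
            problems.append("dhcp: range is not inside the zone subnet")
        elif start <= iface.ip <= end:
            problems.append("dhcp: range includes the firewall's own address")
    return problems

if __name__ == "__main__":
    print(check_plan(PLAN) or "plan OK")
```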

Configure IPFire

You can access the IPFire administration console by navigating to https://ip-address-of-server:444/ from your client system’s browser. Enter admin as the username, and the password which you created during the installation process.

Untrusted Connection - Mozilla Firefox_031

This is how the home page of your firewall server looks.

IPFire - Main page - Mozilla Firefox_032

From here you can configure many services like intrusion detection, VPN, web proxy, firewall and so on. Let me show you them one by one.

Status

This section shows the CPU and load graphs of your firewall, so you can see its CPU and load usage. You can also view the reports on a daily, weekly, monthly and yearly basis.

IPFire - Status information - Mozilla Firefox_033

Network

Here comes the interesting section. There is no more hectic command line work. All you have to do is click on the relevant check box to make that particular service active. In this section we can configure a lot of options:

Web proxy

You can make this server act as a proxy server for your LAN. You can set up both transparent and non-transparent proxying; in transparent mode you don’t have to enter the proxy server port in your client browser’s network settings. You can also change the proxy port if needed.

IPFire - Advanced web proxy configuration - Mozilla Firefox_035

You can allow only the ports that are needed. The remaining ports will be inactive. This option lets users allow the required ports through iptables. You can set which network ranges should be allowed and which shouldn’t be allowed in the proxy server.

You can also restrict users from using the Internet with IP-based, name-based and MAC-address-based authentication. This feature is especially useful for those who don’t want to provide their internet connection to third-party users. You can also allow time-scheduled internet usage for users.

IPFire - Advanced web proxy configuration - Mozilla Firefox_036

We can set on which days and at which times users can access the internet. We can limit the size of downloaded or uploaded data too. This prevents users from downloading a large file and consuming all the bandwidth. One more notable feature is that we can authenticate users against our LDAP, Windows AD and RADIUS servers.

Once you have made all the settings you need, click on the Save and Reload or Save and Restart button.

Content Filter

This section is also very interesting. Navigate to the sub-menu on the right side and click on Content filter. In this section we can block ads, porn websites, social networking sites, hacking, drugs, audio-video websites and so on.

IPFire - URL filter configuration - Mozilla Firefox_037

If you want to block particular domains or websites, just add them one by one in the custom blacklist section. The domains or websites added to this list will be blocked automatically. Alternatively, you can put all the websites that you want to restrict in a separate file and import it into the IPFire firewall.

IPFire - URL filter configuration - Mozilla Firefox_038

There are other sections such as Update accelerator, DHCP server, Connection scheduler etc. Go through those sections and make changes as per your requirements.

Services

In this section, you can configure services such as VPN, Intrusion Detection, Dynamic DNS and so on.

IPFire - VPN configuration - Main - Mozilla Firefox_039

You can find the services listed in the right-side sub-menu.

Firewall

In this section you can add whatever firewall rules you want to implement. Navigate to the right-side sub-menu to add more rules.

IPFire - Port forwarding configuration - Mozilla Firefox_041

Pakfire

IPFire has a package manager called pakfire which can be used to add many add-ons. You can add any available plugins in this section, and you can set the update options as well.

IPFire - Pakfire Configuration - Mozilla Firefox_042

Logs

Well, we have reached the last section. In this section we can see all logs such as proxy logs, firewall logs, IDS logs and URL filter logs. Using these logs, we can track users and keep an eye on what they are doing on the internet.

IPFire - Log Summary - Mozilla Firefox_043

Conclusion

This is not a complete tutorial; it is far from complete. I personally tested this distribution and installed it for some clients. They are happy and satisfied with this easy-to-manage firewall. The IPFire team also provides commercial support. For me it is the most well polished and hardened firewall distribution which I have ever used. If you have any suggestions or know of other solutions, drop them in the comment section.

For questions please refer to our Q/A forum at : http://ask.unixmen.com/
