After taking a closer look at how to achieve better DNS settings in terms of privacy, this post elaborates the necessary steps for a secure configuration of IPFire's firewall engine.

Depending on how volatile and predictable your network is, the following steps might cause interruptions or break some clients altogether - if they are using hard-coded DNS resolvers, for example -, so it might be a good idea to apply them within a maintenance window. Make sure you can access the wiki at any time in order to know what to do if something was misconfigured by accident.

## Change the default behaviour to drop all packets

By default, IPFire permits all outgoing connections initiated by internal networks or the system itself. While this is certainly not optimal in terms of security, it is necessary for some use cases such as fixed changeover dates, and makes using IPFire less troublesome for beginners and drop-in replacement scenarios, as its firewall engine behaves like an ordinary ISP router.

To make things as secure as possible, however, it is necessary to drop any connection by default. In order to do so, change the "forward firewall" and "outgoing firewall" policies to "blocked" on the firewall options CGI. Afterwards, a reboot is required to apply these settings.

After rebooting, nothing will work.

## Allow essential connections for IPFire itself

Some network services must be reachable for any IPFire machine, which is why the following outgoing firewall rules are needed as a second step:

Unless DNS over TLS is enabled, this includes connections to port 53 to the group of DNS resolvers configured. (We will come to firewall groups in a moment.) Apart from UDP, TCP is needed as well to support receiving larger responses that do not fit into a single UDP packet. With DNS over TLS, the destination port becomes 853 (TCP only).

Validating DNSSEC, establishing TLS sessions and using similar cryptographic systems requires clock synchronisation, which is the goal of the Network Time Protocol (NTP). Unless a custom NTP server has been configured in IPFire - usually required for enterprise environments -, this requires connections to members of the public internet pool of NTP servers on port 123 (UDP).
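Because nothing works after the policy is switched to "blocked" until the allow rules are in place, it pays to check the planned rule set against the essential flows described above before rebooting. The following is an added example, not IPFire code: it models first-match allow/drop rules with a default-drop policy and reports which of the required flows (DNS to every configured resolver on UDP and TCP 53, or TCP 853 with DNS over TLS; NTP on UDP 123) a rule set would still block. The resolver and NTP addresses are constructed TEST-NET-1 values, and the `Rule`, `evaluate` and `check_policy` names are the example's own.

```python
"""Pre-flight check for an IPFire-style default-drop outbound policy.

Added example; not IPFire's code. Rules are evaluated first-match with a
default-drop fallback, mirroring what an outgoing policy of "blocked"
means once only the explicit allow rules remain.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str                  # "allow" or "drop"
    proto: str                   # "udp", "tcp" or "any"
    dst_nets: List[ipaddress.IPv4Network]  # the rule's destination group
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, proto: str, dst: ipaddress.IPv4Address, dport: int) -> bool:
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return any(dst in net for net in self.dst_nets)


def evaluate(rules: List[Rule], proto: str, dst: ipaddress.IPv4Address,
             dport: int, default: str = "drop") -> str:
    """First matching rule wins; otherwise the default policy applies."""
    for rule in rules:
        if rule.matches(proto, dst, dport):
            return rule.action
    return default


def essential_flows(resolvers, dns_over_tls, ntp_servers):
    """Flows IPFire itself needs, as described in the post."""
    flows = []
    for r in resolvers:
        if dns_over_tls:
            flows.append(("tcp", r, 853, "DNS over TLS"))
        else:
            flows.append(("udp", r, 53, "DNS (UDP)"))
            # TCP fallback for responses too large for one UDP packet
            flows.append(("tcp", r, 53, "DNS (TCP, large responses)"))
    for n in ntp_servers:
        flows.append(("udp", n, 123, "NTP"))
    return flows


def check_policy(rules, resolvers, dns_over_tls, ntp_servers):
    """Return a description of every essential flow the rule set blocks."""
    blocked = []
    for proto, dst, port, what in essential_flows(resolvers, dns_over_tls, ntp_servers):
        if evaluate(rules, proto, ipaddress.ip_address(dst), port) != "allow":
            blocked.append(f"{what}: {proto}/{port} to {dst}")
    return blocked


# Constructed sample configuration (TEST-NET-1 addresses, not real servers).
RESOLVERS = ["192.0.2.53", "192.0.2.54"]
RESOLVER_GROUP = [ipaddress.ip_network(f"{r}/32") for r in RESOLVERS]
NTP_SERVERS = ["192.0.2.123"]
ANY_DST = [ipaddress.ip_network("0.0.0.0/0")]  # pool members change, so NTP goes anywhere

# Forgets TCP/53: small lookups work, large DNSSEC answers would fail.
INCOMPLETE_RULES = [
    Rule("allow", "udp", RESOLVER_GROUP, 53),
    Rule("allow", "udp", ANY_DST, 123),
]

# Plain DNS rule set with both transports plus NTP.
COMPLETE_RULES = [
    Rule("allow", "udp", RESOLVER_GROUP, 53),
    Rule("allow", "tcp", RESOLVER_GROUP, 53),
    Rule("allow", "udp", ANY_DST, 123),
]

# DNS over TLS rule set: only 853/tcp to the resolver group is needed.
DOT_RULES = [
    Rule("allow", "tcp", RESOLVER_GROUP, 853),
    Rule("allow", "udp", ANY_DST, 123),
]

if __name__ == "__main__":
    for name, rules, dot in [("incomplete", INCOMPLETE_RULES, False),
                             ("complete", COMPLETE_RULES, False),
                             ("dns-over-tls", DOT_RULES, True)]:
        problems = check_policy(rules, RESOLVERS, dot, NTP_SERVERS)
        print(name, "->", problems or "all essential flows allowed")
```

Run it before flipping the policy: an empty result means every resolver in the group and the NTP destination are reachable under the rules as written. The NTP rule deliberately uses any destination because pool members resolve to changing addresses; with a custom NTP server you would narrow it to that host.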