How to set up a proper firewall with IPFire for home or work

0
2461
Set up a proper firewall with IPFire for Home or Work
IPFire Logo

Problem / Outcome Summary

  • This article will show you how to set up a proper firewall with IPFire to protect your home or work network from security threats.
  • Please see the ‘Summary Overview’ tab below for a high level view of the objectives this ‘howto’ will achieve.

Why might I want to do this?

    • To stop people hacking into your network and files from the internet
    • To stop people hacking into your network and files from your Wifi access point
    • Because you have a typical home internet router which does not have a real firewall (most don’t)
    • Because you want an intrusion detection system (IDS) which isn’t available on home Internet routers
    • Because your router is too slow top cope with your internet speed (now becoming common with vDSL and Fibre connections)
    • To speed up your page response with a faster local DNS server (Routers can be slow)
    • To get proper firewall logging so you can ‘see’ what you are protecting yourself from and diagnose issues
    • To protect yourself from both the internal network as well as the external network (internet) (most routers don’t allow this)
    • Because you’ve read about the Edward Snowden leaks and are wondering what else you can do to be more secure

Foreword

To be clear, what does a firewall do?

Simply put, a firewall is a means of protecting your internal network (home, work, school etc) from the threats of the external (and sometimes internal network), the most common external network these day’s being the internet.  There are many many people in the world that try to break in to things, just to see if they can, many of them are not malicious, but many of them are.  If they’re malicious the most likely outcome is your having to spend money (maybe not even straight away) to fix something up – like your PC going slow, or a large internet bill due to a Trojan sending out a lot of traffic from your network somewhere.

You may be interested why I said above that firewall’s can also protect you from your internal network.  This usually fits into one of two scenarios, you have a large company or institution where internal people may bring viruses in, or even try to hack things themselves (think of a computer science department at a university, or a local college), or you have WiFi at home which always has the possibility of others gaining access remotely.  This is a truly scary scenario, you only have to look at the many news articles on the subject such as here to understand what I’m talking about, sadly this happens more often than people realise.

What does an intrusion detection system (IDS) do?

Simply put, an intrusion detection system is able to look at the traffic on your internal or external network interfaces, analyse it and draw security conclusions from the activity.  These conclusions are based around known attacks from a subscribed (free or non-free) dictionary.

Intrusion Detection Log
Intrusion Detection Log

Take a look at a snapshot from my IDS log on the right (click to make bigger).  That’s a very small excerpt from a daily log of IDS activity, which in this example had only been running for less than a week.

Also note that an IDS is not the same as an IPS, an IPS is an intrusion ‘protection’ system, both of these I’ll go into in a later article.

Pre-Requisites

Software Dependencies

Hardware Dependencies

  • Compatible hardware such as a PC or compatible ARM device
  • Preferably two or more physical network ports

Tools Required

  • SSH Access
  • A recent Web Browser such as Firefox, Chrome or Safari

Other Dependencies

  • An external and internal network

High Level Summary Steps

The below lists the high level summary of steps we’re about to take during this howto.

      • Install the IPFire software on a PC
      • Configure the Network Settings
      • Configure the Firewall’s Internet Connection from a Web Browser

Implementation

Choose the installation method

You can install IPFire to run either directly off the hard disk of your computer, or run it directly off a USB stick.  Both examples are shown below, but I have used the full hard disk option.

Steps to create a firewall that runs from a USB stick

  1. Go to http://www.ipfire.org/download
  2. Click on ‘Other Download Options’
  3. Click the ‘Flash image’ word under, i586 – you will get a file similar to ipfire-2.17.1gb-ext4.i586-full-core93.img.gz
  4. Be sure to extract the gzip file so that it becomes ipfire-2.17.1gb-ext4.i586-full-core93.img – (On a Mac or Linux this is built in and you’ll only have to double click it, on windows you will need to download an appropriate decompression tool such as 7-zip.  Once extracted to the img file, you’ll need to create a bootable USB stick or SD card out of it.

For Mac please see our guide on How to create a bootable USB stick on MAC here.  If you’re on Windows try something like Rufus here.

  1. Plug in your USB stick or CDROM and turn on your computer.
  2. Ensure that your computer is configured to boot from your installation media in it’s BIOS
  3. Choose, US Keyboard, Pacific Timezone, ipfire hostname, localdomain for domain name or adjust as you feel appropriate
  4. You will be prompted for both a root password and an admin password.  The Root password is for console access (text and ssh) and the admin password is for the GUI accessed through a web browser.  It’s OK for them to be the same if you like.  Enter both these passwords and repeat in each case.
  5. Then skip the steps directly below and go to the ‘Configure the network settings’ section

Steps to create a firewall the runs from the PC hard drive

  1. Go to http://www.ipfire.org/download
  2. Click on the ‘Download IPFire 2.17 – Core Update 93’ or similar button – You will get a file that ends in iso, which you can either write to DVD, or create a bootable USB stick using the above instructions for Windows / Mac.
  3. Plug in your USB stick or CDROM and turn on your computer.
  4. Ensure that your computer is configured to boot from your installation media in it’s BIOS
  5. Choose, ‘Install IPFire 2.17 Core 92 or similar
  6. Enter
  7. Select Language (English)
  8. Click Start Installation
  9. Tab to accept licence and Press Space Bar to accept the licence
  10. Tab then Click enter on OK
  11. Choose to Delete all data on existing drive – Obviously you must know you want to do this)
  12. Choose ext4 filesystem
  13. You will see a partitioning system, then an install system message, plus a few other messages.
  14. You will then be presented with reboot option, click Enter on this.

Configure the network settings

You are going to be asked for a network configuration type using colours.  The colour options are defined as follows:

      1. Green & Red
      2. Green & Red & Orange
      3. Green & Red & Blue
      4. Green & Red & Orange & Blue

These colours are represented as follows:

      • Red / WAN – External network, typically connected to the internet via your ISP
      • Green / LAN – Internal / Private network, connected locally (such as in your home)
      • Orange / DMZ – The demilitarised zone, a server accessible directly from the Red / WAN interface but through the firewall
      • Blue / WLAN – Wireless network

So in this case, we will configure a Green & Red firewall.

Four network options are available

        • Nework and configuration type
        • Drivers and card assignments
        • Address settings
        • DNS and Gateway settings
  1. Choose Green + Red for a Standard two network card setup
  2. Click OK
  3. Go into Network and configuration type
  4. If you are asked if you want to change the settings, click OK
  5. Assign an interface to Green and Red and remember what this is, you will need to know the brands of which network cards you have, which is likely as you probably had to add one manually to get it into the system anyway.
  6. Click on the first interface (Green), which is your internal network and assign a network card to it.
  7. Click on the second interface (Red), which is your external (internet facing network card) and assign a network card to it.
  8. Click Done when complete
  9. Click on address settings
  10. Choose Green for your internal network and enter in a local IP address for the internal network. Traditionally this should be a very low number (i.e. 192.168.43.1 or 192.168.43.2, or a very high number (192.168.43.254). Generally firewalls are not assigned to be in the middle, this makes it easier to remember.
  11. In the Red Interface, Choose the appropriate option for your setup, in most cases this will be PPPoE for home based connections such as DSL or Fibre, if you have a business connection, it’s possible to be DHCP or Static, but unlikely unless you’re an enterprise or corporate customer, in which case you’re not likely to be using this particular firewall anyway.
  12. Click OK
  13. Click Done.
  14. Click DNS and Gateway Settings
  15. If you’re using PPPoE, these should be left blank and will be self assigned from your Internet Service Provider (ISP).
  16. Click OK when done.
  17. Click Done

Next, you can set up a DHCP server, this is a good idea if you’re essentially using this firewall as the main router for your network, (e.g. a home network) you can however choose to run your DHCP elsewhere by simply not checking the ‘enabled’ check box.

  1. Start Address: 192.168.43.100
  2. End address: 192.168.43.200
  3. Primary DNS (auto populated with the Firewall’s address)
  4. Secondary DNS (OK to leave blank)
  5. Default Lease (mins):4320 (Three days)
  6. Max Lease (Mins):4320
  7. Domain name suffice (localdomain) this will be passed to all the clients receiving an IP address for this server.
  8. Click OK
  9. Setup is complete

The system will now restart

Configure the Firewall’s Internet Connection from a Web Browser

Assuming the previous steps were done correctly, you should now be able to connect to your firewall via a computer connected to the same network.  Do note however, that your computer needs to have an appropriate IP address.  The easiest way is to ensure DHCP is switched on in your network settings and to reboot your computer AFTER you have given your new firewall time to start up.

  • Log into your new server using the IP address you created above for the Green interface.
    In a web browser type: https://ipfire.localdomain:444 or https://192.168.1.2:444 depending on what you set up.  The ‘:444’ denotes the port number IPFire allows you to connect through.
  • Please ensure you use https not http as using http will not work.  You will most likely be prompted that there is an invalid security certificate.  This is OK.
  • Enter in your username (admin) and the password you entered earlier (remember there were two passwords, this is the second one).
  • This is where you configure the system and can look at various system reports etc.

Configure your internet connection

  • On the page that comes up, (the one that says ‘Main Page’ at the top left), click on the word INTERNET that is underlined.
  • Go to interface, ensure PPPoE is selected (assuming that’s what you use).
  • In the Idle timeout, set this to 0 to ensure your connection is permanent (again assuming this is what you want).
  • In the reconnection section, ensure persistent is checked and dial on demand for DNS is checked.
  • Change the Maximum retries to a big number so that your system will recover from a big ISP outage (i.e. 1000).
  • Leave service name and concentrator name blank
  • Leave MTU / MRU blank
  • Enter in your Authentication information
  • Ensure DNS is on Automatic
  • Ensure you fill in the Profile Name (probably with the name of your ISP)
  • Click Save.

If done correctly, you should soon have some IP addresses show up on the Main Page under the INTERNET section. Eventually you would see a Status of ‘Connected – (11m 22s) – Profile Name

At this point, you already have a fully functioning firewall, courtesy of the IPFire team.  This is because the IPFire team include some sensible defaults out of the box.  It’s up to you what you want to do from here with the firewall.  In the coming articles, we’ll show you how to set up an intrusion detection system (IDS), intrusion prevention system (IPS) and some sane firewall rules.

Final Word

Compared to the firewalls of old, this installation is remarkably simple.  Of course, we’ve barely scratched the surface of what we can do to secure a network.

One problem I had was certain sites (ironically the ipfire forums is a fairly consistent problem) would not load, or even resolve the DNS name.  No amount of messing around would fix this until I realised it was DNSSEC.  I had to do was disable the DNSSEC feature in the firewall.  There is quite a mess with large packet streams and fallback to TCP port 53 that still isn’t working as it should.

To do this, you need to SSH into the box, go to the /etc/init.d/dnsmasq file and change the top line that says ENABLE_DNSSEC=1 to ENABLE_DNSSEC=0

Then simply enter # /etc/init.d/dnsmasq restart and you’re good to go.

Congratulations, you now have a better firewall than 99% of the globe.

As always, I welcome your insights and opinions in the comments section below.

**Hosting a web site? Why not apply and follow our article on how to speed it up with a CDN here!

Marshalleq