IPFire is a free Linux distribution which acts as a router and firewall with advanced options. It can be maintained via a web interface. IPFire is based on Linux From Scratch and is a fork from IPCop. IPFire has an active community and is updated often.
IPFire also extends its functionality with plugins. Some of which we will be taking a look at. All of the operations we will cover will be utilizing the Graphical User Interface (GUI) and not any command lines.
IPFire can run on old hardware like a first-generation Intel Pentium, or a SOHO system with an up-to-date multi-core processor. So if you have an old computer lying around and want to experiment with or implement heavier security on your network we suggest giving IPFire a try to see if it fits your needs.
For ease of installation, your IPFire host computer should have at least two network cards (NIC) and a CD/DVD ROM.
In a standard IPFire installation it is Green + Red, which means 2 Networks. Typically you have one network for your home computers, your Green network, and then an Internet connection for the other network, your Red network.
A maximum of 4 networks is possible – namely Green, Blue, Orange and Red.
|Red||WAN||External network, Connected to the Internet (typically a connection to your ISP)|
|Green||LAN||Internal/Private network, connected locally|
|Orange||DMZ||The DeMilitarized Zone, an unprotected/Server network accessible from the internet|
|Blue||WLAN||Wireless Network, A separate network for wireless clients|
You will also want to check the IPFire hardware compatibility list to see if your NICs will work with IPFire (Usually any common INTEL network card will work).
Two NIC cards will be used: one to connect to your modem if you have a modem, if not then it would still be connected to your WAN (WAN IN). The other network card will connect to a switch or router (LAN OUT), depending on how you want to set up your network. For me personally I have used IPFire as a router. I then installed DDWRT firmware on my existing store bought Linksys router, making it then function as a wired and wireless switch for my home network connected to my IPFire router.
Once you have verified your hardware in compatible, Download the IPFire distribution image and burn it to a DVD or CDROM. If you dont know how to do that, you can install a free program called CDBurner XP or use Microsofts built in Disk Burner to burn the image file to disc making it bootable. Hook up a monitor, keyboard and mouse to the host machine you are installing IPFire to, then
A new installation of IPFire by default is set to allow all traffic to include port forwarding. The default settings are seen below in the Firewall Options:
Downloading IPFire add-ons
IPfire has a decent selection of add-ons. These add-ons can be downloaded and installed through the IPFire console by selecting PakFire in the menu. Detailed information about Pakfire can be found the IPFire Pakfire wiki page. Unfortunately it is a little cumbersome trying to select add-ons. You have to know which add-on you want prior to utilizing the Pakfire add-on installer. As you can see, the add-on packages are in some cases unidentifiable by their names alone. This seems to be the most updated list of IPFire add-ons and this page for IPFire “add-on” search results within the IPFire wiki. When you find your add-on you want, go back to Pakfire and install it from there.
IPFire Intrusion Detection System powered with SNORT rules.
IPFire’s Intrusion Detection System (IDS) uses Snort. It can monitor the Red, Green, Orange and Blue interfaces against attacks from inside and outside. While Snort, in conjunction with IDS rulesets, is used to detect attacks, Guardian must be activated to block the attacks.
By default, IPFire is able to download;
Emergingthreats.net Community Rules
Snort/VRT GPLv2 Community Rules
Sourcefire VRT rules for registered users
Sourcefire VRT rules with subscription
Unfortunately the IDS plugin as seen here is cumbersome to use. Just by selecting a rules set to add does not select all the child rules within its category:
As seen below, we selected malware-tools_rules, but if you do not expand the rule you will not see all the separate and specific rule sets which are available in this category. There is no “select all” option. So if want them all, start clicking… one by one. We would like to see the IDS system of selection get streamlined with a minimum of being able to “select all” in a given category. If you wanted all or most of the rules it is a painstaking task if there are many boxes to check. It would be much better to “select all” and then remove the few which you may not want.
Viewing SNORT IDS logs
After enabling SNORT rule sets you could get false positives and block legitimate traffic. If this starts to occur it is important to view the IDS logs and narrow down which rule is blocking legitimate traffic. Here is an example of our IDS log. As you can see this add-on is doing its job of detecting inbound traffic to 220.127.116.11 and showing us the specific intrusion detection rule set triggered:
At the moment this is only passive detection of intrusion attempts and bad traffic. Remember if you want the IDS add on to block the intrusions we need to install the Guardian add-on. We set Guardian to monitor both Red & Green networks. We want the IDS to monitor and block hostile inbound traffic from the WAN (Red) side, but we also wanted to detect possible infected devices coming from our LAN (Green) side therefore we opted to have Guardian monitor our LAN. If there were such an issue, you would be able to see this in the IDS logs.
Unfortunately updating the SNORT rulesets has to be done manually. I’m not sure why it was not included in the IDS add-on to have SNORT rules automatically update and install. It is important to have the most up to date rulesets to protect your network. I hope this is soon fixed in later updates. It has been mentioned in the IPFire forum: here, here, & here.
Geo IP block add-on
Next we take a look at the Geo IP block add-on, aka: County IP block. This is one of the newer additions to IPFire to make its way on to the Pakfire list of available add-on’s. Pretty straight forward and easy to use. Check the box of the country you wish to block and save:
Next is the OpenVPN add-on. We would use this to have IPFire route all our network traffic through an anonymous OpenVPN service.
URL filter add-on
The URL filter add-on is a good one to have. Aside from filtering categories of urls you can also upload custom url blocklists and hove those lists automatically update if pulled from any URL:
Last we look at the TOR plugin. The IPFire Tor add-on enables you to run Tor in two flavors: You can use it as a Tor client to enable systems on your local network to connect to the Tor network very easily by using the built-in SOCKS proxy. In this setup you can select which country you wish to use as an exit node. Meaning after routing traffic all over the world, the exit node for your network will reside in country X.
You may also run Tor as and internal member of the Tor network (relay), which supports the Tor network and makes it stronger and faster. To start a TOR relay you would need to check both Enable TOR & Enable TOR Relay, choose weather you want to run an Exit Node, Relay, Bridge or Private Bridge.
If you wish to safely contribute to the TOR network select Relay. I would be cautioned about running an exit node. Essentially anybody on the TOR network could be using your IP address for any purpose good or bad. As an exit node you allow your IP to be the address which conducts the final act for a TOR user in the chain of relays. Therefore your IP would be the target of suspicion if that act was considered illegal. An investigation could likely start with questioning you. In the worst situation, you could get a visit from state actors. In the least worst situation as an exit node, your IP could get blacklisted.
As an exit node, it would be important to use a real email address in the contact info in this add-on. This lets everyone know you are a visible TOR exit node and you could be contacted if needed. If you want to contribute to the TOR network and not have to deal with the risks, a relay is the safest option. Further reading on this plugin, see the IPFire Tor add-on pages, and IPFire’s TOR specific plugin page.
Blocking Hosts with IPFire
To begin blocking hosts with IPFire, go to Network–>Edit Hosts. Here you can easily start entering hosts to block. Perhaps you are familiar with Windows 10
spying and all its “Telemetry” data it sends back. Instead of trying to stop this data being sent on every single computer, you can easily stop your entire network of multiple Windows 10 PC’s from sending telemetry data right at the IPFire gateway. You can download our list of Windows 10 hosts to block here.
Inputting the hosts file data to be blocked in IPFire is simple. The following image shows you the proper steps to add the hosts: