IPFire: An Open Source Firewall Distribution

IPFire was designed with both modularity and a high level of flexibility in mind. You can easily deploy many variations of it, such as a firewall, a proxy server or a VPN gateway. The modular design ensures that it runs exactly what you've configured it for and nothing more. Everything is simple to manage and update through the package manager, making maintenance a breeze.

The IPFire development team understands that security means different things to different people and certainly can change over time. The fact that IPFire is modular and flexible makes it perfect for integrating into any existing security architecture. Don't forget that ease of use is a key principle. If all this sounds a little too much for you, IPFire comes with great default settings out of the box, meaning it's a snap to get going quickly!

The links above lead to the individual feature pages, which we encourage you to click through. Please take a look at all of the features and possibilities which IPFire offers for your network.

Security

The primary objective of IPFire is security. As there is of course no one, single way to achieve network security, it is important for a network administrator to understand their environment and what the term security means in the context of their own network.

IPFire forms the base of a secure network. It has the power to segment networks based on their respective security levels and makes it easy to create custom policies that manage each segment (see the Firewall section for more information).

Security of the modular components is a top priority. Updates are digitally signed and encrypted, and can be installed automatically by Pakfire (the IPFire package management system). Since IPFire is typically directly connected to the Internet, it is going to be a primary target for hackers and other threats.
The simple Pakfire package manager helps administrators feel confident that they are running the latest security updates and bug fixes for all of the components they utilize.

IPFire 2.15 - Core Update 77

Since IPFire 2.15 (http://planet.ipfire.org/post/feature-highlights-ipfire-2-15-1-hardening-the-system), the IPFire Linux kernel is patched with the grsecurity (http://grsecurity.net) patchset, which pro-actively hardens the kernel against various forms of attacks. Most importantly, it protects from zero-day exploits by eliminating entire bug classes and exploit vectors. It makes stack buffer overflows almost impossible to exploit and comes with strict access controls that make it harder for attackers to cause harm to the system.

Firewall

IPFire employs a Stateful Packet Inspection (SPI) firewall, which is built on top of netfilter (the Linux packet filtering framework). During the installation of IPFire, the network is configured into different, separate segments. This segmented security scheme means that there is a perfect place for each machine in the network. These different segments may be enabled separately, depending on your requirements. Each segment represents a group of computers that share a common security level:

Green: Green represents a "safe" area. This is where all regular clients will reside. It is usually comprised of a wired, local network. Clients on Green can access all other network segments without restriction.

Red: Red indicates "danger" or the connection to the Internet. Nothing from Red is permitted to pass through the firewall unless specifically configured by the administrator.

Blue: Blue represents the "wireless" part of the local network (chosen because it's the color of the sky).
Since the wireless network has the potential for abuse, it is uniquely identified and specific rules govern clients on it. Clients on this network segment must be explicitly allowed before they may access the network.

Orange: Orange is referred to as the "demilitarized zone" (DMZ). Any servers which are publicly accessible are separated from the rest of the network here to limit security breaches.

IPFire 2.15 - Core Update 77

With IPFire 2.15, the graphical user interface has been completely rewritten and massively extended with new functionality. It is now possible to manage groups of hosts or services. That makes it simpler to create many similar rules for a great number of hosts, networks or services. Managing firewall rules has never been easier, because even with a big number of rules the configuration remains easily manageable, and that makes it possible to build more restrictive configurations without losing control.

Additionally, the firewall can be used to control outbound Internet access from any segment. This feature gives the network administrator complete control over how their network is configured and secured.
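To make the zone model concrete, here is an added Python example (not IPFire code) that runs constructed sample packets against the Green/Red/Blue/Orange defaults described above, with administrator rules on top and a connection table for the stateful part. The rule format, class names, sample addresses, and the assumption that Orange and explicitly allowed Blue clients may by default only initiate connections towards Red are this example's own choices.

```python
# Toy model of the zone-based stateful packet filter described above (added
# example, not IPFire code). Zone defaults follow the text; the rule format,
# names, and the assumption that Orange and allowed Blue clients may only
# initiate towards Red by default are this example's own choices.
from dataclasses import dataclass, field

GREEN, RED, BLUE, ORANGE = "green", "red", "blue", "orange"


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src: str
    sport: int
    dst_zone: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class ZoneFirewall:
    # Administrator rules keyed by (src_zone, dst_zone, dport); dport None means
    # any port; value "allow" or "deny". They override the zone defaults.
    rules: dict = field(default_factory=dict)
    # Blue clients must be explicitly allowed before they may use the network.
    blue_allowed: set = field(default_factory=set)
    # Connection table for stateful inspection: 5-tuples of accepted first packets.
    conntrack: set = field(default_factory=set)

    def _explicit(self, pkt: Packet) -> str:
        for key in ((pkt.src_zone, pkt.dst_zone, pkt.dport),
                    (pkt.src_zone, pkt.dst_zone, None)):
            if key in self.rules:
                return self.rules[key]
        return ""

    def _default(self, pkt: Packet) -> str:
        if pkt.src_zone == GREEN:
            return "allow"  # Green reaches every other segment without restriction
        if pkt.src_zone == RED:
            return "deny"   # nothing from the Internet unless explicitly configured
        if pkt.src_zone == BLUE and pkt.src not in self.blue_allowed:
            return "deny"   # wireless client not yet allowed by the administrator
        if pkt.src_zone in (BLUE, ORANGE):
            return "allow" if pkt.dst_zone == RED else "deny"  # assumption (see above)
        return "deny"

    def evaluate(self, pkt: Packet) -> str:
        # Stateful part: a reply to a connection already accepted passes regardless
        # of zone, which is what SPI adds over a plain per-packet filter.
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "allow"
        verdict = self._explicit(pkt) or self._default(pkt)
        if verdict == "allow":
            self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict


def demo() -> dict:
    """Run constructed sample packets through the model and return the verdicts."""
    fw = ZoneFirewall(
        rules={(RED, ORANGE, 443): "allow",   # publish the DMZ web server
               (GREEN, RED, 25): "deny"},     # outbound control: no SMTP from Green
        blue_allowed={"10.0.2.20"},
    )
    return {
        "green_to_internet": fw.evaluate(Packet(GREEN, "10.0.1.5", 40000, RED, "203.0.113.9", 443)),
        "internet_reply": fw.evaluate(Packet(RED, "203.0.113.9", 443, GREEN, "10.0.1.5", 40000)),
        "internet_to_green": fw.evaluate(Packet(RED, "198.51.100.7", 5555, GREEN, "10.0.1.5", 22)),
        "internet_to_dmz_web": fw.evaluate(Packet(RED, "198.51.100.7", 5555, ORANGE, "10.0.3.10", 443)),
        "dmz_to_green": fw.evaluate(Packet(ORANGE, "10.0.3.10", 5000, GREEN, "10.0.1.5", 445)),
        "blue_unknown_client": fw.evaluate(Packet(BLUE, "10.0.2.99", 5000, RED, "203.0.113.9", 80)),
        "blue_allowed_client": fw.evaluate(Packet(BLUE, "10.0.2.20", 5000, RED, "203.0.113.9", 80)),
        "green_smtp_blocked": fw.evaluate(Packet(GREEN, "10.0.1.5", 40001, RED, "203.0.113.25", 25)),
    }
```

The "internet_reply" packet is accepted only because the Green client's outbound request was recorded first; the same packet against a fresh ZoneFirewall is dropped by the Red default.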
Firewall documentation: http://wiki.ipfire.org/en/configuration/firewall/start

Pakfire: The IPFire package management system

From a technical point of view, IPFire is a minimalistic, hardened firewall system which comes with an integrated package manager called Pakfire. The primary task of Pakfire is to update the system with only a single click. It is very easy to install security patches, bugfixes and feature enhancements (/features/updates), which make IPFire safer and faster - or simply: better.

Another task of Pakfire is to install additional software that adds new functionality to the IPFire system. Some useful examples are:

- File sharing services such as Samba and vsftpd
- Communications server using Asterisk
- Various command-line tools such as tcpdump, nmap, traceroute and many more

Pakfire as a build system

The next major release of IPFire will also ship a new generation of the Pakfire package management system. This new generation has been made faster, more secure and easier to handle, and adds a whole bunch of new features. One of these features is that Pakfire is now the build system as well. Having a customized build system for the needs of IPFire and the IPFire developers has improved the development process very much.
Building new packages became a lot easier and less time-consuming. Quality assurance has become more social as well. Check it out at pakfire.ipfire.org (http://pakfire.ipfire.org/).

Updates

IPFire is based on Linux, which is the best Open Source kernel around. Additionally, IPFire is not based on any other distribution like Knoppix is on Debian. It is compiled from the sources of every single package. This consumes a lot of work, but finally gives the opportunity to not rely on the update cycles of others. The advantage we gain is that we are able to select very stable versions of software and build the distribution from them. For example, the largest part of the distribution is quite well tested and long maintained - in contrast to the kernel, which is very recent and regularly updated with patches to support as much hardware as possible and, more importantly, to fix security errors. This is what makes IPFire a very strong and hardened system.

To keep up that strength and be prepared for new hardware (/features/hardware), we put out the so-called Core Updates, which are issued about every four weeks and bundle the collected fixes. If there is a security emergency, we provide updates in less than a day to close zero-day holes in the system. All of the updates can be installed by the package management system (/features/pakfire) and users are notified by mail. So in all cases, the update is just a simple click and your system is running safely again.

Dialup

IPFire as an Internet gateway is able to dial up through various techniques to connect to the Internet.
It supports all popular types of broadband access, as well as mobile access:

VDSL: VDSL is short for Very High Data Rate Digital Subscriber Line and it currently offers bandwidth up to 50 Mbit/s downstream and 10 Mbit/s upstream. VDSL brings the possibility of using new technologies such as IPTV. With IPFire, a conventional router can be replaced by a full-fledged system that brings the IPTV stream into your own home network.

ADSL/SDSL: Conventional DSL is also supported, although it is technically called PPPoE or PPPoA. In some countries, the PPTP protocol is also widely used, and it is fully supported by IPFire as well.

Ethernet: Over Ethernet, IPFire can also be connected to the Internet and obtain an IP address either via DHCP or static configuration.

4G/3G: Mobile broadband connections over USB modems, which are also known by the names UMTS, 3G, CDMA, HSDPA or LTE, are also supported by IPFire.

Web proxy

IPFire includes a full-fledged web proxy, which is the well-known, open-source software Squid. It is used by ISPs, universities, schools and large companies because of its versatility, stability and mature development. Even for small home networks, it is a useful feature. In addition to the stateful packet inspection (SPI) filtering by the firewall on the TCP/IP layer, the web content which is transmitted over HTTP, HTTPS or FTP can be analyzed and filtered as well.

Security: The client does not query web servers directly; it queries the proxy first. The server response goes back to the proxy and not to the client, which technically does not even appear on the Internet. A related attack would therefore primarily reach the proxy and not the client. There are also functions available for data privacy, which is a significant advantage in comparison to a pure NAT router.
Authentication: Using the access lists, the web proxy can also be configured to allow access only after a user has been authenticated. At this point you have the choice between LDAP, identd, Windows, RADIUS or local authentication methods. The web proxy can connect, for example, to a Microsoft Windows domain controller so that only the users of that Windows domain can be granted access to the Internet.

Authorization: If Internet access needs to be limited to specific times of day, or if it should even be completely disabled for some clients, this is easily configured by the network-based access control, which can also be found on the IPFire web interface. A useful application for this feature can be, for example, a school classroom.

Logging: Since each access can be logged by the proxy, the possibilities for examination of the accessed content can be very useful, and statistics and bills can be issued afterwards. Through the use of a logfile analyzer named Calamaris, log files can be charted by varying criteria on the IPFire web interface.

Bandwidth management: The download management function allows for control of the bandwidth to specified zones. Thus, content-based throttling (for example for binary files, CD images or multimedia content) is configurable with bandwidth limitations for individual zones or for each host in a particular zone.

Content filter

SquidGuard is a URL filter add-on which is connected via the redirector mechanism of the proxy. The heart of SquidGuard is something called a "blacklist". This is a content control list created by the official site. These lists contain a number of categorically classified websites and can be kept up to date automatically.
There are different, independent sources for pre-built blacklists available, which allow, among other classes, filtering for adult content, shopping, warez, social networking, or sites containing violent/abusive content. Individual extensions for particular domains or URLs can be set up on the IPFire web interface for blacklists and whitelists as well. IPFire also offers a blacklist editor that makes editing and creating your own blacklists quite easy.

Possible areas of application for SquidGuard on IPFire are:

- Blocking or restricting Internet content conditionally by time, user and/or computer
- Preventing access to certain (e.g. youth-endangering) pages and content categories
- Hiding advertising

Update accelerator

The Update Accelerator is a feature that can greatly accelerate deploying updates for operating systems. All downloaded updates are cached and, if requested another time, are delivered from the cache. For example, Service Packs for Microsoft Windows (which often are several hundred megabytes) are cached for future retrieval, as well as virus scanner definition updates and other product updates which the system automatically identifies. This saves a massive amount of time when updating large numbers of computers (such as in corporate networks).

Transparent virus scanner

The package manager Pakfire offers the add-on SquidClamAV, a virus scanner for the web proxy. It checks all web traffic for viruses in real time, utilizing the ClamAV virus definitions and scanning engine. The additional protection over a conventional virus scanner lies in the fact that files are transparently checked before they ever make it to the client machine, i.e. before the client machine's own virus scan can be performed. So potentially malicious files are blocked by SquidClamAV before the client's actual download.
Cryptography

Cryptography is one of the foundations for various services like VPNs and secure communication on the Internet. Therefore, IPFire puts an emphasis on this topic.

Hardware Acceleration (IPFire 2.15 - Core Update 77)

IPFire can use various crypto processors like those found in AMD Geode CPUs, the VIA PadLock, or CPU extensions like AES-NI of recent Intel and AMD CPUs. These help us to achieve much better throughput wherever data is sent through an encrypted tunnel. List of supported crypto hardware: http://wiki.ipfire.org/en/cryptography/hardware

Random Number Generators (IPFire 2.15 - Core Update 77)

IPFire is also able to use various hardware random number generators to seed the kernel's entropy pool. That entropy is needed to generate secure keys and speeds up cryptographic operations as well. List of supported hardware random number generators: http://wiki.ipfire.org/en/cryptography/entropy

VPN: Virtual Private Networks

IPFire also includes functionality to create virtual private networks (VPN). A VPN is a gateway which connects remote networks to the local one using an encrypted link. Uses for a VPN include business connections to branch offices or datacenters, as well as providing traveling staff with a secure portal to the corporate network. IPFire supports both the IPsec and OpenVPN protocols, giving administrators maximum flexibility when configuring their VPN. Use of these protocols allows IPFire to connect to a variety of VPN endpoint devices by manufacturers such as Cisco, Juniper, Checkpoint, etc.

IPsec

IPsec is a widely deployed VPN solution that was originally developed to be used in conjunction with IPv6. Because it was so secure and IPv6 was so slowly deployed, it was backported to secure IPv4 traffic as well. In contrast to SSL VPNs, IPsec is hard to set up.
In IPFire, we thought about how to make this technology easy to use, and as a result there is a web user interface that handles all settings and takes care of the rest of the configuration for you. It also keeps the tunnels alive and re-establishes them automatically after a remote site has lost the connection. A secure connection to a branch office, a business partner, or a home office is done within a couple of minutes and is compatible with all other implementations. This high level of compatibility is achieved by using the free implementation called strongSwan (http://www.strongswan.org). It is maintained by Andreas Steffen, who is a professor for security in communications and head of the Institute for Internet Technologies and Applications at the University of Applied Sciences Rapperswil, in Switzerland. strongSwan also works with all current, major operating systems, such as Microsoft Windows 7, Microsoft Windows Vista and Mac OS X.

OpenVPN

OpenVPN is a frequently encountered and the most popular representative of the class of Open Source SSL VPNs. Its relative ease of configuration has been made easier still by the IPFire web interface. The firewall settings are controlled by IPFire automatically, and the required certificates are generated with a few mouse clicks and can be downloaded and distributed as a very compact client package. Due to its high compatibility with all sorts of operating systems, such as Microsoft Windows, Mac OS X, Linux, Android and many more, it is perfectly useful for roadwarrior connections. With those, it is easy to connect your laptop, phone, tablet or other devices to your company network, which makes it easy to work from anywhere in the world. But besides connecting portable devices, OpenVPN can also be used to securely connect branches to the headquarters.
This makes it easy to access resources on other networks remotely without any complicated configuration on each client on your local network.

Intrusion detection system

An Intrusion Detection System (or IDS) is a piece of software designed to detect attacks against computer systems and networks. To do so, the IDS analyzes the network traffic and searches for attack patterns. If someone scans the ports of the IPFire system to see which services are available, the IDS will immediately notice it.

An Intrusion Prevention System (or IPS), in addition to the detection system, will perform actions. The IPS gets the information from the IDS and reacts accordingly. That means, recalling the example above with the port scan, the system would automatically block the attacker immediately in order to prevent further inquiries.

It is possible to use IDS and IPS on the IPFire system. We call this system "Intrusion Detection and Prevention System" (or IDPS). A very important component of this system is Snort, the free Network Intrusion Detection System (NIDS). It analyzes the network traffic and if something abnormal happens, it will log the event. IPFire gives you the possibility to see it very explicitly in the web interface. For automatic prevention, IPFire has an add-on called Guardian which can be installed optionally.

An IDPS is a wise addition to the normal packet filter. It makes intelligent decisions about incoming and outgoing network traffic and how to deal with it.

Quality of Service

Quality of Service (QoS) is able to preserve the quality of a service on one Internet connection. This means that on a highly utilized Internet connection, a service (for example VoIP) gets a stable share of bandwidth, to transfer the information without delay and without loss.
This is at the expense of the other data flows on the line, which is tolerated, albeit they are transmitted more slowly (such as a file upload to an FTP server). QoS does not only increase the functionality of real-time services, but also offers a little bit of overall improvement. For example:

- Connections establish much faster. This works very well on busy links.
- Connections are much more stable.
- Every service gets a minimum, guaranteed amount of bandwidth.

For the classification of the packets, a Level-7 filter is used. It analyses the content, as well as the source ports/IPs and destination ports/IPs of the packets. With that analysis, it will decide if it's a long download or a real-time protocol and then subsequently determines the optimal use of the connection. To put it all in a nutshell, QoS reduces the latency and packet loss of an Internet connection. This is certainly a function that you don't want to miss where bandwidth is limited.

Hardware

Since IPFire is based on a recent version of the Linux kernel, it supports most of the latest hardware such as 10Gbit network cards and a variety of wireless hardware out of the box. The IPFire developers are very concerned with the ability to run IPFire on as many system variations as possible. This helps IPFire to run on older or cheap hardware, as well as high-performance systems. Minimum system requirements are an Intel Pentium I (i586), 128MB RAM and 2GB hard drive space. Some add-ons have extra requirements to perform smoothly. On a system that fits the hardware requirements, IPFire is able to serve hundreds of clients simultaneously.

Heads up: More architectures in development! The IPFire project is always interested in creating systems which save the environment. The ARM architecture consumes much less power and certainly has a lot of potential.
Virtualization

IPFire brings many front-end drivers for high-performance virtualization and can be run as a virtual guest operating system on the following virtualization platforms. It has also been optimized for some of the most widely distributed ones to bring the best possible performance without impacting the hardware very much.

Supported hypervisors

KVM: KVM (http://www.linux-kvm.org) is short for Kernel-based Virtual Machine and is developed by Red Hat Inc. (http://www.redhat.com). It is becoming the most advanced hypervisor and is succeeding Xen, which has been used so far. IPFire comes with the virtio kernel modules, which have the best performance due to very little virtualization overhead.

VMware: IPFire runs on different VMware products like vSphere, ESXi and VMware Workstation. The additional package open-vm-tools offers tools for a better integration.

Xen: Xen has until recently been the de-facto Open Source hypervisor but is now succeeded by KVM. IPFire can optionally be run with a paravirtualized kernel, which has very little virtualization overhead as well. To make the installation very easy, a pre-generated Xen image can be downloaded from the download page.

Others: IPFire is not limited to the hypervisors described above. It runs perfectly on QEMU, Microsoft Hyper-V or Oracle VirtualBox, too.

A note on virtualization

Virtualization does have advantages, but it is not without disadvantages. There is always the possibility that the VM container security can be bypassed in some way and a hacker can gain access beyond the VM. Because of this, it is not suggested to use IPFire as a virtual machine in a production-level environment.
Wireless Access Point

IPFire offers several options for the integration of wireless clients. First, an access point can be connected via a LAN card. In this scenario, IPFire offers MAC/IP address filtering to allow only authorized clients. The clients are allowed by default to access the Internet, but they are not allowed to access the local LAN.

The second option is to install a wireless LAN (WLAN) card in the IPFire machine that takes over the functionality of the access point, using the add-on "hostapd". This add-on supports both unencrypted and WPA/WPA2-encrypted connections. The use of 5 GHz (802.11a standard) is also possible if the wireless card supports it.

Wireless card support in IPFire is excellent. The drivers in the stable kernel are very up to date and IPFire therefore supports a significant number of WLAN cards.

Press (/press) | Imprint (http://www.ipfire.org/imprint) | 2014 - IPFire is free software