Maximum PC

PROTECT YOURSELF

Build a dedicated firewall with IPFire

–ALEX COX

DEDICATED HARDWARE: You need a machine with at least two Ethernet connections.

ALL TOO OFTEN, we take our network security for granted. But leaving the integrity of your Internet connection to your router is tantamount to madness. That’s a device most likely selected by your ISP, a company probably not noted for its scruples, to hit the lowest possible price point. It’s mass-market hardware, probably not updated in eons, with the associated vulnerabilities and bugs of a machine that’s been hammered to death by all the port scans and hacker malice in the world. The good news is that installing a pro-level network appliance on your network is not even slightly difficult; Linux distro IPFire can perform the task very well, as long as you have the requisite hardware. It’s not looking for much in terms of specs—an original Pentium will suffice—but you need at least two Ethernet ports. A cheap USB Ethernet dongle should work as an extra port, or at least it did for us.

1 GATHER MATERIALS

What exactly are we doing here? We’re building a network appliance, which is a piece of hardware that sits on your network and performs specific tasks; your existing router, for example, could be considered a network appliance. An IPFire box doesn’t have just one job, though. It’s a firewall first and foremost, but we can make it do much more, such as managing DNS and DHCP for our network. To put it in place, you need to have a dedicated PC, cabled between your Internet connection and the rest of the devices on your network. You don’t need a mouse or keyboard once it’s all sorted, but in order to hook it all up you need at least two Ethernet cables, a machine with two Ethernet ports, and the appropriate version of the IPFire distribution from www.ipfire.org.

Make sure you expand the download options [Image A] on the site, as we’re going to suggest you install this on a USB stick (so grab the disk image version rather than the ISO installer), and if you’re running on older hardware (we’re firing ours up on a 10-year-old Intel Atom netbook), you may need the 586 or ARM versions, rather than the x64 that’s offered up by default. Note that a properly configured pair of VirtualBox virtual machines is adequate for testing IPFire if you don’t yet have the requisite hardware; we’ll leave that particular configuration as a task for you.

2 GET INSTALLED

Installing IPFire is easier than it might look. Extract the gzipped .img.gz file using something like 7-Zip or WinRAR, then write the resulting .img file to a USB drive or SD card using Win32DiskImager (https://sourceforge.net/projects/win32diskimager), ensuring you write to the correct removable device. It’s not a tremendously difficult process, and since IPFire generally runs itself from a RAM disk, there’s no need to worry about heavy writes being made to solid-state media. Nonetheless, if you’d rather install IPFire directly, you can do so using the ISO image instead. Boot from whatever media IPFire is installed on, and we can begin initial configuration. Select your keyboard, select your timezone, and either give the machine a hostname or stick with the default. You also have to supply a domain name; if you’re already running a domain on your network, make sure you input the same name here—running IPFire on a separate domain wouldn’t make an awful lot of sense. Now input a root password (and make it a good one, because IPFire is supposed to be your main line of defense), and add a password for the admin user, which has rights to use its web interface, too.

3 NETWORK SETUP

Configuring IPFire’s initial network options [Image B] is, frankly, a little intimidating, but there’s no need to worry. Pick “Green + Red” under the “Network configuration type” menu (see “Zoning restrictions” on the right to find out what the different colors mean), and use the “Drivers and card assignments” menu to assign one of your Ethernet ports to the red Internet zone, and the other to your green zone, the home of your local network. If you have an identical pair of cards, just choose either one, and be prepared to swap cables between ports if IPFire appears not to work. Head over to the “Address settings” menu, and give the Ethernet adapter connected to your green zone an IP from the local range—we’d go for something along the lines of 192.168.1.1, but the likes of 10.x.x.x and 172.16.x.x are similarly valid. This address is where you’ll later access IPFire’s web interface, so make a note of it. For your red interface, we’re going to presume you’re using a broadband connection with a modem that doesn’t require any special credentials for access. In this case, just select “DHCP” [Image C], and IPFire takes care of the rest. Lastly, it’s time to configure “DNS and gateway settings.” Inserting a public DNS server here is optional, but could mean an extra layer of integrity for your connection, and the DHCP server determines which addresses are made available to devices on your network.
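The green-zone settings above (the box’s own address, the DHCP pool it hands out, and the DNS it advertises) have to agree with each other, and the web interface does not check that for you. The following is an added example, not part of this article or of IPFire itself: a small Python validator that takes those settings as a plain dictionary (the key names are our own assumption, not IPFire’s configuration format) and reports the inconsistencies that most often cause a fresh install to “not work” at all.

```python
import ipaddress

# Constructed sample of the green-zone settings described in step 3.
# The dictionary layout is an assumption for this example; IPFire keeps
# these values in its web interface, not in this form.
GREEN = {
    "address": "192.168.1.1",        # the IPFire box on the green zone
    "netmask": "255.255.255.0",
    "dhcp_start": "192.168.1.100",   # dynamic pool handed to clients
    "dhcp_end": "192.168.1.200",
    "dhcp_dns": "192.168.1.1",       # primary DNS advertised by DHCP
}


def check_green_zone(cfg):
    """Return a list of problems with a green-zone config; [] means consistent."""
    problems = []
    iface = ipaddress.ip_interface(f"{cfg['address']}/{cfg['netmask']}")
    net = iface.network

    # Step 3 suggests 192.168.x.x, 10.x.x.x or 172.16.x.x: all private ranges.
    if not iface.ip.is_private:
        problems.append(f"{iface.ip} is not in a private (RFC 1918) range")

    # The box must not sit on the subnet's network or broadcast address.
    if net.num_addresses > 2 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append("green address is the network or broadcast address")

    start = ipaddress.ip_address(cfg["dhcp_start"])
    end = ipaddress.ip_address(cfg["dhcp_end"])
    if start not in net or end not in net:
        problems.append("DHCP range is not inside the green subnet")
    if start > end:
        problems.append("DHCP range start is after its end")
    if start <= iface.ip <= end:
        problems.append("DHCP range includes the IPFire box's own address")

    # "Make sure your IPFire box is set as the primary DNS."
    if ipaddress.ip_address(cfg["dhcp_dns"]) != iface.ip:
        problems.append("DHCP clients are not handed IPFire as primary DNS")
    return problems


def check_fixed_leases(cfg, leases):
    """Report fixed-lease addresses (step 5) that are outside the green subnet."""
    net = ipaddress.ip_interface(f"{cfg['address']}/{cfg['netmask']}").network
    return [ip for ip in leases if ipaddress.ip_address(ip) not in net]


if __name__ == "__main__":
    for p in check_green_zone(GREEN) or ["green zone looks consistent"]:
        print(p)
    # Constructed fixed leases: one belongs to a different subnet by mistake.
    print("leases off-subnet:", check_fixed_leases(GREEN, ["192.168.1.10", "192.168.2.10"]))
```

Run it before you plug the box in: a pool on the wrong subnet or a DNS setting that still points at the old router are exactly the mistakes that produce “no Internet” on every client while IPFire itself looks healthy.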
Make sure your IPFire box is set as the primary DNS, and that everything is running on the same subnet.

4 HARD FACTS

We’re ready to go, right? Not quite. Make sure, if you’re attaching IPFire to a combined modem-router, that it’s running in router-only mode, because having wireless access before your IPFire installation completely bypasses it, and defeats the object somewhat. Similarly, disable DHCP on any wireless routers you may be inserting into the green zone (we want IPFire to dole out the addresses). And here’s a trick that we didn’t learn until banging our heads against it for some hours: Don’t plug your green zone port into the “Internet” port of your wireless router. Plug it into one of the other ports instead. The router might complain about not being able to connect to the Internet but, in our experience, if it’s only being used to generate wireless connections, that doesn’t matter in the slightest.

5 FRONT END

All being well, IPFire should now be up and running. Give everything a reboot (modem, IPFire box, and any network hardware on the other end) just to make sure, then head over to IPFire’s web interface, which you’ll find either (by default) at https://ipfire.localdomain:444 or, substituting the IP address for the one you gave it earlier, at https://192.168.1.1:444. Log in with the username “admin” and the password you set earlier, and you can start poking around. Take your first look at the “DHCP server” page, in the “Network” section, to check that IPFire is serving up those internal IP addresses successfully—if everything’s working, you should see a table of IPs at the bottom of the page. By default, at least if you didn’t change the value during installation, each of these addresses is leased for a short amount of time; hitting the “Add” button next to a trusted device assigns it that IP address on a fixed basis [Image D]. Knowing exactly where something is can be particularly useful when it comes to troubleshooting your network later on, so it’s worth doing. Now, using the “Edit” pencil, you can also change the device’s label, if it’s not quite obvious enough.

6 BLOCKING OUT

IPFire’s place between your Internet connection and your network means it can do some pretty useful things. One of these is web filtering, enabling you to shield tiny eyes from the true horrors of the web. But before you can set that up, you need to enable IPFire’s proxy (“Network > Web Proxy”), which is its method of traffic interception.
Check the boxes for both “Enable” and “Transparent” on your green network, then check the “URL filter” option on the row below, before scrolling down, and clicking “Save and Restart.” Once the page has refreshed, head over to “Network > URL Filter.” In its most simple form, you can use the filter to block specific domains and addresses, by inputting them in the custom blacklist boxes, and checking the box below. Alternatively, if you really want to lock down the majority of your network, a whitelist of allowed sites might be more your style. If you earlier gave your main machine a fixed IP address, we recommend adding it to the “Unfiltered” section lower down, so at least one machine on the network maintains full Internet access. There’s a further option, too: grabbing a vast list of spurious sites from a pre-built blacklist. You can do this automatically through IPFire’s interface (see the “Automatic Blacklist Update” section), but we don’t recommend it unless you’re running on some muscular hardware—checking every little thing against a massive database can make web surfing miserably slow.

7 FIREFIGHTING

Of course, IPFire’s key feature is in its name: its detailed, hardcore firewall. Once you’ve had it up and running for a while, head over to “Logs > Firewall Logs” to see the kind of thing it’s catching in its default state. You’ll probably see a lot of “DROP_INPUT” entries, which are
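Reading those “DROP_INPUT” entries one at a time in the web interface gets old quickly; what a defender actually wants is a count of which ports are being knocked on and which sources keep coming back. As an added example, not from the article or from IPFire, here is a small Python summariser. It assumes the entries are in the standard iptables LOG format (a log prefix such as DROP_INPUT followed by space-separated KEY=VALUE fields), and the log lines it runs over are constructed for the example, using documentation-only IP addresses.

```python
import re
from collections import Counter

# Constructed sample lines in iptables LOG format (an assumption about how
# IPFire writes its firewall log). Addresses are documentation ranges.
SAMPLE_LOG = [
    "Mar 12 10:01:02 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54321 PROTO=TCP SPT=40123 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Mar 12 10:01:03 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54322 PROTO=TCP SPT=40124 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Mar 12 10:01:05 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.45 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=54323 PROTO=TCP SPT=40125 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Mar 12 10:02:10 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.200 DST=198.51.100.7 LEN=440 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=UDP SPT=5060 DPT=5060 LEN=420",
    "Mar 12 10:03:44 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=113 ID=777 DF PROTO=TCP SPT=61000 DPT=3389 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Mar 12 10:03:45 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=113 ID=778 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1",
    "Mar 12 10:05:00 ipfire dhcpd: DHCPACK on 192.168.1.101 to 00:11:22:33:44:55 via green0",
]

PREFIX = re.compile(r"kernel: (\w+) ")   # the iptables log prefix, e.g. DROP_INPUT
KV = re.compile(r"(\w+)=(\S*)")          # KEY=VALUE fields; empty values (OUT=) allowed


def parse_line(line):
    """Return a dict of fields for a firewall log line, or None for other syslog lines."""
    m = PREFIX.search(line)
    if m is None:
        return None
    rec = {"prefix": m.group(1)}
    rec.update(KV.findall(line[m.end():]))  # flags like SYN or DF have no '=' and are skipped
    return rec


def summarize(lines, repeat_threshold=3):
    """Count dropped packets per (prefix, protocol, destination port) and per source."""
    by_target, by_src = Counter(), Counter()
    parsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed += 1
        # ICMP has no port; record it as '-' so it still shows up in the table.
        by_target[(rec["prefix"], rec.get("PROTO", "?"), rec.get("DPT", "-"))] += 1
        by_src[rec.get("SRC", "?")] += 1
    noisy = sorted(src for src, n in by_src.items() if n >= repeat_threshold)
    return {"parsed": parsed, "by_target": by_target, "by_src": by_src, "noisy_sources": noisy}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"{report['parsed']} firewall entries")
    for (prefix, proto, dport), n in report["by_target"].most_common():
        print(f"{prefix:12} {proto:5} dpt={dport:6} {n}")
    print("sources seen", 3, "or more times:", report["noisy_sources"])
```

The background noise the article describes (telnet, SSH, SMB and RDP probes against the red interface) is what the dropped-port table makes visible; a single source that accounts for several different ports within seconds is the usual signature of a scan, and the `noisy_sources` list is a reasonable starting point for an IPFire firewall rule or for simply confirming that nothing on the green side answered.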
