The firewall options page provides an easy way to modify different firewall options in a graphical way or to adjust the logging characteristics on multiple network packets. One of the most important point is to take control on the policy and the default behavior of the forward and outgoing firewall.


This part has been moved to Masquerading/NAT.


This section allows you to individualize the logging output of dropped network packets by your firewall.

Log dropped new not SYN packets

When a system is connected to the internet with a dynamic IP and the used address has been changed, you may receive traffic which was addressed to the former owner of this address. This could happen because in some cases the sender didn't get informed that the address of his recipient has been changed and network packets of established connections will be sent to you. Also, sometimes attackers try to bypass very poorly written firewalls by arbitrarily emitting packets without the SYN flag. IPFire will mark them as new but without a known connection. They will be dropped and logged by the firewall as "new not SYN" packets which will show in the Logs as DROP_NEWNOTSYN records

Log dropped packets classified as INVALID by connection tracking

In addition to the "new not SYN" check, IPFire tracks the flow of established connections by using conntrack, to ensure attackers cannot inject their own packets into the network, even if they managed to bypass "new not SYN". Also, some protocols establish connections related to others, which look like new ones to cheap packet filters, but are actually part of an established network communication.

conntrack flags packets not belonging to any already established connection as being INVALID, and drops them. This option allows you to toggle logging for such packets. They will have the DROP_CTINVALID logging prefix.

Log dropped input packets

Packets which have been dropped by the firewall input chain get logged. With this feature you can switch on/off the logging of them.

Log dropped forward packets

Like to the option above, but the logging of dropped forward packets can be adjusted.

Log dropped outgoing packets

Similar than input packets. The logging of dropped outgoing packets can be changed.

Log dropped portscan packets

This option can be used to disable the logging of all dropped packets which have been recognized to be potential bad TCP traffic, such as being poorly syntactically invalid. Port scanners usually emit such packets.

Log dropped wireless input packets

This function allows you to disable the logging when traffic of unauthorized clients on the blue network zone got dropped.

Log dropped wireless forward packets

By using this option, the logging of dropped network packets from the blue to the green or orange zone can be disabled or re-enabled.

Log dropped spoofed packets and martians

This option allows you to enable or disable logging of packets being detected as a network spoofing attempt, or arriving on interfaces IPFire knows they cannot legitimately arrive on.

Firewall options for RED and BLUE interface

Part of this section only will be displayed after a blue network zone has been installed and configured. It can be used to change the firewall characteristics on this network zone for different known cases.

Drop packets from and to hostile networks

Enabling this option will cause any network traffic from or to an IP address being flagged as hostile to be dropped and logged. The list of IP networks being affected by this primarily comes from Spamhaus DROP, defining "hostile networks" as "netblocks that are "hijacked" or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, botnet controllers)". The rationale behind this is to provide IPFire uses with a basic protection against the "baddest of the bad" areas of the internet, being enabled by default.

IPFire distributes these list via the IPFire Location database, and uses the special country code XD in the web interface for them. It is also possible to create firewall rules using this country code, but not necessary if this option is enabled.

This option applies to the red interface only, and it is highly recommended not to disable it.

Drop all packets not addressed to proxy

When using this option, all network packets which are not designated for the web-proxy-server will become dropped. This option applies to the blue interface only.

Drop all Microsoft ports

This feature can be used to prevent clients on the blue zone from using Microsoft related services like SMB file shares or printing service. All requests to the network ports 135,137,138,139,445 and 1025 will be dropped. This option applies to the blue interface only.

Firewall settings

This sub-section offers the ability to customize the look and feel of some elements on the firewall rules and creation page.

Show colors in ruletable

When enabling this option coloured borders on all existing rules will be displayed. This feature can provide you a better overview of your ruleset.

Show colors in ruletable = off Show colors in ruletable = on (default)

Show remarks in ruletable

This option is used to hide all created remarks on the firewall rules page.

Show remarks in ruletable = off Show remarks in ruletable = on

Show empty ruletables

The corresponding ruletables are hidden unless at least one rule has been created. When enabling this option the empty tables also get displayed on the firewall rules page.

Show empty ruletables = off (default) Show empty ruletables = on

Show all networks on rule creation site

Various elements are hidden if they are not used like VPN zones or host/service groups on the page where new firewall rules can be created. This option can be used to display them anyway.

Show all networks on rule creation site = off (default) Show all networks on rule creation site = on

Firewall policy & default behaviour

Detailed information about this very important tasks can be found here.