On this page, you will find a detailed description of all options and inputs on the rule creation page. It should help you decide what information to enter in each field when creating firewall rules.

If you want to quickly create a port forwarding, Blue to Green pinhole, DMZ pinhole or Source NAT rule, please have a look at the short guides.

Source & Destination

Understanding the difference between the source and the destination of a packet is mandatory for working with any kind of firewall. A packet traverses a path of multiple hosts on a network. The host where the packet is created and sent is called the source. The designated recipient is called the destination.
A reply packet traverses the network in the opposite direction. The former destination is now the source and the former source is now the destination.

In IPFire, you may create groups of hosts, networks and even VPN connections, which make it very easy to select multiple hosts on a network as source or destination at once.

It is possible to choose a country (or a group of countries) as a source or destination. This might be useful if you want to provide a service for a few countries only, which might limit your attack surface. Please read the Location Block article for more information on this technique.

When you create a new firewall rule, you have to be clear about which host(s) are the source and which are the destination. The page where you create rules is split into two sections: the first one for the source and the second one for the destination:

Source/Destination Address

The most common option is to use a single IP address to grant some host access to a certain service. Just type in a valid IP address, network or (in some cases) a MAC address. Valid options are:

  • 00:aa:bb:cc:dd:ee


When using firewall groups that contain MAC addresses, you can use them as source. When using them as target, only the IP addresses in the group are used for the rule, because MAC addresses cannot be used as target.

It is recommended to use the automatically generated templates whenever possible.

If you want to create a rule for one of the pre-defined networks (GREEN, BLUE, ORANGE, etc.), use the dropdown boxes. Doing it this way makes it much easier if your entire network changes address space.


The firewall dropdown menu allows an easy selection of the firewall's IP addresses. They can be selected to create rules which filter packets that are originating from or directly sent to the firewall system.

Standard Networks

With the help of this menu, the available network zones (GREEN, BLUE, ORANGE and more) can be selected to create rules that control packets from and to those networks.

The list may have varying entries, depending on which services and networks you use.


All hosts you have created in the firewall groups section can be picked from this list. This makes it very easy to change the IP address of a host without changing multiple firewall rules.

Network/Host Groups

This works essentially like the Hosts section, but you can select the created groups of hosts and/or networks here.

OpenVPN Networks/Clients/Net-to-Net

These three options only show up if you have one or more OpenVPN client or Net-to-Net connections. Pick one of the items in these lists to match all packets from and to these hosts/networks.

IPsec Networks

This works exactly like the OpenVPN Networks dropdown menu, except that you select one of your IPsec Net-to-Net connections here.


Network Address Translation (NAT) is the process of modifying IP address information in the IP packet header while in transit across different networks. In most cases NAT will be used to connect one or more networks to the Internet.

You may find detailed information about how NAT works in: Network Address Translation Reference

The "Use Network Address Translation (NAT)" checkbox needs to be checked to enable address translation for this rule. After doing that, you must decide which kind of NAT rule you want to create. DNAT rules (port forwarding) and SNAT rules (Source NAT) are supported.

There are quick start guides available for setting up port forwarding and for creating a Source NAT rule.


More detailed documentation about protocols in general, and about all supported ones, can be found here.

IPFire offers the ability to take control of a lot of different protocols. During rule creation you may select a specific protocol, a -Preset- for a known or custom-created service, or simply create a rule that affects All protocols.

If the TCP, UDP or ICMP protocol has been selected, some additional items will be displayed, which offer the ability to bind the rule to a single port number or port range, or to a specific type of ICMP traffic.

When creating NAT rules with the TCP or UDP protocol selected, yet another item will be displayed. It is used to specify the External Port which will be forwarded to a given port and host.

Rule action

Every network packet that passes through the chains of the firewall will match an existing rule. This could be a user-defined or pre-defined rule. It is essential for every firewall rule to have an action.

There are three possible actions:

  • ACCEPT - The network packet will be accepted and forwarded by the firewall.
  • DROP - Opposite of 'ACCEPT'; the network packet will be dropped directly.
  • REJECT - This has the same effect as 'DROP', but in addition the remote host will get an ICMP error message.

Additional Settings

This section lets you add a remark to a rule, configure its position in the firewall chain, enable or disable logging for it, or enable or disable the complete rule. As an optional feature, time constraints can be activated for the rule, which bind the complete rule to a specific period of time or moment.

Rule position

You may enter the position number at which the new rule will be inserted. As the firewall ruleset is evaluated from top to bottom, the order of the rules matters (read more in Rule Processing).

Otherwise, every newly created rule will be appended at the bottom.
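
Why the position matters, as an added example (a simplified model written for this page, not IPFire's own code): the first matching rule decides, so a pinhole appended below a broader blocking rule is never reached. The rule names, addresses, port and the default action for unmatched packets are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    src: str               # source network, CIDR notation
    dst: str               # destination network, CIDR notation
    proto: str             # "tcp", "udp", "icmp" or "all"
    dport: Optional[int]   # None means any port
    action: str            # ACCEPT, DROP or REJECT

def matches(r, src, dst, proto, dport):
    return (ip_address(src) in ip_network(r.src)
            and ip_address(dst) in ip_network(r.dst)
            and r.proto in ("all", proto)
            and r.dport in (None, dport))

def evaluate(rules, src, dst, proto, dport, default="DROP"):
    """Walk the ruleset top to bottom; the first matching rule decides.
    The default action for unmatched packets is an assumption."""
    for r in rules:
        if matches(r, src, dst, proto, dport):
            return r.name, r.action
    return None, default

def covers(a, b):
    """True if every packet that matches b also matches a."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and a.proto in ("all", b.proto)
            and a.dport in (None, b.dport))

def shadowed(rules):
    """(later, earlier) pairs where the later rule can never be reached."""
    return [(b.name, a.name) for i, b in enumerate(rules)
            for a in rules[:i] if covers(a, b)]

# Constructed ruleset: the pinhole was appended at the bottom (the default).
BLOCK = Rule("blue-to-green-block", "192.168.2.0/24", "192.168.1.0/24", "all", None, "DROP")
PINHOLE = Rule("printer-pinhole", "192.168.2.0/24", "192.168.1.50/32", "tcp", 9100, "ACCEPT")
APPENDED = [BLOCK, PINHOLE]
REPOSITIONED = [PINHOLE, BLOCK]   # pinhole entered at the top position instead

if __name__ == "__main__":
    pkt = ("192.168.2.10", "192.168.1.50", "tcp", 9100)
    for label, rs in (("appended", APPENDED), ("repositioned", REPOSITIONED)):
        print(label, evaluate(rs, *pkt), "shadowed:", shadowed(rs))
```

Running `shadowed()` over an exported ruleset is a quick way to find rules that were appended at the bottom and silently have no effect.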

Activate rule

This checkbox is only displayed while editing an existing firewall rule and can be unchecked to disable the rule.

Log rule

By default, custom-created firewall rules are not logged on IPFire. To debug your ruleset or to track the connections a rule affects, check this option during rule creation to enable logging for the firewall rule.

The recorded log entries can be accessed via the IPFire WUI on the "log -> Firewall Logs" tab or in the "/var/log/messages" file on your IPFire filesystem.
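
One way to summarize logged hits while debugging a ruleset, as an added example (not part of IPFire): it assumes the entries in /var/log/messages use the kernel's netfilter LOG key=value format. The sample lines are constructed and shortened, and the host name and the EXAMPLE_* log prefixes are made up.

```python
import re
from collections import Counter

# Constructed, shortened sample in netfilter LOG format. Host name, addresses
# and the EXAMPLE_* prefixes are made up for this illustration.
SAMPLE = """\
Jan 10 20:01:12 fw kernel: EXAMPLE_FWD IN=blue0 OUT=green0 SRC=192.168.2.10 DST=192.168.1.50 LEN=60 TTL=63 ID=4711 DF PROTO=TCP SPT=51514 DPT=9100 SYN URGP=0
Jan 10 20:01:13 fw kernel: EXAMPLE_FWD IN=blue0 OUT=green0 SRC=192.168.2.10 DST=192.168.1.50 LEN=60 TTL=63 ID=4712 DF PROTO=TCP SPT=51514 DPT=9100 SYN URGP=0
Jan 10 20:01:20 fw dhcpd: DHCPACK on 192.168.2.10 to 00:aa:bb:cc:dd:ee via blue0
Jan 10 20:02:05 fw kernel: EXAMPLE_IN IN=red0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=84 TTL=52 ID=99 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

# Optional "[seconds.micros]" kernel timestamp, then the log prefix, then fields.
ENTRY = re.compile(r"kernel: (?:\[[\d. ]+\] )?(?P<prefix>\S+) (?P<fields>IN=.*)$")

def parse(line):
    """Return a dict for a firewall log line, or None for any other line."""
    m = ENTRY.search(line)
    if m is None:
        return None
    entry = {"prefix": m["prefix"]}
    for token in m["fields"].split():
        key, sep, value = token.partition("=")
        entry[key] = value if sep else True   # bare tokens (SYN, DF) are flags
    return entry

def summarize(lines):
    """Count hits per (log prefix, source, protocol, destination port)."""
    hits = Counter()
    for entry in filter(None, map(parse, lines)):
        hits[(entry["prefix"], entry.get("SRC", "-"),
              entry.get("PROTO", "-"), entry.get("DPT", "-"))] += 1
    return hits

if __name__ == "__main__":
    for key, count in summarize(SAMPLE.splitlines()).most_common():
        print(count, *key)
```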


With the new option "Concurrent connections" you can limit the maximum number of concurrent connections for a specific rule, for example for a web server. Some attackers try to make a service unavailable by opening many concurrent connections.

Rate-Limit new Connections

With the option "Rate-Limit new connections", you are able to limit the number of connections that are established by a certain rule in a fixed amount of time.

This can be useful for dealing with SYN flood attacks, ping of death or port scanners, and simply protects services behind the firewall from denial-of-service.

Use time constraints

In order to use time constraints, the checkbox "Use time constraints" has to be selected.

Additional options will be displayed where you can select the day(s) and a time period. The created firewall rule only has an effect on the configured day(s) and the chosen time period.

Time constraints can be used for various purposes, for example to block or grant internet access in a defined time period of the day, restrict VPN client connections on the weekend, allow connections for scheduled maintenance tasks at night, etc.

Rules with time constraints configured apply only to new connections.
Example: if you are blocking Internet connections from 20:00 to 6:00, and you already have a connection established at 19:57, this connection will be allowed until it is closed. Any new connection after 20:00 will be dropped.
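
The 20:00 to 6:00 example above as a small simulation (an added example, not IPFire's own code): it models a blocking rule whose time window spans midnight and that is only checked for new connections. The connection names and dates are constructed, and it assumes traffic that does not match the blocking rule is allowed.

```python
from datetime import datetime, time

def in_window(now, start, stop):
    """True if now is inside the window; start > stop means it spans midnight."""
    if start <= stop:
        return start <= now < stop
    return now >= start or now < stop

class TimedBlock:
    """A blocking rule with a time constraint, checked for new connections only.
    The set below stands in for the firewall's connection tracking table."""

    def __init__(self, start, stop):
        self.start, self.stop = start, stop
        self.established = set()

    def packet(self, conn, when):
        if conn in self.established:
            return "ACCEPT"               # existing connection, rule not consulted
        if in_window(when.time(), self.start, self.stop):
            return "DROP"                 # new connection inside the window
        self.established.add(conn)        # assumption: unmatched traffic is allowed
        return "ACCEPT"

    def close(self, conn):
        self.established.discard(conn)

def replay(rule, timeline):
    """Feed (connection, timestamp) events to the rule and collect the verdicts."""
    return [rule.packet(conn, when) for conn, when in timeline]

D1, D2 = (2024, 1, 10), (2024, 1, 11)     # constructed dates
TIMELINE = [
    ("download", datetime(*D1, 19, 57)),  # opened before the window starts
    ("download", datetime(*D1, 20, 30)),  # same connection, inside the window
    ("browser",  datetime(*D1, 20, 31)),  # new connection inside the window
    ("download", datetime(*D2, 2, 0)),    # still the 19:57 connection
    ("browser",  datetime(*D2, 6, 5)),    # new connection after the window
]

if __name__ == "__main__":
    rule = TimedBlock(time(20, 0), time(6, 0))
    for (conn, when), verdict in zip(TIMELINE, replay(rule, TIMELINE)):
        print(when.strftime("%a %H:%M"), conn, verdict)
```

A long-lived connection opened shortly before the window therefore stays up all night; if that matters, the time constraint alone is not enough.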