This guide explains how to set up a rule that permits access to your IPFire from the outside world. Please check out the firewall rules reference for a more detailed description.


In the former firewall GUI that came with IPFire up to version 2.13, "External Access" was the term used to refer to rules that allow access from the outside world to various services running on your firewall system itself. For example, if your IPFire machine is also hosting a mail server or a web server, you would use an external access rule to allow Internet users to connect to those services. Please keep in mind that an external access rule may be a security risk and could be used to harm the system.

How to set it up?

To create a new external access rule, head over to the "firewall" tab on the IPFire Web User Interface and hit the "New rule" button.

Step 1: Source

In the first section, you have to define the source network or IP address from where the network packets will be sent. If possible, restrict access to a single host or a group of hosts, rather than allowing any host on the internet to connect.

Step 2: Destination

Now, you will need to pick the destination for your network packets. Because you are directing traffic to a service running on the firewall itself, select the Red interface.

Step 3: Protocol

Choose the service that you wish to make accessible to the outside world. While it is technically possible to select "All" here, that would allow an outsider to connect to any service running on the firewall, and would be a huge security risk. For that reason, choose only those services to which you need to provide access.

Step 4: Done

We are almost done now. Just make sure that you select the "ACCEPT" option, so that all packets that match your rule are accepted by the firewall, and don't forget to add a descriptive remark.

Optionally, you may restrict the rule so that it is only active at certain times. See Creating Firewall Rules (reference) for details on this feature.

Congratulations. You have set up an external access rule!
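
To check the resulting rule set against the advice in steps 1 and 3, the following added example (not part of IPFire and not code from this guide) audits a dump in `iptables-save` format and reports ACCEPT rules on the Red interface that allow any source or all protocols. The chain name `INPUTFW`, the interface name `red0` and the sample rules are assumptions constructed for illustration.

```python
import shlex

# Constructed sample in iptables-save format; the chain name INPUTFW, the
# interface names and all addresses are assumptions for illustration.
SAMPLE = """\
*filter
-A INPUTFW -s 203.0.113.10/32 -i red0 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUTFW -i red0 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUTFW -i red0 -j ACCEPT
-A INPUTFW -s 198.51.100.0/24 -i red0 -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUTFW -i green0 -j ACCEPT
COMMIT
"""

def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of the options we audit."""
    tokens = shlex.split(line)
    rule = {"chain": tokens[1], "src": None, "iface": None,
            "proto": None, "ports": None, "target": None}
    flags = {"-s": "src", "-i": "iface", "-p": "proto", "-j": "target",
             "--dport": "ports", "--dports": "ports"}
    for i, tok in enumerate(tokens[:-1]):
        if tok in flags:
            rule[flags[tok]] = tokens[i + 1]
    return rule

def audit(dump, iface="red0"):
    """Return (line, findings) for each ACCEPT rule on iface that is too broad."""
    results = []
    for line in dump.splitlines():
        if not line.startswith("-A "):
            continue  # skip table headers, chain policies and COMMIT
        r = parse_rule(line)
        if r["iface"] != iface or r["target"] != "ACCEPT":
            continue
        findings = []
        if r["src"] in (None, "0.0.0.0/0", "::/0"):
            findings.append("any source")       # step 1: source not restricted
        if r["proto"] in (None, "all"):
            findings.append("all protocols")    # step 3: equivalent of "All"
        elif r["proto"] in ("tcp", "udp") and r["ports"] is None:
            findings.append("all ports")
        if findings:
            results.append((line, findings))
    return results

if __name__ == "__main__":
    for line, findings in audit(SAMPLE):
        print(", ".join(findings), "<-", line)
```

A rule flagged only with "any source" can be intentional, for example a public mail or web server; the point of the report is that each such rule is a deliberate choice with a descriptive remark.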