Part of the IPFire Security Hardening Guide

Implementation Scale

This guide uses two scales:

Impact (security benefit): A. MAJOR, B. SIGNIFICANT, C. MINOR
Effort (to implement): 1. LOW, 2. MEDIUM, 3. HIGH

See the Security Guide introduction for a more detailed explanation of the scale.

Remove unused IPFire Addons

Impact Effort

If you have installed any Addons in IPFire which you no longer use, remove them. Every installed package is code that may carry vulnerabilities, so removing unused Addons reduces the attack surface of your IPFire system.

  • Uninstall Addons which you are not using with Pakfire in the web user interface (WUI)

Do not enable IPv6

Impact Effort

IPv6 is disabled by default in IPFire. For security reasons it is recommended that you do not enable it.

Although IPv6 may be the future of addressing on the internet, today most fixed-line ISPs still provide an IPv4 address. IPv6 gives every device on your network a globally routable address, so devices can be visible from the internet. It was long thought that scanning for devices in your network wasn't viable, due to the high number of possible addresses. However, it has recently been shown that there are smart ways around this.

  • Do not enable IPv6, unless you understand the full implications of using it
  • Avoid using "dual-stack" IPv4 and IPv6 at the same time. This exposes your system to the potential of more security bugs than if you just used one of the two IP versions.

Don't host services from your network

Impact Effort

Host services like email and web servers in a cloud environment and not on your internet connection. This avoids making your network a target (as there won't be any interesting services visible) and significantly reduces the opportunities for an attack to succeed.

  • Make your network a smaller, less interesting target by not hosting any services on it.
  • If you really need to host services from your network, ensure you follow best-practice by using a DMZ and setting up DMZ pinholes.

Do not run IPFire in a virtual machine

Impact Effort

Although IPFire will run effectively in a virtual machine, it is best to run any security software (such as a firewall router) on a separate physical machine. Running IPFire on a physical machine removes the possibility that another VM or the virtualization environment could become compromised and in turn compromise your IPFire firewall, or cause a denial of service by consuming shared resources (network, disk, CPU or memory).

  • Where possible, for security purposes run IPFire on a physical computer

IPFire is usually used in a position of trust as your internet gateway, and if it is compromised, it will be difficult to defend the rest of your network.

Block Tor

If you don't use Tor, block Tor traffic, as malware can use it for command-and-control (C2) communication.
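Blocking Tor only helps if you also notice when an internal host tries to reach it, since a C2 attempt that hits the block rule is itself an indicator of compromise. The following is an added example, not part of the IPFire guide and not IPFire's own code: it parses iptables-style log lines for outbound connections and flags internal hosts whose destinations match a list of known Tor relay addresses. The relay addresses and log lines are constructed for illustration; in practice the relay list would be fed from a published source (the Tor Project publishes relay lists) and the log lines from the firewall's own logging. Matching on relay addresses is deliberately preferred over matching on ports such as 9001, because Tor relays can also listen on 443.

```python
"""Flag internal hosts that contact known Tor relays (added example, constructed data)."""
import ipaddress
import re
from collections import defaultdict

# Constructed relay list in the shape of a one-address-per-line feed.
# These are documentation/test addresses (RFC 5737), not real Tor relays.
RELAY_FEED = """\
# hypothetical relay feed
203.0.113.10
198.51.100.77
192.0.2.200
not-an-address
"""

# Constructed iptables-style log lines; the format mirrors the kernel's
# "SRC= DST= PROTO= DPT=" fields that netfilter LOG targets emit.
SAMPLE_LOG = """\
Jan 10 12:00:01 fw kernel: OUTPUT SRC=10.0.0.15 DST=93.184.216.34 PROTO=TCP DPT=443
Jan 10 12:00:05 fw kernel: OUTPUT SRC=10.0.0.15 DST=203.0.113.10 PROTO=TCP DPT=9001
Jan 10 12:00:09 fw kernel: OUTPUT SRC=10.0.0.22 DST=198.51.100.77 PROTO=TCP DPT=443
Jan 10 12:00:12 fw kernel: OUTPUT SRC=10.0.0.15 DST=203.0.113.10 PROTO=TCP DPT=9001
Jan 10 12:00:20 fw kernel: OUTPUT SRC=10.0.0.40 DST=8.8.8.8 PROTO=UDP DPT=53
garbage line that does not parse
"""

LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)\s+PROTO=(?P<proto>\w+)\s+DPT=(?P<dport>\d+)"
)


def load_relays(feed_text):
    """Parse a one-address-per-line relay feed, skipping comments and invalid entries."""
    relays = set()
    for raw in feed_text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            relays.add(str(ipaddress.ip_address(entry)))
        except ValueError:
            # Malformed entries are ignored rather than aborting the whole load.
            continue
    return relays


def parse_line(line):
    """Extract src/dst/proto/dport from one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["dport"] = int(fields["dport"])
    return fields


def find_tor_contacts(log_text, relays):
    """Return {src: [(dst, dport), ...]} for every internal host that reached a relay."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and fields["dst"] in relays:
            hits[fields["src"]].append((fields["dst"], fields["dport"]))
    return dict(hits)


def summarize(hits):
    """Collapse hits to (src, distinct relays, total attempts), busiest host first."""
    rows = [(src, len({dst for dst, _ in conns}), len(conns)) for src, conns in hits.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


if __name__ == "__main__":
    relays = load_relays(RELAY_FEED)
    for src, distinct, total in summarize(find_tor_contacts(SAMPLE_LOG, relays)):
        print(f"{src}: {total} connection(s) to {distinct} known Tor relay(s)")
```

A host that repeatedly reaches the same relay after the block rule is in place (10.0.0.15 in the constructed data) is the one to investigate first; the summary is ordered so it appears at the top.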