IPFire is a hardened

open source Open source is source code that is made freely available for possible modification and redistribution. Products include permission to use the source code, design documents, or content of the product. The open-source model is a decentralized sof ...

Linux distribution A Linux distribution (often abbreviated as distro) is an operating system made from a software collection that includes the Linux kernel and, often, a package management system. Linux users usually obtain their operating system by downloading one ...

that primarily performs as a router and a

firewall Firewall may refer to: * Firewall (computing), a technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts * Firewall (construction), a barrier inside a building, designed to limit the spre ...

; a standalone firewall system with a web-based management console for configuration. IPFire originally started as a

fork In cutlery or kitchenware, a fork (from la, furca 'pitchfork') is a utensil, now usually made of metal, whose long handle terminates in a head that branches into several narrow and often slightly curved tines with which one can spear foods ei ...

of IPCop and has been rewritten on basis of

Linux From Scratch ''Linux From Scratch'' (LFS) is a type of a Linux installation and the name of a book written by Gerard Beekmans, and as of May 2021, mainly maintained by Bruce Dubbs. The book gives readers instructions on how to build a Linux system from sou ...

since version 2. It supports installation of add-ons to add

server Server may refer to: Computing *Server (computing), a computer program or a device that provides functionality for other programs or devices, called clients Role * Waiting staff, those who work at a restaurant or a bar attending customers and su ...

services, which can be extended into a

SOHO Soho is an area of the City of Westminster, part of the West End of London. Originally a fashionable district for the aristocracy, it has been one of the main entertainment districts in the capital since the 19th century. The area was develop ...

server. In April 2015, the project became a member of the

Open Invention Network Open Invention Network (OIN) is a company that acquires patents and licenses them royalty-free to its community members who, in turn, agree not to assert their own patents against Linux and Linux-related systems and applications. History The co ...

System Requirements

The basic requirements are at least a 1 GHz CPU, 1GB of RAM, and a 4GB hard drive. Two

network cards A network interface controller (NIC, also known as a network interface card, network adapter, LAN adapter or physical network interface, and by similar terms) is a computer hardware component that connects a computer to a computer network. Ear ...

are needed to connect to an Ethernet network.

DSL Digital subscriber line (DSL; originally digital subscriber loop) is a family of technologies that are used to transmit digital data over telephone lines. In telecommunications marketing, the term DSL is widely understood to mean asymmetric di ...

LTE LTE may refer to: Science and technology * LTE (telecommunication) (Long-Term Evolution), a telephone and mobile broadband standard ** LTE Advanced, an enhancement *** LTE Advanced Pro * Compaq LTE, a line of laptop computers produced by Compaq * ...

and

Wi-Fi Wi-Fi () is a family of wireless network protocols, based on the IEEE 802.11 family of standards, which are commonly used for local area networking of devices and Internet access, allowing nearby digital devices to exchange data by radio wave ...

(

WLAN A wireless LAN (WLAN) is a wireless computer network that links two or more devices using wireless communication to form a local area network (LAN) within a limited area such as a home, school, computer laboratory, campus, or office building ...

) are supported, too, with according hardware. The required

computing power In computing, computer performance is the amount of useful work accomplished by a computer system. Outside of specific contexts, computer performance is estimated in terms of accuracy, efficiency and speed of executing computer program instruction ...

to run IPFire depends on the area of application. Most commonly, x86 systems are being used, but

ARM In human anatomy, the arm refers to the upper limb in common usage, although academically the term specifically means the upper arm between the glenohumeral joint (shoulder joint) and the elbow joint. The distal part of the upper limb between the ...

devices, such as

Raspberry Pi Raspberry Pi () is a series of small single-board computers (SBCs) developed in the United Kingdom by the Raspberry Pi Foundation in association with Broadcom. The Raspberry Pi project originally leaned towards the promotion of teaching basic ...

Banana Pi )Guangdong BiPai Technology Co., Ltd. ( zh, 广东比派科技有限公司) , marketing_target = Global , price = , soc = , cpu = , graphics = , storage = , memory = , os = Linux (incBananian Raspberry Pi OS, Armbian, Lubuntu, Fed ...

, are supported, too. IPFire can be used in virtual environments (such as KVM,

VMWare VMware, Inc. is an American cloud computing and virtualization technology company with headquarters in Palo Alto, California. VMware was the first commercially successful company to virtualize the x86 architecture. VMware's desktop software ru ...

XEN Xen (pronounced ) is a type-1 hypervisor, providing services that allow multiple computer operating systems to execute on the same computer hardware concurrently. It was originally developed by the University of Cambridge Computer Laboratory an ...

Qemu QEMU is a free and open-source emulator (Quick EMUlator). It emulates the machine's processor through dynamic binary translation and provides a set of different hardware and device models for the machine, enabling it to run a variety of guest ...

, etc.). The basic setup of IPFire happens over a guided dialogue on the console, and the further administration takes place on the web-based management interface, such as add-ons and additional features.

System Details

The project is regularly updated by the development team to maintain the security. Developed as a stateful packet inspection (SPI) firewall. IPFire separates the network into different segments based on their security risk which are organised in colours. Normal clients connected to the LAN are represented as green, the Internet is represented as red, an optional

DMZ A demilitarized zone (DMZ or DZ) is an area in which treaties or agreements between nations, military powers or contending groups forbid military installations, activities, or personnel. A DZ often lies along an established frontier or bounda ...

is represented as orange and an optional Wireless network is represented as blue. No traffic can flow between segments unless specifically permitted through a firewall rule. IPFire's package management system, called Pakfire allows to install system updates, which keep security up to date, and additional software packages for customisation to different usage scenarios and needs. The

Linux Linux ( or ) is a family of open-source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically packaged as a Linux distribution, which ...

system is customised for the concrete purpose of a firewall. The design is modular, making its functionalities extensible through plugins, but the base comes with the following features * Stateful packet-inspection

based on

Netfilter Netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. Netfilter offers various functions and operations for packet filtering, network addre ...

Proxy server In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource. Instead of connecting directly to a server that can fulfill a request ...

with content filter and catching-updates functions (e.g. Microsoft Windows updates, virus scanners, etc.) *

Intrusion detection system An intrusion detection system (IDS; also intrusion prevention system or IPS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically rep ...

( Snort) with the option to install the

Intrusion Prevention System An intrusion detection system (IDS; also intrusion prevention system or IPS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically rep ...

''guardian'' via ''Pakfire'' *Since Core Update 131 it features the

intrusion prevention system An intrusion detection system (IDS; also intrusion prevention system or IPS) is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically rep ...

Suricata ''Suricata'' is a genus of mongoose that is endemic to Africa. The oldest species known is the extinct '' Suricata major'' that lived about 1.8 million years ago in South Africa South Africa, officially the Republic of South Africa (RSA) ...

" instead of snort *

Virtual private network A virtual private network (VPN) extends a private network across a public network and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. The be ...

(VPN) with

IPsec In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in ...

and

OpenVPN OpenVPN is a virtual private network (VPN) system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It implements both client and server appl ...

Dynamic Host Configuration Protocol The Dynamic Host Configuration Protocol (DHCP) is a network management protocol used on Internet Protocol (IP) networks for automatically assigning IP addresses and other communication parameters to devices connected to the network using a cli ...

(DHCP)

Caching In computing, a cache ( ) is a hardware or software component that stores data so that future requests for that data can be served faster; the data stored in a cache might be the result of an earlier computation or a copy of data stored elsewher ...

name-server (supports

DNSSEC The Domain Name System Security Extensions (DNSSEC) are a suite of extension specifications by the Internet Engineering Task Force (IETF) for securing data exchanged in the Domain Name System (DNS) in Internet Protocol (IP) networks. The protocol ...

) *

Time server Time is the continued sequence of existence and events that occurs in an apparently irreversible succession from the past, through the present, into the future. It is a component quantity of various measurements used to sequence events, to co ...

* Wake-on-LAN (WOL) *

Dynamic DNS Dynamic DNS (DDNS) is a method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DDNS configuration of its configured hostnames, addresses or other information. The term is used to desc ...

Quality of service Quality of service (QoS) is the description or measurement of the overall performance of a service, such as a telephony or computer network, or a cloud computing service, particularly the performance seen by the users of the network. To quantitat ...

(QoS) *

System monitor A system monitor is a Computer hardware, hardware or software component used to monitor system resources and performance in a computer system. Among the management issues regarding use of system monitoring tools are resource usage and privacy. ...

ing functions and log analysis * GeoIP filtering *

Captive Portal A captive portal is a web page accessed with a web browser that is displayed to newly connected users of a Wi-Fi or wired network before they are granted broader access to network resources. Captive portals are commonly used to present a landing ...

IPFire Location

The IPFire Project built a free

Internet geolocation In computing, Internet geolocation is software capable of deducing the geographic position of a device connected to the Internet. For example, the device's IP address can be used to determine the country, city, or ZIP code, determining its geogra ...

database published under the

Creative Commons license A Creative Commons (CC) license is one of several public copyright licenses that enable the free distribution of an otherwise copyrighted "work".A "work" is any creative material made by a person. A painting, a graphic, a book, a song/lyrics ...

. It is being used by

The Tor Project The Tor Project, Inc. is a Seattle-based 501(c)(3) research-education nonprofit organization founded by computer scientists Roger Dingledine, Nick Mathewson and five others. The Tor Project is primarily responsible for maintaining software for ...

to identify the location of

Tor Tor, TOR or ToR may refer to: Places * Tor, Pallars, a village in Spain * Tor, former name of Sloviansk, Ukraine, a city * Mount Tor, Tasmania, Australia, an extinct volcano * Tor Bay, Devon, England * Tor River, Western New Guinea, Indonesia Sc ...

nodes and relays.

References

External links

Official website

Website of IPFire Location

IPFire on OpenHub

Project presentation in Linux Magazine for CeBIT Open Source 2010 (in German)
{{Firewall software Free routing software Gateway/routing/firewall distribution Wireless access points Linux distributions used in appliances Firewall software Routing software Linux distributions without systemd Linux distributions

System Requirements

System Details

IPFire Location

See also

References

External links