Concept of the system
The foundation of IPFire is the high level of flexibility which lets us configure different versions of this operating system out of a single base. Beginning with a small firewall system of a few megabytes, it is possible to run IPFire as a file server or VPN gateway for staff, branches or customers. This modularity means that your version of IPFire runs with exactly what you require and nothing more. All features are easily configured with the package manager, which also makes updates very easy.
We believe that this is the best way to provide security to a network. There is no way to distribute a static appliance because security means different things to different people, and changes over time. Security is more of a process paired with behaviour and restrictions. IPFire has been designed to be flexible enough to fit into any existing security architecture.
The primary objective in the development of IPFire is – of course – security. But that doesn’t mean there is only one way to achieve security. Rather, it is more important for every administrator to understand their environment and what security means in that context.
IPFire is the base of security for a local network. It has the power to segment the network according to the security level each group of hosts requires. This makes it easy to create custom policies for each segment. See the firewall tab for more information.
Part of this focus on security involves the fast and reliable distribution of security updates for the system and its components. Updates are digitally signed and encrypted, and can be installed automatically by Pakfire, the package manager. Since IPFire is directly connected to the Internet, it is a primary target for hackers and bots. Pakfire lets administrators be certain they are running the latest security updates and bug fixes.
From a technical point of view, IPFire is a minimalistic, hardened firewall system which comes with an integrated package manager called Pakfire. With a single click you can extend the base system with additional network services.
Some interesting addons:
- File services such as Samba and vsftpd
- Communication Server Asterisk
- A collection of command line tools like tcpdump, nmap and traceroute
- and many more…
IPFire’s firewall uses Stateful Packet Inspection (SPI) and is built on top of netfilter, the Linux packet filtering framework. With the installation of IPFire, the network gets separated into different segments, each representing a group of computers that share a common security level:
- Green represents a safe area. This is where all regular client computers reside. It usually consists of a wired local network. Clients can access all other network segments without restriction.
- Red, a color commonly indicating danger, represents the Internet. No access from the Internet is permitted to pass the firewall unless specifically configured by the administrator.
- Blue represents the wireless part of the local network, since it has its own unique potential for abuse. The color blue was chosen as it is the color of the sky. Clients on this network segment must be explicitly allowed before they may access the network.
- Orange is commonly referred to as the demilitarized zone (DMZ). Any servers which are publicly accessible are separated from the rest of the network to limit the extent of a security breach.
This scheme means there is a perfect place for each machine in the network. The various segments may be enabled separately depending on requirements. Additionally, the firewall can also control outbound Internet access from any segment. This gives the administrator ultimate control over how their network can be used.
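The zone scheme above, modelled as a small stateful policy evaluator. This is an added example and not IPFire code: the Green, Red and Blue defaults follow the description on this page, while the Orange (DMZ) default, the `ZoneFirewall`/`Packet` names and the sample addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatch

GREEN, RED, BLUE, ORANGE = "green", "red", "blue", "orange"

@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src: str  # "ip:port" of the sender
    dst: str  # "ip:port" of the receiver

@dataclass
class ZoneFirewall:
    # Administrator rules: (src_zone, src pattern, dst_zone, dst pattern);
    # patterns use shell-style wildcards, e.g. "192.168.2.20:*".
    rules: list = field(default_factory=list)
    # Connection tracking table: (src, dst) of flows whose first packet was accepted.
    conntrack: set = field(default_factory=set)

    def default_policy(self, p: Packet) -> bool:
        if p.src_zone == GREEN:          # Green may reach every other segment
            return True
        if p.src_zone in (RED, BLUE):    # Internet and wireless clients need a rule
            return False
        # Assumption, not stated on the page: DMZ hosts may reach the
        # Internet but not the internal segments.
        return p.src_zone == ORANGE and p.dst_zone == RED

    def explicitly_allowed(self, p: Packet) -> bool:
        return any(sz == p.src_zone and dz == p.dst_zone
                   and fnmatch(p.src, s) and fnmatch(p.dst, d)
                   for sz, s, dz, d in self.rules)

    def decide(self, p: Packet) -> str:
        # Stateful inspection: a reply belonging to an accepted flow passes
        # even when its source zone (e.g. Red) would otherwise be blocked.
        if (p.dst, p.src) in self.conntrack:
            return "ACCEPT/established"
        if self.explicitly_allowed(p) or self.default_policy(p):
            self.conntrack.add((p.src, p.dst))
            return "ACCEPT/new"
        return "DROP"

if __name__ == "__main__":
    fw = ZoneFirewall(rules=[(RED, "*", ORANGE, "10.0.3.10:443")])  # publish a DMZ web server
    print(fw.decide(Packet(GREEN, RED, "192.168.1.10:51000", "203.0.113.5:443")))   # ACCEPT/new
    print(fw.decide(Packet(RED, GREEN, "203.0.113.5:443", "192.168.1.10:51000")))   # ACCEPT/established
    print(fw.decide(Packet(RED, ORANGE, "198.51.100.7:40000", "10.0.3.10:22")))     # DROP
```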
IPFire may be enhanced to include a virtual private network (VPN) gateway which connects remote people and places to the local network using an encrypted link. This could be staff, friends, or anyone you’d like to share data with in a secure way. Businesses use VPNs to connect branch offices, datacenters, corporate partners, and to provide traveling staff with a portal into the corporate network.
IPFire supports both the IPsec and OpenVPN protocols, affording the maximum in flexibility when configuring your VPN. These implementations allow IPFire to connect to VPN endpoint devices from Cisco, Juniper, Checkpoint, NetGear, or any Linux based implementation.
Based on a recent version of the Linux kernel 2.6 series, IPFire supports the latest hardware like 10Gbit network cards and wireless hardware out of the box. Requirements are minimal:
- an Intel Pentium I compatible CPU (i586), 128 MB RAM, and 1 GB disk space
- For routing, at least 2 network interfaces are required. Alternatively, a 3G modem may be used.
The IPFire developers aim to run IPFire on as many hardware variations as possible. This is what lets IPFire run on cheap hardware as well as high performance servers.
IPFire can be run as a virtual guest on the following hypervisors:
- Xen (paravirtualized and fully virtualized mode)
- VMWare (Workstation, vSphere, ESXi, …)
It includes frontend drivers that provide high performance on all of these hypervisors.
IPFire is licensed under the terms of the GNU General Public License in version 3, so it is free software. The success of the project depends upon donations to the community.
Free software allows (under the terms of the GPLv3):
- Free use for an unlimited amount of time
- Review of the full source code
- Opportunity to take part in development and make your own improvements
- Independence from a specific vendor