- Bind the WUI to trusted interfaces only and limit access with source IP controls.
- Enforce strong admin credentials and rotate them according to policy.
- Enable time synchronization (NTP) to keep logs and certificates valid.
- Use IPFire zone separation (GREEN, RED, BLUE, ORANGE) as a mandatory boundary.
- Place user workstations and guest devices in separate zones.
- Deny inter-zone traffic by default and create explicit service rules.
¶ IDS/IPS and Threat Controls
- Enable Intrusion Detection/Prevention with curated rulesets.
- Disable low-value noisy signatures and keep high-confidence signatures enabled.
- Regularly update blocklists and confirm they do not break business-critical endpoints.
- Apply official Core Updates promptly after staging validation.
- Keep add-ons minimal and remove unused packages.
- Capture encrypted backups before each update window.
¶ DNS and Outbound Security
- Use DNS over TLS and validating upstream resolvers where feasible.
- Block direct DNS egress from client zones except through the IPFire resolver.
- Restrict outbound ports and destinations for IoT and unmanaged assets.
¶ Logging and Audit
- Forward firewall and IDS logs to a SIEM or centralized syslog server.
- Monitor repeated blocked connections, brute-force attempts, and config changes.
- Periodically review local firewall rules for stale exceptions.
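An added example for the log-monitoring item above, not part of the original checklist: a small Python parser that reads netfilter DROP lines of the kind the IPFire kernel writes to /var/log/messages and flags sources whose blocked connections to one destination port repeat within a sliding window. The sample lines, addresses and timestamps are constructed, and the threshold and window values are assumptions to tune per site.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: netfilter log lines in the form the IPFire kernel writes to
# /var/log/messages. Addresses and times are invented; DPT=444 is the WUI's default port.
SAMPLE_LOG = """\
Mar  3 10:00:01 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=51000 DPT=444 SYN
Mar  3 10:00:02 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=444 SYN
Mar  3 10:00:04 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=51002 DPT=444 SYN
Mar  3 10:00:07 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=51003 DPT=444 SYN
Mar  3 10:00:30 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=192.0.2.7 DST=198.51.100.2 PROTO=TCP SPT=40000 DPT=22 SYN
Mar  3 10:00:31 ipfire kernel: DROP_FORWARD IN=green0 OUT=red0 SRC=10.0.0.5 DST=203.0.113.50 PROTO=UDP SPT=5353 DPT=53
Mar  3 11:15:00 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=51005 DPT=444 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>\S+) (?P<fields>.*)$"
)

def parse_line(line):
    """Turn one netfilter log line into a dict; non-matching lines yield None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Key=value tokens become fields; bare flags such as SYN are skipped.
    fields = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
    fields["ts"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")  # syslog has no year
    fields["prefix"] = m.group("prefix")
    return fields

def repeated_blocks(text, threshold=10, window=timedelta(minutes=1)):
    """Return {(src, dpt): peak hits} for sources whose DROP hits against one port
    reach `threshold` inside a sliding `window` (both values are assumptions)."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    recent, peaks = {}, {}
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if not r["prefix"].startswith("DROP") or "SRC" not in r:
            continue
        key = (r["SRC"], r.get("DPT", "-"))
        hits = recent.setdefault(key, [])
        hits.append(r["ts"])
        hits[:] = [t for t in hits if r["ts"] - t <= window]  # forget hits outside window
        if len(hits) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(hits))
    return peaks

if __name__ == "__main__":
    for (src, dpt), n in repeated_blocks(SAMPLE_LOG, threshold=4).items():
        print(f"{src} hit port {dpt} {n} times within one minute")
```

With the constructed sample and a threshold of 4, only the burst against port 444 is flagged; the single SSH probe and the client bypassing the resolver on port 53 stay below it but still show up when the threshold is lowered.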