IPFire Wishlist

Crowd funding for the IPFire project

The wishlist is the IPFire crowd funding platform where you can donate to accelerate the development of your favorite features.

It's easy! Just pick the wish you would like to see implemented in the future. Hit the donate button and donate the amount of money this feature is worth to you. After that, tell your friends and colleagues about it and encourage them to promote your favourite wish as well.

GeoIP-based firewall rules

This crowd-funding feature is supposed to make your firewall ruleset smaller and more effective with geographically based blocking: GeoIP Block

Attackers originate from all sorts of places in the world. Often huge networks of bots scan the entire Internet for services that are publicly accessible and possible to exploit. With GeoIP-based blocking it is possible to mitigate many of those scans, which takes load off the firewall engine and helps secure the services your network is offering.

In short: all packets that originate from an IP network registered in a blocked country are dropped. As an example, this enables you to allow connections to your OpenVPN server only from your own country and not from anywhere else in the world. Outgoing connections will not be filtered, so that surfing on foreign sites is not affected.

It will be possible to enable this feature globally for the entire firewall ruleset or for individual rules, incoming and outgoing at the same time. So here are some more pretty neat use cases:

  • Stop malware. Some malicious software connects to command and control (C&C) servers in certain countries. Creating an outgoing rule that stops access from the local networks to those countries and a certain port number will stop that.
  • Allow access to remote administration services only from your own country. Unless you are travelling you will still be able to access those services from almost anywhere, but scanning your IP address for open services from abroad will no longer work.
  • If you operate a mail server which receives lots of spam from countries you usually don’t communicate that much with, you can combine the GeoIP-Block feature with the rate-limiting feature that was recently introduced. If more than a certain number of connections from that country to your mail server are open (let us say just one), you can drop all the rest. Receiving email from there will still be possible with a delay, but huge spam botnets that send you spam email in bulk will not be able to send that much spam any more.
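
The OpenVPN and mail-server use cases above, modelled as an added example (this is not IPFire code and does not show how the firewall implements the feature). The GeoIP table, the rule layout, the country codes `XX`/`YY`, the choice of `DE` as home country and the default-deny fallback are all assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Constructed GeoIP table: documentation ranges with made-up country assignments.
GEOIP = {"DE": ["192.0.2.0/24"], "XX": ["198.51.100.0/24"], "YY": ["203.0.113.0/24"]}
NETS = [(ipaddress.ip_network(c), cc) for cc, cidrs in GEOIP.items() for c in cidrs]

def country_of(ip):
    """Return the country code of the most specific matching network, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, cc) for net, cc in NETS if addr in net]
    return max(hits)[1] if hits else None

# Hypothetical inbound rules keyed by destination port.
RULES = {
    1194: {"allow": {"DE"}, "limit": {}},       # OpenVPN: home country only
    25:   {"allow": None, "limit": {"XX": 1}},  # SMTP: one open connection from XX
}

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.open = Counter()  # (port, country) -> currently open connections

    def new_connection(self, src_ip, dst_port):
        rule = self.rules.get(dst_port)
        if rule is None:
            return "DROP"  # assumption: inbound traffic without a rule is denied
        cc = country_of(src_ip)
        # Addresses missing from the GeoIP table (cc is None) fail an allow list.
        if rule["allow"] is not None and cc not in rule["allow"]:
            return "DROP"
        limit = rule["limit"].get(cc)
        if limit is not None and self.open[(dst_port, cc)] >= limit:
            return "DROP"  # country already holds its quota of open connections
        self.open[(dst_port, cc)] += 1
        return "ACCEPT"

    def close_connection(self, src_ip, dst_port):
        key = (dst_port, country_of(src_ip))
        if self.open[key] > 0:
            self.open[key] -= 1

if __name__ == "__main__":
    fw = Firewall(RULES)
    for ip, port in [("192.0.2.10", 1194), ("198.51.100.7", 1194),
                     ("198.51.100.7", 25), ("198.51.100.8", 25)]:
        print(ip, port, fw.new_connection(ip, port))
```

An address that is absent from the GeoIP data is dropped by an allow list but passes a rule that only carries a per-country limit, so the accuracy and freshness of the database decide how well either rule works.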

The other features of the new firewall GUI and this new GeoIP-Block feature together make the IPFire firewall once again more powerful and broaden its use cases. Please help us implement this feature with your donation.
