Hi,
welcome to the IPFire community.
Just to be clear on that: Closed-source software is a dealbreaker for us. We expect things to be open source if they want to have a chance to land in IPFire.
I read through their documentation and, to be honest, cannot really see the benefit of it. If I understood it right, CrowdSec is about reporting offending IP addresses (“offending” defined by the configurations of software reporting them), preemptively blocking them on any other CrowdSec installation.
There are numerous services like this already available. I do not really see the benefit in fragmenting this landscape even further.
At IPFire, I tend to care more and more about the outgoing traffic, not the incoming one. This is because we are quite good at filtering incoming traffic (that’s the minimum requirement for a firewall, isn’t it?), and have things like the IPS available if any port has to be exposed to the internet.
On the other hand, people are pretty reluctant to regulate outgoing traffic, because this is hard, requires some knowledge of your network, and users are offended if something does not work afterwards. At IPFire, we try to make it easier to block outgoing network traffic to networks known as hostile (i.e. used for dissemination of malware, trojan downloaders, botnet controllers), and to improve the overall security, I think we should focus more on this side of the traffic.
Having information about IP addresses attacking other services is nice, but I would prefer a curated and freely available list of malicious IP addresses hosting cybercriminal infrastructure over it. To the best of my understanding, CrowdSec provides the former, not the latter.
That being said, you are invited to work on providing CrowdSec as an add-on. Please see here for further information on this topic.
Thanks, and best regards,
Peter Müller