Custom IP Blacklist

Hello all,

What is the best way to store external IP addresses in IPFire from which no connection may be accepted, and to which clients may not send data?

I am concerned about this article here and the IP list it mentions.

Totgesagte leben länger: Emotet ist zurück (German: "Those declared dead live longer: Emotet is back")
Browse Botnet C&Cs

Paul

Hi Paul,
I use IPset (wiki.ipfire.org - IPset) for stuff like this, but since those lists are not that extensive you may also integrate them in the FW groups. Take care to update them, since those IPs won't last long…

Best,

Erik
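To make the ipset approach above concrete, here is an added example (not IPFire's own code and not from the posters in this thread) that turns a plain-text IP blocklist into an `ipset restore` script and hooks the resulting set into iptables. The set name `botnet_c2`, the RED interface name `red0`, the chains used and the sample list contents are assumptions for illustration; the sample mimics the one-IPv4-per-line, `#`-commented style of FeodoTracker's text export but is constructed, not real data. The temporary set plus `swap` keeps the old entries in force until the new list is completely loaded, which is what you want for a list that has to be refreshed often.

```shell
#!/bin/sh
# Added example: refresh an ipset-based C&C blocklist and enforce it with iptables.
# Not IPFire project code. Assumed: ipset and iptables are installed when 'apply' is used.

# Constructed sample in the FeodoTracker-like text style ('#' comments, one IPv4 per line).
# The addresses are documentation ranges (RFC 5737), not real C&C servers.
SAMPLE_LIST='# Botnet C2 IP blocklist (constructed sample, not real data)
# Last updated: never
192.0.2.10
198.51.100.23      # trailing comments are tolerated
not-an-ip
203.0.113.77
203.0.113.77
'

SET_NAME="${SET_NAME:-botnet_c2}"   # assumed set name
RED_IFACE="${RED_IFACE:-red0}"     # assumed name of the RED (WAN) interface

# Validate a dotted-quad IPv4 address: exactly four decimal octets, each 0-255.
# Runs in a subshell so the IFS change does not leak into the caller.
is_ipv4() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
    exit 0
)

# Read a blocklist on stdin and emit an 'ipset restore' script on stdout.
# Comments, blank lines, CR line endings, duplicates and malformed entries are
# dropped; the new entries go into a temporary set that is then atomically
# swapped with the live set, so the old list stays active during the reload.
build_restore() {
    tmp="${SET_NAME}_tmp"
    printf 'create %s hash:ip family inet -exist\n' "$SET_NAME"
    printf 'create %s hash:ip family inet -exist\n' "$tmp"
    printf 'flush %s\n' "$tmp"
    tr -d '\r' | sed 's/#.*//; s/[[:space:]]//g' | grep -v '^$' | sort -u |
    while read -r ip; do
        if is_ipv4 "$ip"; then
            printf 'add %s %s\n' "$tmp" "$ip"
        else
            printf 'skipping malformed entry: %s\n' "$ip" >&2
        fi
    done
    printf 'swap %s %s\n' "$tmp" "$SET_NAME"
    printf 'destroy %s\n' "$tmp"
}

# Number of 'add' lines produced for the constructed sample (duplicates collapsed).
count_entries() {
    printf '%s' "$SAMPLE_LIST" | build_restore 2>/dev/null | grep -c '^add '
}

# Load the set and make sure a DROP rule exists for inbound traffic from listed
# hosts and for forwarded traffic to or from them. '-C' tests for an existing
# rule so repeated runs do not stack duplicates.
apply_blocklist() {
    command -v ipset >/dev/null 2>&1 || { echo "ipset not installed" >&2; return 1; }
    build_restore | ipset restore || return 1
    for rule in "INPUT -i $RED_IFACE -m set --match-set $SET_NAME src -j DROP" \
                "FORWARD -i $RED_IFACE -m set --match-set $SET_NAME src -j DROP" \
                "FORWARD -o $RED_IFACE -m set --match-set $SET_NAME dst -j DROP"; do
        iptables -C $rule 2>/dev/null || iptables -I $rule || return 1
    done
}

# Usage: 'sh blocklist.sh apply < list.txt' loads a real list; with no argument
# the script just prints the restore script generated from the sample.
if [ "${1:-}" = "apply" ]; then
    apply_blocklist
else
    printf '%s' "$SAMPLE_LIST" | build_restore
fi
```

On IPFire the natural place to call this is the `/etc/sysconfig/firewall.local` hook (its start and reload actions), together with a cron entry that re-runs the refresh, since, as noted above, these addresses churn quickly. The `swap` step is the important detail: refreshing with `flush` followed by `add` would leave a window with no entries at all.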

Hi,

just for the sake of completeness: If you are using the IPS, at least the ET community ruleset contains the C&C servers tracked by FeodoTracker:

True, this is a rather costly way to block things, but at least you are safe from these C&C servers without leaving IPFire's web interface. :)

Thanks, and best regards,
Peter Müller


What kind of rulesets would you recommend when operating at home?

This is what I currently have activated.

My Options:

Best regards, Paul

Hi,

unfortunately, there is no general answer to your question.

Looking at the screenshots you provided, two aspects come to my mind:

  • Enable the IPS on all interfaces, not just the RED one.
    That way, you gain additional coverage on internal network traffic, and get better information on rules applying on outgoing traffic, since you will have the client’s IP address logged, not just the external IP address on your RED interface.
  • Personally, I’d enable the following rulesets in addition:
    • drop.rules (contains hostile networks safe to drop)
    • emerging-dns.rules (since you are using DNS, and it is an important, yet often underestimated attack vector)
    • emerging-exploit_kits.rules (in addition to emerging-exploit.rules)
    • emerging-voip.rules (if you have VoIP clients behind your IPFire)
    • emerging-web_clients.rules (applies to attacks against web browsers)

Please refer to this blog post for more general advice.

Thanks, and best regards,
Peter Müller
