Hello,
When you use IP Address Blocklists, IPFire will create an ipset for each blocklist that you enable and then process packets for matches against that ipset.
An ipset is essentially a hash table stored in memory that provides fast lookup for large lists of IP addresses. If you want to see what is in an ipset, you can list the contents from the console. For example, to see the DSHIELD ipset:
ipset list DSHIELD
The ipset matches are done in the BLOCKLISTIN and BLOCKLISTOUT iptables chains which contain the rules for the ipset matches.
This is how a packet sent to a host behind the firewall will be processed by IPFire:
Since the packet is sent to a host behind the firewall, it will be processed by the iptables FORWARD chain. Packets sent directly to the firewall itself or coming from the firewall itself are processed by the INPUT and OUTPUT iptables chains in a similar way.
The FORWARD chain contains two targets, BLOCKLISTIN and BLOCKLISTOUT used to check for blocklist matches:
iptables -L FORWARD
Chain FORWARD (policy DROP)
target prot opt source destination
BADTCP tcp -- anywhere anywhere
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
CUSTOMFORWARD all -- anywhere anywhere
HOSTILE all -- anywhere anywhere
BLOCKLISTIN !icmp -- anywhere anywhere
BLOCKLISTOUT !icmp -- anywhere anywhere
GUARDIAN all -- anywhere anywhere
IPSECBLOCK all -- anywhere anywhere policy match dir out pol none
WGBLOCK all -- anywhere anywhere
...
Packets processed by the forward chain (that are not icmp packets) are sent first to the BLOCKLISTIN target and then to the BLOCKLISTOUT target.
Here is BLOCKLISTIN:
iptables -L BLOCKLISTIN
Chain BLOCKLISTIN (2 references)
target prot opt source destination
RETURN all -- 10.0.0.0/8 anywhere
RETURN all -- 172.16.0.0/12 anywhere
RETURN all -- 192.168.0.0/16 anywhere
RETURN all -- 100.64.0.0/10 anywhere
RETURN all -- base-address.mcast.net/4 anywhere
BLOCKLIST_DE_DROP all -- anywhere anywhere match-set BLOCKLIST_DE src
BOGON_FULL_DROP all -- anywhere anywhere match-set BOGON_FULL src
CIARMY_DROP all -- anywhere anywhere match-set CIARMY src
DSHIELD_DROP all -- anywhere anywhere match-set DSHIELD src
SPAMHAUS_DROP_DROP all -- anywhere anywhere match-set SPAMHAUS_DROP src
TOR_EXIT_DROP all -- anywhere anywhere match-set TOR_EXIT src
In the BLOCKLISTIN chain you can see the rules that do the actual matches to the ipsets. The BLOCKLISTOUT chain is similar, except instead of looking for a match of the source address, it looks for a match of the destination address. Note the ‘dst’ vs. ‘src’ at the end of each match-set rule:
iptables -L BLOCKLISTOUT
Chain BLOCKLISTOUT (2 references)
target prot opt source destination
RETURN all -- anywhere 10.0.0.0/8
RETURN all -- anywhere 172.16.0.0/12
RETURN all -- anywhere 192.168.0.0/16
RETURN all -- anywhere 100.64.0.0/10
RETURN all -- anywhere base-address.mcast.net/4
BLOCKLIST_DE_DROP all -- anywhere anywhere match-set BLOCKLIST_DE dst
BOGON_FULL_DROP all -- anywhere anywhere match-set BOGON_FULL dst
CIARMY_DROP all -- anywhere anywhere match-set CIARMY dst
DSHIELD_DROP all -- anywhere anywhere match-set DSHIELD dst
SPAMHAUS_DROP_DROP all -- anywhere anywhere match-set SPAMHAUS_DROP dst
TOR_EXIT_DROP all -- anywhere anywhere match-set TOR_EXIT dst
If a packet matches one of the blocklists, it is sent to another iptables chain that handles the logging and actual drop of the packet. For DSHIELD as an example:
iptables -L DSHIELD_DROP
Chain DSHIELD_DROP (2 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warn prefix "BLKLST_DSHIELD "
DROP all -- anywhere anywhere
This is a simple chain and all it does is log the packet with the prefix that you see in /var/log/messages and drop the packet.
Packets that are not matched in either the BLOCKLISTIN or BLOCKLISTOUT chain return to the FORWARD chain and continue to traverse that chain until they are either matched by another rule or hit the end of the chain and are dropped by the default (policy DROP).
IPFire reports counts of the packets dropped by the blocklist rules, which is what you are seeing in the IP Address Blocklist Logs. The percentages that you see are percentages for each blocklist of all the packets dropped by all blocklists, so this is a way to gauge the relative “effectiveness” of each blocklist with regard to the traffic that you’re seeing. A low percentage just means that you saw fewer packets that a particular blocklist applied to as compared to the other blocklists. Higher or lower percentages here are not better or worse; they’re just a view of how the blocklists apply to the traffic that your firewall is seeing.
Regards,
Stephen
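The chain walk described in the post (FORWARD jumping to BLOCKLISTIN and BLOCKLISTOUT for non-ICMP packets, RETURN for private ranges, match-set on src vs. dst, and a per-list _DROP chain that logs with the BLKLST_ prefix and drops) and the percentage view in the IP Address Blocklist Logs, as one added Python model. This is example code written for this thread, not IPFire's own code: the ipset members, the packets and the log line layout are constructed sample data, and the real lists hold thousands of entries.

```python
"""Model of IPFire's blocklist chain traversal and the per-list drop tally.

Added example, not IPFire code. Mirrors the structure shown in the post:
BLOCKLISTIN matches the source address, BLOCKLISTOUT the destination,
both RETURN early for private/CGNAT/multicast ranges, and a match sends
the packet to <NAME>_DROP which logs with prefix "BLKLST_<NAME> " and drops.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample ipsets (stand-ins for the real DSHIELD, TOR_EXIT, ... lists).
IPSETS = {
    "DSHIELD": [ip_network("203.0.113.0/24")],
    "TOR_EXIT": [ip_network("198.51.100.7/32")],
    "BOGON_FULL": [ip_network("240.0.0.0/4")],
}

# The RETURN rules at the top of BLOCKLISTIN/BLOCKLISTOUT; 224.0.0.0/4 is the
# range iptables prints as base-address.mcast.net/4.
RETURN_RANGES = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "224.0.0.0/4")]


def blocklist_chain(addr):
    """Shared logic of BLOCKLISTIN (addr = source) and BLOCKLISTOUT (addr = destination).

    Returns the name of the first matching ipset, or None when the chain RETURNs."""
    if any(addr in net for net in RETURN_RANGES):
        return None
    for name, nets in IPSETS.items():  # same order as the match-set rules in iptables -L
        if any(addr in net for net in nets):
            return name
    return None


def forward(src, dst, proto="tcp"):
    """Walk a forwarded packet through the two blocklist jumps.

    Returns ("DROP", logline) when a blocklist matched, or ("CONTINUE", None)
    when the packet returns to FORWARD and keeps traversing that chain."""
    if proto == "icmp":  # both jumps in FORWARD are '!icmp'
        return ("CONTINUE", None)
    matched = blocklist_chain(ip_address(src))        # BLOCKLISTIN: match-set ... src
    if matched is None:
        matched = blocklist_chain(ip_address(dst))    # BLOCKLISTOUT: match-set ... dst
    if matched is None:
        return ("CONTINUE", None)
    # <NAME>_DROP: LOG with the prefix seen in /var/log/messages, then DROP.
    # Constructed, simplified line; a real kernel LOG line carries more fields.
    log = f"kernel: BLKLST_{matched} IN=red0 SRC={src} DST={dst} PROTO={proto.upper()}"
    return ("DROP", log)


LOG_RE = re.compile(r"BLKLST_([A-Z_]+) ")


def tally(lines):
    """Count drops per blocklist and express each as a share of all blocklist drops,
    which is what the IP Address Blocklist Logs percentages represent."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    total = sum(counts.values())
    return {name: (n, round(100.0 * n / total, 1)) for name, n in counts.items()}


# Constructed sample packets (src, dst, proto).
SAMPLE_PACKETS = [
    ("203.0.113.45", "192.168.1.10", "tcp"),   # DSHIELD src: dropped in BLOCKLISTIN
    ("192.168.1.10", "198.51.100.7", "tcp"),   # private src RETURNs; TOR_EXIT dst drops in BLOCKLISTOUT
    ("203.0.113.9", "192.168.1.10", "icmp"),   # icmp skips both blocklist chains
    ("8.8.8.8", "192.168.1.10", "udp"),        # no match: continues down FORWARD
    ("203.0.113.200", "192.168.1.11", "tcp"),  # second DSHIELD hit
]


def run_sample():
    """Drive the sample packets through forward() and tally the resulting log lines."""
    logs = [log for _, log in (forward(*p) for p in SAMPLE_PACKETS) if log]
    return tally(logs)


if __name__ == "__main__":
    for name, (n, pct) in run_sample().items():
        print(f"{name:<14} {n:>5} drops  {pct:>5}%")
```

Running it prints DSHIELD with 2 drops at 66.7% and TOR_EXIT with 1 drop at 33.3%: the same kind of share-of-all-drops view the post describes, where a low figure only says that list matched less of this firewall's traffic than the others. The same tally() can be pointed at real lines grepped for BLKLST_ from /var/log/messages.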