Excessive Logging

Is there a way to suppress excessive logging of incoming packets on the RED interface?

I want to suppress incoming DROP_HOSTILE, BLKLST_CIARMY etc…

Outgoing DROP_HOSTILE are useful on the other hand.

I am concerned that it is causing too much wear on the storage. Once the storage fails, the firewall will be disabled.

I see 10-20k incoming packets that are dropped by the Firewall, and there is no way for me to analyze 10-20k entries per day.

My firewall rules are simple: block all incoming.
Location Block is blocking all incoming.

I started using IP Blocklist, but that just increased the logging. IPS log went down :+1:

99.99% is just DROP_HOSTILE or CIARMY
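Triaging the volume described above is easier if the log is summarised rather than read line by line. The following is an added example, not code from the original thread or from IPFire: it parses netfilter LOG lines in the shape they take in /var/log/messages (constructed sample lines; the log prefix is the chain's LOG prefix, and a packet with an empty OUT= field was addressed to the firewall itself, so it is treated as incoming), counts hits per prefix and direction, lists the top sources and ports, and filters out the incoming DROP_HOSTILE / BLKLST_CIARMY noise while keeping the outgoing hits the poster wants to see.

```python
import re
from collections import Counter

# Constructed sample lines modelled on netfilter LOG output on IPFire.
# Addresses are from documentation ranges; nothing here is real traffic.
SAMPLE_LOG = """\
Mar  3 08:00:01 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=51234 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 08:00:02 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54322 PROTO=TCP SPT=51235 DPT=2323 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 08:00:03 ipfire kernel: BLKLST_CIARMY IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.44 DST=203.0.113.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=UDP SPT=5060 DPT=5060 LEN=40
Mar  3 08:00:04 ipfire kernel: DROP_HOSTILE IN=green0 OUT=red0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.23 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=TCP SPT=49152 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 08:00:05 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.99 DST=203.0.113.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=9 PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 08:00:06 ipfire kernel: DROP_HOSTILE IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=84 TOS=0x00 PREC=0x00 TTL=240 ID=3 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

# Prefix, interfaces, addresses and protocol are always present; DPT only for TCP/UDP.
LINE_RE = re.compile(
    r"kernel: (?P<prefix>\S+) IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: .*?DPT=(?P<dpt>\d+))?"
)


def parse(line):
    """Return the interesting fields of one LOG line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    # Empty OUT= means the packet was for the firewall itself (INPUT chain): incoming.
    # Anything with an OUT interface is leaving the box (FORWARD/OUTPUT): outgoing.
    d["direction"] = "incoming" if d["out"] == "" else "outgoing"
    return d


def summarize(text):
    """Count hits per (prefix, direction), per source and per (proto, dport)."""
    by_prefix_direction = Counter()
    top_sources = Counter()
    top_ports = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        by_prefix_direction[(rec["prefix"], rec["direction"])] += 1
        top_sources[rec["src"]] += 1
        if rec["dpt"] is not None:
            top_ports[(rec["proto"], rec["dpt"])] += 1
    return {
        "by_prefix_direction": by_prefix_direction,
        "top_sources": top_sources,
        "top_ports": top_ports,
    }


def filter_noise(text, noisy_prefixes, noisy_direction="incoming"):
    """Keep every line except <noisy prefix> hits in <noisy direction>.

    Unparseable lines are kept on purpose so nothing disappears silently.
    """
    kept = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        if rec and rec["prefix"] in noisy_prefixes and rec["direction"] == noisy_direction:
            continue
        kept.append(line)
    return kept


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for key, n in s["by_prefix_direction"].most_common():
        print(f"{n:6d}  {key[0]:<14} {key[1]}")
    print("top sources:", s["top_sources"].most_common(3))
    print("top ports:  ", s["top_ports"].most_common(3))
    for line in filter_noise(SAMPLE_LOG, {"DROP_HOSTILE", "BLKLST_CIARMY"}):
        print("KEEP:", line[:80])
```

Run it against the real file instead of SAMPLE_LOG (for example by reading /var/log/messages) to get the per-day breakdown; the filter only helps with reading the log after the fact, the firewall still writes every line, so it does nothing for the storage-wear concern.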

Firewall options:

For BLKLST_CIARMY, uncheck "Log dropped packets"

on this WebGUI page:
https://ipfire.localdomain:444/cgi-bin/ipblocklist.cgi

For DROP_HOSTILE there is no way to disable it, but it is a good idea!

3 Likes

This surely suppressed BLKLST_CIARMY entries. :heart_eyes:

I am wondering if there is a practical difference between using:

  • IP Blocklist to block SPAMHAUS_DROP
    and

  • Firewall Options: Firewall options for RED interface
    Drop packets from and to hostile networks (listed at [Spamhaus DROP] etc.)

  • Location Block : XD Hostile networks safe to drop

1 Like

Yes.

Location Block XD is incoming only, but Spamhaus and others.

IP Blocklist is incoming only, with only Spamhaus.

Drop packets to and from hostile networks is incoming and outgoing, with Spamhaus and others.

See the wiki page

https://wiki.ipfire.org/configuration/firewall/options#drop-packets-from-and-to-hostile-networks

and this post from @pmueller

https://community.ipfire.org/t/drop-hostile-is-inaccurate/8699/3

There is of course overlap on these three options. Probably if you are using drop hostile you don't need IP Blocklist Spamhaus or Location Block XD, but that is my surmise, not checked or confirmed by looking at the lists used, although drop hostile and Location Block use the same list (XD).

If you turn off the logging of Dropped Input Packets then that should remove the drop hostile. You have to decide if logging input packets that are dropped anyway buys you anything useful from the info point of view, especially if you have that many attempts with drop hostile alone.

4 Likes

For me turning off Logging Dropped input packets (FW Options) DOESN’T remove drop hostile. As you can see above in my screenshots. It is weird but it doesn’t stop logging incoming packets.
If you think it supposed to I will open a bug report.

  • So IP Blocklist SPAMHAUS DROP is incoming only?
  • Location Block is incoming only as well.
  • At least IPS will be blocking outgoing packets.

Sorry, I missed that you already had logging for dropped input turned off.

I don’t know if the code was written with the intention of also turning off the drop hostile incoming. As that option was added later it might be separate from the other coding.

As quite a few people seem to be inundated with drop hostile messages it seems reasonable to add an option for dropping logging of drop hostile for incoming.

I would raise a bug on it but maybe put “improvement suggestion” into the title.

Yes, both of those are incoming only.

It will as long as the involved signature is a drop signature. Not all are. Some are just to provide info of suspicious traffic that might or might not be something to drop.

2 Likes

The IP Address Blocklist feature does drop outgoing packets.

2 Likes

Thanks @cbrown for that clarification. I was not aware of that. I based my comment on my belief without checking the code :crazy_face:

2 Likes

I see there is a 10/sec limit on logging of the HOSTILE_DROP as well as CIARMY_DROP tables. Could I modify the limit, for example to a 10/hour limit?


```
Chain HOSTILE_DROP (0 references)
target  prot opt in  out source     destination
LOG     all  --  *   *   0.0.0.0/0  0.0.0.0/0    limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "DROP_HOSTILE "
DROP    all  --  *   *   0.0.0.0/0  0.0.0.0/0    /* DROP_HOSTILE */
```
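The `limit: avg 10/sec burst 5` shown on the LOG rule is the iptables `limit` match (`-m limit --limit 10/sec --limit-burst 5`), which behaves as a token bucket: the bucket holds `burst` tokens, refills at the stated rate, and each packet that finds a token is logged while the rest fall straight through to the DROP rule. At 10-20k hostile packets per day the average is well under one per second, so a 10/sec limit almost never kicks in and practically everything gets logged. The block below is an added example, not IPFire code and not from the thread: it simulates that bucket (the kernel's xt_limit keeps its credit in jiffy-granular units, so real counts can differ by a few lines) and compares how many lines a day's worth of drops would produce under 10/sec, 10/min and 10/hour. Where IPFire builds these rules, and therefore where such a change would have to be made, is not shown in the thread and is not claimed here.

```python
from fractions import Fraction

# Rate helpers: tokens per second, kept as exact Fractions so the simulation
# is deterministic (1/3600 is not representable as a float).
PER_SEC = Fraction(1)
PER_MIN = Fraction(1, 60)
PER_HOUR = Fraction(1, 3600)


def limit_logged(arrivals, rate_per_sec, burst):
    """Number of arrivals that would match `-m limit --limit <rate> --limit-burst <burst>`.

    arrivals: packet timestamps in seconds, non-decreasing.
    Token bucket: capacity `burst`, refilled at `rate_per_sec` tokens per second.
    A packet matches (and is logged) only if a whole token is available.
    This mirrors the semantics of the kernel's limit match, not its exact
    fixed-point credit arithmetic (an approximation, stated as such).
    """
    cap = Fraction(burst)
    rate = Fraction(rate_per_sec)
    tokens = cap                  # bucket starts full, as in the kernel
    last = None
    logged = 0
    for t in arrivals:
        t = Fraction(t)
        if last is not None:
            tokens = min(cap, tokens + (t - last) * rate)
        last = t
        if tokens >= 1:
            tokens -= 1
            logged += 1
    return logged


def uniform_arrivals(count, seconds):
    """`count` arrivals spread evenly over `seconds` (a simple, constructed traffic model)."""
    return [Fraction(seconds) * i / count for i in range(count)]


def compare_limits(arrivals, burst=5):
    """Log lines produced by the same traffic under three limit settings."""
    return {
        "10/sec": limit_logged(arrivals, 10 * PER_SEC, burst),
        "10/min": limit_logged(arrivals, 10 * PER_MIN, burst),
        "10/hour": limit_logged(arrivals, 10 * PER_HOUR, burst),
    }


if __name__ == "__main__":
    day = 24 * 3600
    for pkts in (10_000, 20_000):
        result = compare_limits(uniform_arrivals(pkts, day))
        print(f"{pkts} dropped packets/day, evenly spread:")
        for setting, n in result.items():
            print(f"  --limit {setting:<8} --limit-burst 5  -> about {n} log lines")
    # A scan that arrives as one burst is cut down to the bucket size regardless of rate.
    print("20 packets in the same instant, 10/sec burst 5 ->",
          limit_logged([0] * 20, 10 * PER_SEC, 5), "log lines")
```

Note what the lower limit costs: with 10/hour the log stops telling you how many packets were dropped, only that drops kept happening, so the per-source counts a summary script would give you are lost. If the goal is only to protect the storage, rate-limiting the LOG rule is the smaller change; if the goal is to keep the information, keeping the lines but moving or compressing the log file is the alternative.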