Firewall Custom IP Blocklist Doesn't Block

Hi team,

I have trouble with IP Blocklist feature for Firewall Rules.
I created a new source that is fed from another sources.
I activated it but traffic wasn’t blocked by IPFire.

Based on this configuration, the packets that are coming from 2.2.2.2 should be blocked.

Thanks in advance.

Did I say something stupid :slight_smile: No one made any comment :slight_smile:

I know nothing about this.
The only thing I can say is that the format/indentation is not the same as the rest of the entries. Is that OK?

Hi Shaun,

Thank you for your answer. I am new to IPFire, so I thought that maybe it is a known issue.

I didn’t specify any format. There is a Perl script called ip_blocklist_function.pl in IPFire. It is automatically converting my list to that format. The original list is something like this:
1.1.1.1/32
2.2.2.2/32
192.168.1.0/24 etc.

Moses test block is indented differently.
That is the only thing I saw that looked off.

After selecting your list and pressing the Save button did you then go and press the Apply changes button on the Firewall rules page?


@bonnietwin Hi Adolf,

Yes, all changes are applied. In my firewall rules, I added allow rules for all ICMP traffic. I expected that the IP blocklist should run before the firewall rules, or that it should be at the top of all rules.

There is no visible section to see this.

You can find the firewall rules created in the WUI menu Firewall - iptables.

Select the drop down box under the top section iptables:

You should find the chain moses_test_block_DROP.

In the sources file the first name for a source is used for the Chain name with _DROP appended to it.

The standard approach is to put this name all in upper case. However the chain will still be created with the first part in lower case, so that should not affect its operation, I believe.
It just doesn’t look normal for a chain name to be mixed lower and upper case.

After selecting your ipblock chain name press the Update button and you will then be shown the iptables entries for that chain, including the packets and bytes that have matched that chain.

Here is an example for the DSHIELD ipblocklist

You have used 1M for the rate value. The usually used letters are d for days, h for hours and m for minutes.

However the code converts all those entries into upper case anyway, so your 1M will be taken as 1 minute.

If the intention was for 1 month then that will not work. You also cannot use 1 month by defining 4 weeks as the range is limited from 5 minutes to 1 week. Anything above 1 week is set at 1 week and anything less than 5 minutes is set to 5 minutes.

The code for downloading the file contents uses https and your URL is http. However, as the .conf file was created, this indicates that the code can also cope with the URL being http.

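To make the rules described in the reply above concrete (chain name = source key + `_DROP`, rate letters d/h/m upper-cased, refresh interval clamped to the 5 minute to 1 week window, and a plain one-entry-per-line list), here is an added Python model of that behaviour. It is an illustration written for this thread, not the Perl code from ipblocklist-functions.pl; the set of accepted unit letters, the handling of `#` comments and the private-range warning are assumptions of this example, and the sample list is constructed.

```python
"""Added example (not IPFire's own code): a small Python model of the
ipblocklist behaviour described in the thread, so a custom list can be
sanity-checked before it is handed to IPFire.  Assumptions are marked."""
import ipaddress
import re

# Limits quoted in the thread: anything below 5 minutes becomes 5 minutes,
# anything above 1 week becomes 1 week.
RATE_MIN_MINUTES = 5
RATE_MAX_MINUTES = 7 * 24 * 60

# Unit letters mentioned in the thread (d/h/m).  IPFire upper-cases the
# value, so "1m" and "1M" are both one minute.  ASSUMPTION: no other units.
UNIT_MINUTES = {"M": 1, "H": 60, "D": 24 * 60}


def normalise_rate(rate: str) -> int:
    """Return the effective refresh interval in minutes after clamping."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z])\s*", rate)
    if not m:
        raise ValueError(f"unrecognised rate value: {rate!r}")
    amount, unit = int(m.group(1)), m.group(2).upper()
    if unit not in UNIT_MINUTES:
        raise ValueError(f"unsupported unit {unit!r} in {rate!r} (use d, h or m)")
    minutes = amount * UNIT_MINUTES[unit]
    return max(RATE_MIN_MINUTES, min(RATE_MAX_MINUTES, minutes))


def chain_name(source_key: str) -> str:
    """Name of the iptables chain IPFire creates for a source key (key + _DROP)."""
    return f"{source_key}_DROP"


def parse_blocklist(text: str):
    """Parse a plain text list of IPs/CIDRs (one per line) into ip_network objects.

    Returns (networks, problems).  Comment and blank lines are skipped
    (this example's own convention); lines that are not valid IPv4/IPv6
    addresses or prefixes are reported rather than silently dropped, and
    private/loopback ranges are flagged because a blocklist entry for them
    would also drop legitimate internal traffic.
    """
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            problems.append(f"line {lineno}: not an IP or CIDR: {line!r}")
            continue
        if net.is_private or net.is_loopback:
            problems.append(f"line {lineno}: {net} is a private/loopback range")
        networks.append(net)
    return networks, problems


# Constructed sample list in the same shape as the one posted in the thread,
# plus one deliberately bad line to show the error reporting.
SAMPLE_LIST = """\
1.1.1.1/32
2.2.2.2/32
192.168.1.0/24
not-an-ip
"""

if __name__ == "__main__":
    nets, problems = parse_blocklist(SAMPLE_LIST)
    print("chain:", chain_name("MOSES_TEST_BLOCK"))
    print("rate 1M ->", normalise_rate("1M"), "minutes")
    for n in nets:
        print("block", n)
    for p in problems:
        print("warning:", p)
```

Running it shows that `1M` ends up as a 5 minute interval, that `30d` is cut back to one week, and that the 192.168.1.0/24 entry is accepted but flagged, which is worth knowing before a test list is pointed at a production firewall.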

Hi Adolf,

Thank you for your detailed answer.
I am aware of the 1M value. I want to see the result as soon as possible. The lowest value is 1M.

I changed the blocklist name to all uppercase. The config file was successfully generated again.

I checked the IPTABLES section but there are no IP addresses that are in that block list.

This is my blocklist file that is on another server. I suspected the format, but it seems IPFire successfully parses the file, and it can be reached via http.

I couldn’t find the reason :/.

If the iptables entry is present but there are no packets going over that chain when you have sent those packets from one of those IPs, then the likelihood is that the packets are getting dropped by some other chain for some other reason. Maybe they are getting flagged by the IPS. If you have that turned on, then try disabling it.

How are you getting packets sent from 2.2.2.2, is that an IP that you have control over?

Maybe you could explain how you are carrying out your test.

The lowest value is 5 minutes. The code checks if the rate is less than 5 minutes and if it is then it sets it to 5 minutes.

https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/cfgroot/ipblocklist-functions.pl;h=b2d0a1a49eed075193d311931138a9292ab33dc7;hb=refs/heads/next#l373

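The troubleshooting logic in the reply above (chain present but zero packet counters means the traffic was dropped earlier, or never reached IPFire) can be turned into a small check. The following is an added example, not code from the thread or from IPFire: it parses the output of `iptables -vnL <chain>` and returns a verdict. The two sample outputs are constructed; the exact columns IPFire's generated chain shows are an assumption of the example.

```python
"""Added example (not IPFire code): read the packet counters of a blocklist
chain from `iptables -vnL <chain>` output and say where to look next,
following the troubleshooting logic given in the thread."""
import re

# Constructed output in the layout `iptables -vnL MOSES_TEST_BLOCK_DROP` prints;
# the rule columns are an assumption about how IPFire renders the chain.
SAMPLE_NO_HITS = """\
Chain MOSES_TEST_BLOCK_DROP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       1.1.1.1              0.0.0.0/0
    0     0 DROP       all  --  *      *       2.2.2.2              0.0.0.0/0
"""

SAMPLE_WITH_HITS = """\
Chain MOSES_TEST_BLOCK_DROP (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       1.1.1.1              0.0.0.0/0
   12   960 DROP       all  --  *      *       2.2.2.2              0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((\d+) references\)")
# pkts bytes target prot opt in out source destination
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s+(\S+)\s+(\S+)")


def parse_chain(output: str):
    """Return (chain, references, rules); each rule is a dict of the
    pkts/bytes/target/prot/source/destination columns."""
    chain, references, rules = None, 0, []
    for line in output.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain, references = m.group(1), int(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({
                "pkts": int(m.group(1)),
                "bytes": int(m.group(2)),
                "target": m.group(3),
                "prot": m.group(4),
                "source": m.group(5),
                "destination": m.group(6),
            })
    return chain, references, rules


def diagnose(output: str, expected_chain: str) -> str:
    """Classify what the counters say, using the reasoning from the thread."""
    chain, references, rules = parse_chain(output)
    if chain != expected_chain:
        return "chain-missing"       # blocklist never loaded or not applied
    if references == 0:
        return "chain-unreferenced"  # chain exists but nothing jumps into it
    if not rules:
        return "chain-empty"         # list parsed to zero entries
    if sum(r["pkts"] for r in rules) == 0:
        # Traffic never reached this chain: dropped earlier (for example by
        # the IPS) or not routed through IPFire at all.
        return "no-hits"
    return "hits"


if __name__ == "__main__":
    for label, sample in (("no hits", SAMPLE_NO_HITS), ("hits", SAMPLE_WITH_HITS)):
        print(label, "->", diagnose(sample, "MOSES_TEST_BLOCK_DROP"))
```

A `no-hits` verdict is the situation in this thread: the chain is in place, so the next places to look are the chains evaluated before it (the IPS, if enabled) and whether the test traffic actually traverses IPFire.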

I note that in the last screenshot in your first post you are showing logs from some machine that is not IPFire but has two network connections, ens160 and ens256. Are these bridged together on that system, or do those two interfaces deal with different subnets?

If the latter then it looks like you have another machine besides IPFire carrying out routing between subnets.

Are you sure that your testing is actually going through IPFire?

Could you provide a diagram of your network so we can better understand the layout?
