Firewall Rules Location Filter - Log entries explanation

Hello everyone

I may have a comprehension problem with the logs.

I run a Nextcloud behind my IPFire and have ports 443/80 redirected to it. I can't use the location filter as such, because otherwise Let's Encrypt cannot update the certificate, and so I have location groups in use. By default only IP addresses from Germany are allowed to access ports 443/80.

But in the logs I see the following entries, and just the one IP from Switzerland is massively present.

My question:
Do the entries mean that the requests from, e.g., the IP from Switzerland are rejected, or do they go through to Nextcloud, which should not be the case?

How can I manually block one or more external IP addresses on IPFire so that they are not allowed to connect?

My rules:


Try reversing rule 1 and 2

Do you think I should change the order of the two rules?
As I said, the one rule allows access for all IP addresses on Friday night, because the Let's Encrypt servers can be anywhere. The other rule, which should be mainly active, should only allow access from DE.
The location groups are also set up accordingly.

The logs show all firewall rules hit with the log attribute set.
Whether this means a deny or allow depends.

We can discuss an extension of the firewall software in IPFire. It may be possible to append the behaviour of the rule to the label. For example FORWARDFW → FORWARDFW_ALLOW.

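To illustrate the point made above, here is a small log classifier, added here as an example and not code from IPFire or from anyone in this thread. It works on constructed lines in the generic netfilter LOG-target format (the prefix is the rule label); a bare label such as FORWARDFW only proves that a rule with logging enabled matched, whereas the action-suffixed labels (FORWARDFW_ALLOW, FORWARDFW_DROP) are the hypothetical convention proposed in the thread and are the only ones from which a verdict can be read.

```python
import re
from collections import Counter

# Constructed sample lines (not taken from the thread). The word after
# "kernel:" is the rule label set via the LOG target's --log-prefix.
SAMPLE_LOG = """\
Jan 12 03:14:07 ipfire kernel: FORWARDFW IN=red0 OUT=green0 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=51234 DPT=443
Jan 12 03:14:09 ipfire kernel: FORWARDFW IN=red0 OUT=green0 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=51235 DPT=443
Jan 12 03:14:11 ipfire kernel: FORWARDFW IN=red0 OUT=green0 SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=40001 DPT=80
Jan 12 03:15:02 ipfire kernel: FORWARDFW_ALLOW IN=red0 OUT=green0 SRC=198.51.100.7 DST=192.168.1.10 PROTO=TCP SPT=40002 DPT=443
Jan 12 03:15:05 ipfire kernel: FORWARDFW_DROP IN=red0 OUT=green0 SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=51236 DPT=443
"""

# Pull the label, the source address and the destination port out of a line.
LINE_RE = re.compile(
    r"kernel: (?P<prefix>\S+) .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def verdict_from_prefix(prefix):
    """Derive the verdict from the label.

    Only the hypothetical action-suffixed labels carry a verdict; a plain
    label like FORWARDFW tells you the rule matched and nothing more.
    """
    if prefix.endswith("_ALLOW"):
        return "allow"
    if prefix.endswith("_DROP") or prefix.endswith("_REJECT"):
        return "deny"
    return "unknown"


def summarise(log_text):
    """Count hits per (source IP, destination port, verdict)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a netfilter LOG line
        key = (m["src"], m["dpt"], verdict_from_prefix(m["prefix"]))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (src, dpt, verdict), n in sorted(summarise(SAMPLE_LOG).items()):
        print(f"{src:>14}  port {dpt:>3}  {verdict:<8} {n} hit(s)")
```

Run against the sample, the three plain FORWARDFW lines come out as "unknown", which is exactly the ambiguity the original poster ran into; only the suffixed lines resolve to allow or deny.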

They are all from the same mac address.

Yes, I have also noticed that with the MAC address, and also that the MAC address is recorded once with another IP from China.

Time to put that one on the block list. Lol.

The MAC address belongs to my Fritzbox and is the gateway.

Client → ipfire → FritzBox → Internet

Hello Bernhard,

Does that mean that my rules work, but I currently can't see whether the access is blocked/dropped?
Is the order of my rules now correct, given that with the first rule I allow all accesses worldwide only for a short time (Let's Encrypt)? The second rule should block all regions except Germany the rest of the time.

If I temporarily include DE in the location group that is to be blocked, then I can no longer access it from outside, so my rules seem to work.

“We can discuss an extension of the firewall software in IPFire. It may be possible to append the behaviour of the rule to the label. For example FORWARDFW → FORWARDFW_ALLOW”

I personally would find another label for rejected requests and legitimate redirects very beneficial, especially for people like me :smile:

Are there any ideas on how to block IP addresses on IPFire, i.e. to external and from external to internal? There is now the “IP address blocklist”, but it is currently only fed from external sources. I would find it advantageous if something like this could also be fed by the admin himself.

I have a similar problem. There is no other meaningful way to implement it, apart from renewing the certificate manually every 2.X months, deactivating the country filter for that moment and then reactivating it. Better than deactivating the country filter in general.