I run a Nextcloud behind my IPFire and have ports 443/80 redirected to it. The location filter I cannot use, because otherwise Let's Encrypt cannot update the certificate, and thus I have location groups in use. By default only IP addresses from Germany are allowed to access the ports 443/80.
But in the logs I see the following entries and just the one IP from Switzerland is massively present.
My question:
Do the entries mean that the requests for e.g. the IP from Switzerland are rejected or do they go through to Nextcloud which should not be the case?
How can I manually block one or more external IP addresses on IPFire so that they are not allowed to connect?
Do you think I should change the order of the two rules?
As I said, the one rule allows access for all IP addresses on Friday night because the Let's Encrypt servers can be anywhere. The other rule, which should be mainly active, should only allow access from DE.
The location groups are also set up accordingly.
The logs show all firewall rules hit with the log attribute set.
Whether this means a deny or allow depends.
We can discuss an extension of the firewall software in IPFire. It may be possible to append the behaviour of the rule to the label. For example FORWARDFW → FORWARDFW_ALLOW.
Does that mean that my rules work but I currently can’t see if the access is blocked/dropped?
Is the order of my rules now correct? With the first rule I allow all accesses worldwide only for a short time (Let's Encrypt). The second rule should block all regions except Germany most of the time.
Update:
If I temporarily include DE in the location group that is to be blocked, then I can no longer access it from outside, so my rules seem to work.
Quote:
“We can discuss an extension of the firewall software in IPFIre. It may be possible to append the behaviour of the rule to the label. For example FORWARDFW → FORWARDFW_ALLOW”
Another label for rejected requests and legitimate redirects I personally would find very beneficial, especially for people like me.
Are there any ideas how to block IP addresses on IPFire, i.e. to external and from external to internal? There is now the “IP address blocklist”, but it is currently only fed from external sources. I would find it advantageous if something like this could also be fed by the admin himself.
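Two things in this thread can be checked offline: what the FORWARDFW log lines do and do not tell you (today the label names only the chain, so the verdict is unknown unless a suffix such as FORWARDFW_ALLOW is added, as proposed above), and how first-match rule ordering decides whether a time-limited allow-all rule for Let's Encrypt is reached before a country-based drop rule. The Python below is an added example, not IPFire code or any poster's configuration: the log lines, the prefix-to-country table (a stand-in for IPFire's location database, using documentation prefixes), the hypothetical FORWARDFW_DROP label, the three rules and the Friday 02:00-04:00 window are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed netfilter-style log lines in the shape IPFire's kernel logging
# produces; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Jan 12 22:10:01 ipfire kernel: FORWARDFW IN=red0 OUT=green0 SRC=198.51.100.23 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=51234 DPT=443 SYN
Jan 12 22:10:02 ipfire kernel: FORWARDFW IN=red0 OUT=green0 SRC=198.51.100.23 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=51235 DPT=443 SYN
Jan 12 22:10:09 ipfire kernel: FORWARDFW IN=red0 OUT=green0 SRC=198.51.100.23 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=51236 DPT=443 SYN
Jan 12 22:11:00 ipfire kernel: FORWARDFW IN=red0 OUT=green0 SRC=192.0.2.55 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=40000 DPT=80 SYN
Jan 12 22:12:30 ipfire kernel: FORWARDFW_DROP IN=red0 OUT=green0 SRC=203.0.113.7 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=44444 DPT=443 SYN
Jan 12 22:13:00 ipfire sshd[1234]: Accepted publickey for root from 192.168.1.5
"""


def parse_log_line(line):
    """Return a dict for one netfilter log line, or None for unrelated lines."""
    m = re.search(r"kernel: (?P<label>\S+) (?P<fields>.*)$", line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("fields")))
    label = m.group("label")
    # A plain FORWARDFW label carries no verdict; a suffixed label such as the
    # proposed FORWARDFW_ALLOW (or the hypothetical FORWARDFW_DROP above) does.
    chain, _, verdict = label.partition("_")
    return {
        "chain": chain,
        "verdict": verdict or "unknown",
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
    }


def summarize(log_text):
    """Count FORWARDFW hits per (source IP, destination port, verdict)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["chain"] == "FORWARDFW":
            counts[(rec["src"], rec["dpt"], rec["verdict"])] += 1
    return counts


# Constructed stand-in for the location database: prefix -> country code.
GEO = {
    ipaddress.ip_network("192.0.2.0/24"): "DE",
    ipaddress.ip_network("198.51.100.0/24"): "CH",
    ipaddress.ip_network("203.0.113.0/24"): "US",
}


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((cc for net, cc in GEO.items() if addr in net), "??")


# Assumed rules: a scheduled allow-all for Let's Encrypt (Friday 02:00-04:00,
# weekday 4), an allow for DE sources, and a drop for every non-DE source.
RULE_LE_WINDOW = {"ports": {80, 443}, "countries": None, "negate": False,
                  "window": (4, 2, 4), "action": "ACCEPT"}
RULE_DE = {"ports": {80, 443}, "countries": {"DE"}, "negate": False,
           "window": None, "action": "ACCEPT"}
RULE_NOT_DE = {"ports": {80, 443}, "countries": {"DE"}, "negate": True,
               "window": None, "action": "DROP"}

ORDER_WINDOW_FIRST = [RULE_LE_WINDOW, RULE_DE, RULE_NOT_DE]
ORDER_DROP_FIRST = [RULE_NOT_DE, RULE_LE_WINDOW, RULE_DE]


def first_match(rules, src, dpt, when):
    """Return the verdict of the first matching rule; unmatched forwarded
    traffic falls through to the default DROP."""
    cc = country_of(src)
    for rule in rules:
        if dpt not in rule["ports"]:
            continue
        if rule["countries"] is not None and (cc in rule["countries"]) == rule["negate"]:
            continue
        if rule["window"] is not None:
            day, start, end = rule["window"]
            if not (when.weekday() == day and start <= when.hour < end):
                continue
        return rule["action"]
    return "DROP"


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  src={key[0]:<15} dpt={key[1]}  verdict={key[2]}")
    in_window = datetime(2024, 1, 12, 3, 0)   # a Friday, 03:00
    for name, order in (("window first", ORDER_WINDOW_FIRST), ("drop first", ORDER_DROP_FIRST)):
        print(name, "-> CH source in the LE window:", first_match(order, "198.51.100.23", 443, in_window))
```

The summary shows why the thread asks for a verdict in the label: the three hits from the Swiss source are counted, but their verdict stays "unknown" unless the rule's log prefix says more than FORWARDFW. The rule walk shows why the order matters when the country rule is a drop rather than an allow: with the drop rule first, a non-DE Let's Encrypt validator is dropped even inside the scheduled window, whereas with the scheduled allow first it is accepted in the window and dropped outside it.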
I have a similar problem. There is no other meaningful way to implement it, apart from renewing the certificate manually every 2.X months and deactivating the country filter for this moment and then reactivating it. Better than generally deactivating the country filter.