Geo blocking & IPS

I’m curious…

Just say I block incoming traffic from all locations / countries (I’m on core 148 and therefore using new libloc) - does it therefore become pointless to also have Intrusion Prevention features enabled?

Regards,

Hi,

No, since an IPS provides more insight into network connections than a packet filter can. For example, outgoing connections might be initiated by malware for C&C communication, port scanning, or sending spam.

When it comes to web-based traffic, you might want to know about anomalies such as TLS traffic anomalies, browser exploits, and various other malicious activities.

An IPS extends the functionality of IPFire. It cannot replace a good firewall ruleset, and vice versa.

Thanks, and best regards,
Peter Müller

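To make the point of the reply above concrete: an inbound country block only ever looks at new connections arriving from the internet, so outbound connections and the established return traffic of a browsing session never touch it, while an IPS inspects both. The following is an added illustration, not code from IPFire or from anyone in this thread. It models a simplified packet path (Location Block first, then a few IPS-style rules, the order the IPFire wiki gives) over constructed flow records; the country codes, the signature contents, the scan threshold and every address are assumptions made for the example, and the rules are far cruder than real Suricata signatures.

```python
"""Why an inbound country block does not make an IPS redundant (added example).

Models a simplified packet path: an inbound-only Location Block, then a small
set of IPS-style rules. Country codes, rule contents and flow records are all
constructed for illustration; nothing here is IPFire's own code.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection as the firewall sees it (constructed record format)."""
    direction: str       # "in" (internet -> firewall) or "out" (LAN -> internet)
    state: str           # "new" or "established"
    src_ip: str
    src_country: str     # two-letter code; "HOME" marks the local network
    dst_ip: str
    dst_port: int
    payload: bytes = b""


# Assumption: the operator blocked every country, so the only allowed
# source for NEW inbound connections is the local network itself.
ALLOWED_INBOUND_COUNTRIES = {"HOME"}


def location_block_drops(flow: Flow) -> bool:
    """Model of the Location Block: it examines NEW inbound connections only and
    drops those whose source country is not allowed. Outbound connections and
    established (return) traffic never reach this check (model assumption)."""
    return (flow.direction == "in"
            and flow.state == "new"
            and flow.src_country not in ALLOWED_INBOUND_COUNTRIES)


# Constructed, deliberately simple IPS-style signatures.
C2_PORTS = {6667}                  # outbound IRC: classic botnet C&C channel
SPAM_PORTS = {25}                  # client hosts normally never speak SMTP directly
EXPLOIT_MARKER = b"%u9090%u9090"   # NOP-sled-style pattern inside a web response
SCAN_PORT_THRESHOLD = 5            # distinct destination ports from one LAN host


def ips_alerts(flows):
    """Return (flow, reason) pairs for flows that match one of the signatures."""
    alerts = []
    ports_per_src = defaultdict(set)
    for f in flows:
        if f.direction == "out" and f.dst_port in C2_PORTS:
            alerts.append((f, "outbound IRC, possible C&C"))
        if f.direction == "out" and f.dst_port in SPAM_PORTS:
            alerts.append((f, "outbound SMTP from client, possible spam bot"))
        if f.direction == "out":
            ports_per_src[f.src_ip].add(f.dst_port)
            if len(ports_per_src[f.src_ip]) == SCAN_PORT_THRESHOLD:
                alerts.append((f, "outbound port scan"))
        if (f.direction == "in" and f.state == "established"
                and EXPLOIT_MARKER in f.payload):
            alerts.append((f, "browser exploit pattern in established response"))
    return alerts


def run_chain(flows):
    """Location Block first, then the IPS on whatever survived it."""
    dropped = [f for f in flows if location_block_drops(f)]
    reached_ips = [f for f in flows if not location_block_drops(f)]
    return {"location_dropped": dropped, "ips_alerts": ips_alerts(reached_ips)}


def summarize(flows):
    res = run_chain(flows)
    return {"location_dropped": len(res["location_dropped"]),
            "ips_alerts": len(res["ips_alerts"])}


LAN_CLIENT = "10.0.0.23"     # constructed addresses (RFC 5737 ranges for the internet side)
LAN_SCANNER = "10.0.0.42"
SAMPLE_FLOWS = [
    # inbound SSH attempt from a blocked country: only the Location Block sees it
    Flow("in", "new", "203.0.113.5", "XX", "198.51.100.1", 22),
    # LAN client connects to an IRC server abroad: passes the country block, IPS C&C rule fires
    Flow("out", "new", LAN_CLIENT, "HOME", "203.0.113.9", 6667),
    # LAN client delivers mail directly: passes the country block, IPS spam rule fires
    Flow("out", "new", LAN_CLIENT, "HOME", "203.0.113.10", 25),
    # another LAN host probes five ports on one target: IPS scan rule fires on the fifth
    *[Flow("out", "new", LAN_SCANNER, "HOME", "203.0.113.11", p) for p in (21, 23, 80, 443, 8080)],
    # return traffic of a browsing session carries an exploit pattern; it is
    # established, so the country block never examines it, but the IPS does
    Flow("in", "established", "203.0.113.12", "XX", LAN_CLIENT, 51234, b"<script>%u9090%u9090"),
]

if __name__ == "__main__":
    result = run_chain(SAMPLE_FLOWS)
    for f in result["location_dropped"]:
        print("Location Block dropped:", f.src_ip, "->", f.dst_port)
    for f, reason in result["ips_alerts"]:
        print("IPS alert:", reason, "|", f.src_ip, "->", f.dst_ip, f.dst_port)
```

Running it, the country block catches exactly one flow (the inbound SSH attempt), while the four remaining events, all outbound or established, only show up as IPS alerts; with the block list alone none of them would have been noticed.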

@pmueller

Had totally overlooked other traffic such as outbound connections and stateful responses to web browsing.

Thanks for taking time to respond and fill in some missing blanks for me.

R

Hi,

Am I correct in saying that the IPS is in front of the GEO rules anyhow?

i.e.

Internet–IPS—GEO-RULES–FW RULES–green/dmz etc…

Reason I ask is that I am seeing IPS hits even though those countries are blocked.

The wiki states:

Packets are being passed through the IPS before they are being sent to the firewall engine. However, the Location Block is working in front of the IPS. If a packet is considered malicious it will be dropped by the IPS.

This tends to suggest that GEO comes before IPS.
i.e.

Internet–GEO-RULES—IPS—FW RULES–green/dmz etc…

If it's the former, the wiki is incorrect, and if the latter, why would I be seeing IPs that Location says are not to be passed?
I have the logs to show this.

Does the IPS block regardless of any other rules, i.e. override all other rules?

If it is incorrect shall I change the wiki?

Thanks
BR
Joe.


This might help. See the firewall chain diagram at the bottom of the page.
