Hostile networks - country code XD now redundant?

Hi,
Now that 2.25 CU 164 onwards has an option to drop hostile networks in Firewall > Firewall Options, is it redundant to have Country Code XD in Firewall > Location Block?

(Maybe they are independently maintained data sources in firewall?).

Hi,

yes.

The XD country code is still used in the background for the “drop hostile” feature, but since it takes precedence before the location block, there is no need to have XD ticked in the location block as well.

Thanks, and best regards,
Peter Müller

Other question: If enabling the option for hostile networks in firewall options, I see many new firewall logs appearing.

Will I get rid of those logs when disabling the firewall option again and using the location block for country XD instead? Are those settings absolutely identical in the end?

Hi,

not really, as the location block only works on incoming connections, not outgoing ones. You will need to create a firewall rule dropping any traffic to country code XD in addition, so outgoing traffic to such destinations will be blocked as well.

Thanks, and best regards,
Peter Müller


Hi @pmueller

On a related note, how and when is the XD / Hostile hosts/networks data updated on IPFire boxes?

-Charles

Aha, I got it …

/var/lib/location/XDv4.ipset

along with the location database items


Hi,

yes, this information is shipped with the location database. You can also get the raw list via:

location list-networks-by-flags --drop

Thanks, and best regards,
Peter Müller


OK, so the XD country code is for incoming and, further, my understanding now is that enabling the new firewall option for hostile networks is used for outgoing traffic, correct?

So no need for a dedicated and manually set up firewall rule?

Edit: Just noticed, the firewall option reads:

Drop packets from and to hostile networks

Doesn’t that mean that, when enabled, this blocks incoming and outgoing traffic to hostile hosts?

Actually it's /var/lib/location/ipset/XDv4.ipset :upside_down_face:
