I have a question/problem regarding the firewall log files. Since the update from version 2.21 to 2.23 I have entries of the INPUTFW chain in my firewall log files.
Today I updated IPFire from core 136 to core 138 and it seems that the INPUTFW chain is getting logged even more. In version 2.21 I had no entries like this at all and I didn't change the firewall options or the rule set itself.
Is it possible that this leads to the INPUTFW entries in the log files? The INPUTFW is just logged with ports 53 and 137 - so DNS, right?
I already added both DNS servers to the exception list in the IPS but it is not working - the DNS servers are still logged by the IPS.
If this is true it would explain why this problem first occurred after the update from 2.21 (where I was using the IDS) to 2.23.
If this could be the explanation - how can I make sure the IPS no longer detects the DNS servers?
For your information: I am using the "Emergingthreats.net community" rule set.
In this case these are DNS queries from a host on your GREEN network to a DNS server somewhere on the Internet. You seem to have a firewall rule that is supposed to block this.
This depends on the ruleset you have configured for Suricata. The vendor of that seems to consider the “cloud” TLD suspicious.
You can find that rule and disable it. But I would only do that if I had problems accessing something I wanted to.
Shouldn't it be a DROP_INPUT entry in the log file in this case?
In this case these are DNS queries from a host on your GREEN network to a DNS server somewhere on the Internet. You seem to have a firewall rule that is supposed to block this.
What I don't understand is that I never changed anything in the rule set itself - not before the update from 2.21 to 2.23. After this update the problem started.
The internet connection itself has no problems. All hosts in the GREEN network can reach RED without any restrictions.
Hi Hellfire, thank you!
I unchecked the logging for this rule - but then I have no log files at all from GREEN. But I am interested in the FORWARDFW chain of the single clients in GREEN.
The first one is in the FORWARD chain for traffic passing through and the other one is going to the INPUT chain for packets being sent to the firewall. Because the firewall is part of 'all'.
Do you maybe know if there was a change in iptables that would explain why this occurred for the first time after the update from version 2.21 to 2.23?
And for the other question:
I just have the two interfaces GREEN and RED. Would it be the solution of my problem if I change:
source: GREEN - target: ALL
to
source: GREEN - target: RED?
Hello everyone,
I just wanted to ask if someone has an idea how to solve this problem, because it's really annoying due to the fact that the log files are very difficult to evaluate.
After checking old backup files from versions 2.19 and 2.21 I am pretty sure that this problem started with the upgrade to version 2.23 because the ruleset didn't change since 2.21.
Good morning everyone,
I hope you’re all doing well!
I just wanted to give an update on this topic - because I still have the problem that the INPUTFW gets logged.
I tried a change in the ruleset in the following way:
source: a single host from GREEN - target: RED - allow all protocols
I activated the logging of this rule and deactivated the logging of the rule
source: GREEN - target: RED - allow all protocols
As expected, only the single host was logged by the firewall, but again not just in the FORWARDFW but in the INPUTFW as well.
I thought this could be the solution because the firewall itself is not part of the source anymore and would not log itself.
Do I have a general misunderstanding here and/or does someone have another idea to solve this?
Thanks a lot in advance!
Kind regards,
Andreas
Edited: Is it possible to have an additional logging rule after the "main rule" source: GREEN (or the single client) - target: RED?
If yes - how should this look?
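As an added example (not code from the thread or from the IPFire project), the script below separates firewall log lines by their chain prefix (FORWARDFW, INPUTFW and DROP_INPUT, the prefixes mentioned above) and summarises source host, protocol and destination port per chain, which is the evaluation the thread says is hard to do by eye. The log lines inside it are constructed: they follow the standard netfilter LOG field layout that the kernel writes to syslog, with a made-up hostname, addresses and ports. The test that tells INPUT traffic apart from FORWARD traffic is the one from the explanation above, namely that a packet addressed to the firewall itself has no OUT interface.

```python
"""Split IPFire-style firewall log lines by chain and summarise them.

Added example, not part of the original thread. The sample lines are
constructed for illustration (netfilter LOG layout, fictional addresses).
"""
import re
from collections import Counter

# Constructed sample log (not a real capture). The prefix after "kernel:"
# is the chain/rule name IPFire uses as the LOG prefix; the rest is the
# standard netfilter key=value layout. INPUT-chain lines have "OUT=" empty.
SAMPLE_LOG = """\
Jan 10 08:00:01 ipfire kernel: FORWARDFW IN=green0 OUT=red0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.10.20 DST=203.0.113.53 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=50123 DPT=53 LEN=40
Jan 10 08:00:01 ipfire kernel: INPUTFW IN=green0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.10.20 DST=192.168.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP SPT=50124 DPT=53 LEN=40
Jan 10 08:00:02 ipfire kernel: INPUTFW IN=green0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.10.21 DST=192.168.10.1 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=3 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 10 08:00:03 ipfire kernel: FORWARDFW IN=green0 OUT=red0 MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.10.21 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 10 08:00:04 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:dd:08:00 SRC=198.51.100.9 DST=203.0.113.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=5 PROTO=TCP SPT=44444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# Chain name is the first token after "kernel:"; everything after it is
# the netfilter field list.
LINE_RE = re.compile(r"kernel:\s+(?P<chain>[A-Z_]+)\s+(?P<rest>.*)$")
# key=value pairs; flag-only tokens such as DF or SYN carry no "=" and are
# deliberately skipped.
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict with the chain name plus all key=value fields, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    return {"chain": m.group("chain"), **fields}


def parse_log(text):
    """Parse every line of a syslog excerpt, dropping lines that do not match."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def split_by_chain(entries):
    """Group parsed entries by their chain/rule prefix (FORWARDFW, INPUTFW, ...)."""
    by_chain = {}
    for e in entries:
        by_chain.setdefault(e["chain"], []).append(e)
    return by_chain


def is_traffic_to_firewall(entry):
    """INPUT-chain packets are addressed to the firewall itself, so OUT is empty."""
    return entry.get("OUT", "") == ""


def summarize(entries, chain):
    """Count (SRC, PROTO, DPT) triples for one chain, e.g. to spot DNS to the firewall."""
    return Counter(
        (e.get("SRC"), e.get("PROTO"), e.get("DPT"))
        for e in entries
        if e["chain"] == chain
    )


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for chain, items in sorted(split_by_chain(parsed).items()):
        print(f"{chain}: {len(items)} entries, "
              f"to firewall={all(is_traffic_to_firewall(e) for e in items)}")
        for key, n in summarize(parsed, chain).most_common():
            print(f"  src={key[0]} proto={key[1]} dpt={key[2]} count={n}")
```

Point the script at an excerpt of /var/log/messages instead of SAMPLE_LOG to see which GREEN hosts generate the INPUTFW lines and on which ports; the FORWARDFW summary is the per-client view the thread asks for, kept separate from the traffic that hits the firewall itself.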