INPUTFW in the firewall logs

Dear all,

I have a question/problem regarding the firewall log files. Since the update from version 2.21 to 2.23 I have had entries of the INPUTFW chain in my firewall log files.

from the log files…

In general: Is this supposed to be like this?

Today I updated the IPFire from core 136 to core 138, and it seems that the INPUTFW chain is getting logged even more. In version 2.21 I had no entries like this at all, and I didn't change the firewall options or the rule set itself.

Thanks in advance,
kind regards

Hello everyone - it's me again

I just noticed that my DNS servers (xxx.xxx.xxx.220 and xxx.xxx.xxx.203) cause a log entry in the IPS.

Is it possible that this leads to the INPUTFW entries in the log files? The INPUTFW is only logged with port 53 and 137 - so DNS, right?

I already added both DNS servers to the exception list in the IPS, but it is not working - the DNS servers are still logged by the IPS.
If this is true, it would explain why this problem first occurred after the update from 2.21 (where I was using the IDS) to 2.23.

If this could be the explanation - how can I configure the IPS so that it no longer detects the DNS servers?

For your information: I am using the “Emergingthreats.net community” rule set.

Thanks in advance!
Kind regards

Yes. This is the firewall blocking packets.

In this case DNS queries from a host on your GREEN network to a DNS server somewhere on the Internet. You seem to have a firewall rule that is supposed to block this.

This depends on the ruleset you have configured for Suricata. The vendor of that seems to consider the “cloud” TLD suspicious.

You can find that rule and disable it. But I would only do that if I have problems accessing something I want to.

Hello Michael, thanks for your reply!

Yes. This is the firewall blocking packets.

Shouldn’t it be a DROP_INPUT entry in the log file in this case?

In this case DNS queries from a host on your GREEN network to a DNS server somewhere on the Internet. You seem to have a firewall rule that is supposed to block this.

What I don't understand is that I never changed anything in the rule set itself before the update from 2.21 to 2.23. After this update the problem started.
The internet connection itself has no problems. All hosts in the GREEN network can reach RED without any restrictions.

DROP_INPUT would be the default rule. INPUTFW is a custom rule.

Hello Michael,
thanks again for your reply

DROP_INPUT would be the default rule. INPUTFW is a custom rule.

Okay, thank you. I “inherited” the rule set from my predecessor. The only firewall rule that has logging activated is:

The standard behavior of the firewall is: FORWARD is blocked - OUTGOING is allowed.

Rules 1-10 are several rules that block several hosts and IPs.

Could this rule be the reason for the logging of the INPUTFW chain?

Guess you can try this yourself! I see an active checkbox after “Grün” in the hardcopy above; this is the option for logging those rules.

If you disable this option and click “Apply” on top of the screen, I bet most of those undesired logs disappear.

Michael

Hi Hellfire, thank you!
I unchecked the logging for this rule, but then I have no log files at all from GREEN. But I am interested in the FORWARDFW chain of the single clients in GREEN.

That rule actually generates two iptables rules.

The first one is in the FORWARD chain for traffic passing through, and the other one goes into the INPUT chain for packets being sent to the firewall, because the firewall is part of ‘all’.

That is why you see two different tag lines.

Is that what felt confusing?
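To make the two tag lines easier to tell apart when going through the log, here is a small parser added as an example (not code from IPFire or from anyone in this thread): it groups entries by chain tag and destination port and lists the INPUTFW hits whose destination is the firewall's own GREEN address or the GREEN broadcast, i.e. the packets that land in the INPUT chain instead of FORWARD. The log lines, the addresses and the firewall address 192.168.10.1 are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape of iptables kernel logging with the
# chain tag as log prefix. Timestamps and addresses are made up for this example.
SAMPLE_LOG = """\
Jan  2 09:15:01 ipfire kernel: FORWARDFW IN=green0 OUT=red0 MAC=... SRC=192.168.10.23 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=51522 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan  2 09:15:02 ipfire kernel: INPUTFW IN=green0 OUT= MAC=... SRC=192.168.10.23 DST=192.168.10.1 LEN=73 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=UDP SPT=53214 DPT=53 LEN=53
Jan  2 09:15:02 ipfire kernel: INPUTFW IN=green0 OUT= MAC=... SRC=192.168.10.42 DST=192.168.10.255 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=8 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan  2 09:15:03 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=... SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=TCP SPT=40000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
"""

# The chain tag follows "kernel:"; everything after it is KEY=VALUE tokens.
LINE_RE = re.compile(r"kernel: (?P<chain>[A-Z_]+) (?P<fields>.*)$")

def parse_line(line):
    """Return {'chain': ..., 'IN': ..., 'SRC': ..., ...} or None for non-firewall lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    entry = {"chain": m.group("chain")}
    for token in m.group("fields").split():
        if "=" in token:                  # flags such as DF or SYN carry no value
            key, value = token.split("=", 1)
            entry.setdefault(key, value)  # UDP/TCP repeat LEN; keep the IP header's
    return entry

def summarize(log_text, local_addrs):
    """Count hits per chain and per destination service, and list INPUTFW
    packets addressed to the firewall itself (or a broadcast it receives)."""
    per_chain = Counter()
    ports = defaultdict(Counter)
    to_firewall = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        service = f"{e.get('PROTO')}/{e.get('DPT')}"
        per_chain[e["chain"]] += 1
        ports[e["chain"]][service] += 1
        if e["chain"] == "INPUTFW" and e.get("DST") in local_addrs:
            to_firewall.append((e["SRC"], e["DST"], service))
    return per_chain, ports, to_firewall

if __name__ == "__main__":
    # Assumed GREEN address of the firewall plus the GREEN broadcast (constructed).
    chains, ports, local = summarize(SAMPLE_LOG, {"192.168.10.1", "192.168.10.255"})
    for chain, n in chains.items():
        print(f"{chain:10s} {n:3d}  {dict(ports[chain])}")
    for src, dst, svc in local:
        print(f"INPUTFW hit addressed to the firewall: {src} -> {dst} {svc}")
```

Run it against a real /var/log/messages excerpt instead of SAMPLE_LOG and the INPUTFW lines with the firewall's own address as DST are exactly the ones Michael's INPUT-chain explanation refers to.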

Hi Michael,

Okay. This makes sense to me.

Now I have two new questions:

Do you maybe know if there was a change in iptables that would explain why this occurred for the first time after the update from version 2.21 to 2.23?

And for the other question:
I just have the two interfaces GREEN and RED. Would it be the solution to my problem if I change:

source: GREEN - target: ALL
to
source: GREEN - target: RED?

Thanks in advance!
Kind regards

No. It should always have been like this.

You won’t have the INPUT logs any more and since you are running open default policies that should not change anything else.

Hello Michael,
thanks a lot for your reply. I will test this change in the rule soon. I'll let you know then.

Thanks again,
Kind regards

Hello Michael,
first of all - Happy New Year (also to the whole community)

I changed the firewall rule as written, but I still get logs from the INPUTFW chain from all clients…

Is this rule correct, or do I have to set “RED” for the target firewall instead of “standard-network”?

Thanks a lot in advance!

Kind regards,
Andreas

Hello everyone,
I just wanted to ask if someone has an idea to solve this problem, because it's really annoying due to the fact that the log files are very difficult to evaluate.

After checking old backup files from versions 2.19 and 2.21, I am pretty sure that this problem started with the upgrade to version 2.23, because the ruleset didn't change since 2.21.

Thanks in advance!

Kind regards

Good morning everyone,
I hope you’re all doing well!

I just wanted to give an update on this topic, because I still have the problem that the INPUTFW gets logged.

I tried a change in the ruleset in the following way:

source: a single host from GREEN - target: RED - allow all protocols

I activated the logging of this rule and deactivated the logging of the rule

source: GREEN - target: RED - allow all protocols

As expected, only the single host was logged by the firewall, but again not just in the FORWARDFW chain but in the INPUTFW chain as well.
I thought this could be the solution, because the firewall itself is no longer part of the source and would not log itself.

Do I have a general misunderstanding here, and/or does someone have another idea to solve this?

Thanks a lot in advance!
Kind regards,
Andreas

Edited: Is it possible to have an additional logging rule after the “main rule” target GREEN (or the single client) - target: RED?
If yes, how should this look?