Internal-to-external traffic filtering with Ipfire's IP address blocklist service

Hello everyone,

I have 3 Ipfire on 3 sites. Wifi APs are connected to the Ipfire on 2 of the sites where we receive students who come to take classes with us.
These students work on their own laptops, so we have no way of knowing whether they or we have antivirus software, or worse…whether their machines are infected.

Recently, we had a problem with our provider Swisscom who blocked (without warning) our Internet access because supposedly a machine on our network had made connections to a blacklisted IP address.
The problem was that, despite the Suricata service filtering and the IP address blocklist service active on our Ipfire firewall, it didn’t detect anything abnormal on our network!

As far as the IP address blocklist is concerned, this is normal, since it seems to me that only incoming traffic is blocked, not outgoing traffic (correct me if I’m wrong).

How can I use Ipfire to detect a machine connecting from my network to a malicious IP?

Would it be possible to integrate (if it isn’t already the case) a monitoring of internal to external traffic based on Ipfire’s IP blocklist and block traffic from a machine trying to connect to a malicious IP ?

Thanks

I’m answering my own question… in fact, if you check the IPSET rules in IPTABLES, you’ll see that filtering is done both on the input and output sides. If we take the ALIENVAULT rule as an example, we see the following:

# iptables -L | grep ALIENVAULT
Chain ALIENVAULT_DROP (2 references)
LOG all -- anywhere anywhere limit: avg 10/sec burst 5 LOG level warn prefix "BLKLST_ALIENVAULT "
ALIENVAULT_DROP all -- anywhere anywhere match-set ALIENVAULT src
ALIENVAULT_DROP all -- anywhere anywhere match-set ALIENVAULT dst
#

The “dst” rule is the same as the “src” rule.
In my case, the addresses that caused me problems because they were detected as Bot Adload (targeting Apple devices) were these:

178.162.203.202
5.79.71.225
178.162.203.211
5.79.71.205

Unfortunately, these addresses are not listed in the various blocklists available on Ipfire. I found them blacklisted on this site: https://www.abuseipdb.com. I must therefore integrate other blocklists (including my personal blocklist) into Ipfire.
To solve the problem, I’ve created a script that will check various third-party blacklists (including my own blacklist), remove duplicate IPs or networks and integrate the necessary IPSET rules into Ipfire.
I’m in the process of finalizing this script. As soon as it’s up and running, I’ll share it with you if it can help anyone.
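
As an added example, not the script from the post and not IPFire's own code, here is a Python sketch of the merge step described above: it parses several blocklist feeds (the feed texts in the code are constructed samples standing in for the downloaded lists and a personal blacklist), drops exact duplicates and hosts already covered by a listed network, and emits `ipset restore` input that builds the set and swaps it in atomically. The set name MYBLOCKLIST is an assumption, and hooking such a set into IPFire's own chains is not shown here.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample feeds (not real feed contents): one entry per line,
# with "#" or ";" comments and the occasional malformed line.
FEED_A = """
# third-party feed
178.162.203.202
5.79.71.225
178.162.203.0/24 ; already covers the first entry above
"""
FEED_B = """
; personal blacklist
178.162.203.211
5.79.71.225
not-an-address
5.79.71.205
"""

def parse_feed(text: str) -> List[ipaddress._BaseNetwork]:
    """Parse one blocklist: accept IPv4/IPv6 hosts and CIDRs, skip comments and junk."""
    nets = []
    for line in text.splitlines():
        token = line.split("#")[0].split(";")[0].strip()
        if not token:
            continue
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            continue  # one malformed line must not abort the whole feed
    return nets

def merge_feeds(feeds: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Union all feeds; collapse duplicates and hosts contained in a listed network."""
    nets = [n for f in feeds for n in parse_feed(f)]
    v4 = [n for n in nets if n.version == 4]  # collapse_addresses needs one family
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def ipset_restore_script(nets, setname: str = "MYBLOCKLIST") -> str:
    """Emit `ipset restore` input: fill a temporary IPv4 hash:net set, then swap it in."""
    tmp = f"{setname}_tmp"  # IPv6 entries would need a separate 'family inet6' set
    lines = [f"create {setname} hash:net family inet -exist",
             f"create {tmp} hash:net family inet"]
    lines += [f"add {tmp} {n.with_prefixlen}" for n in nets if n.version == 4]
    lines += [f"swap {tmp} {setname}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(ipset_restore_script(merge_feeds([FEED_A, FEED_B])), end="")
```

The output is meant to be piped into `ipset restore`; the swap keeps the live set populated while the new one is built.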

Before you go through all that work,
you should search for “Banish”.
Unofficial addon.

Hi @hvacguy ,

Thanks for your reply… I saw Banish here: GitHub - Grantura/Banish-IPFire but it hasn’t been maintained for 6 years! So… I don’t dare use it :frowning:
So I developed my own script that I published on Github if anyone is interested in improving it with me.
You can find it here if anyone’s interested :slight_smile:

Is that the old version?

Perhaps @helix can shed some light on it.

https://people.ipfire.org/~helix/banish/


The version on GitHub is my original iptables version and has been superseded by the ipset version and integrated with ipblocklist.

https://people.ipfire.org/~helix/banish/Banish-002.tar.gz

This version probably needs an updated sources list to reflect the recently added latest changes regarding the SPAMHAUS_DROP rule.

Rob


I have added a banish updated sources file for use with the changed source list in CU186.
https://people.ipfire.org/~helix/banish/sources-cu186

To install, change to /tmp:
cd /tmp

download sources-cu186 to /tmp:
wget https://people.ipfire.org/~helix/banish/sources-cu186

back up the original sources file:
cp /var/ipfire/ipblocklist/sources /var/ipfire/ipblocklist/sources.orig

and copy the modified sources file to /var/ipfire/ipblocklist:
cp /tmp/sources-cu186 /var/ipfire/ipblocklist/sources
cp: overwrite ‘/var/ipfire/ipblocklist/sources’? yes

Rob


@helix Hi Rob, thank you for this, just one question please, does the system have to be rebooted after updating with your script?

Shouldn’t need to. Just reload the IP Address Blocklists page and you will see the BANISH menu, which you should enable and ‘save’. You then need to reload the firewall ruleset in the firewall menu to activate the BANISH rules.

Add your Banish entries to the IPFire/Banish menu which should then be automatically updated every 15 minutes…

Rob

@helix Thank you, Rob, much appreciated.