I have 3 IPFire firewalls on 3 sites. Wifi APs are connected to the IPFire on 2 of the sites where we receive students who come to take classes with us.
These students work on their own laptops, so we have no way of knowing whether they or we have antivirus software, or worse… whether their machines are infected.
Recently, we had a problem with our provider Swisscom who blocked (without warning) our Internet access because supposedly a machine on our network had made connections to a blacklisted IP address.
The problem was that, despite the Suricata filtering service and the IP address blocklist service being active on our IPFire firewall, it didn’t detect anything abnormal on our network!
As far as the IP address blocklist is concerned, this is normal, since it seems to me that only incoming traffic is blocked, not outgoing traffic (correct me if I’m wrong).
How can I use IPFire to detect a machine connecting from my network to a malicious IP?
Would it be possible to integrate (if it isn’t already the case) monitoring of internal-to-external traffic based on IPFire’s IP blocklist, and block traffic from a machine trying to connect to a malicious IP?
I’m answering my own question… in fact, if you check the ipset rules in iptables, you’ll see that filtering is done on both the input and output sides. If we take the ALIENVAULT rule as an example, we see the following:
The “dst” rule is the same as the “src” rule.
In my case, the addresses that caused me problems because they were detected as Bot Adload (targeting Apple devices) were these:
Unfortunately, these addresses are not listed in the various blocklists available on IPFire. I found them blacklisted on this site: https://www.abuseipdb.com. I must therefore integrate other blocklists (including my personal blocklist) into IPFire.
To solve the problem, I’ve created a script that will check various third-party blacklists (including my own blacklist), remove duplicate IPs or networks, and integrate the necessary ipset rules into IPFire.
I’m in the process of finalizing this script. As soon as it’s up and running, I’ll share it with you if it can help anyone.
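As an added example (not the script from the post above, and not IPFire’s own code) of the merge-and-dedup step the post describes: it combines several feeds, collapses duplicate, shadowed and adjacent entries with Python’s ipaddress module, and emits ipset/iptables commands that, like the ALIENVAULT rules, match the set as both src and dst. The feed contents, the set name MY_BLOCKLIST and the chain BLOCKLIST_OUT are constructed placeholders.

```python
#!/usr/bin/env python3
"""Merge IP blocklists, drop duplicates/shadowed networks, emit ipset + iptables
commands matching the set on BOTH src and dst. Set/chain names are placeholders."""
import ipaddress
import re
from typing import Iterable

# Constructed sample feeds standing in for third-party lists and a personal list.
FEED_A = """# third-party feed (constructed)
192.0.2.10
192.0.2.0/24          ; the /24 shadows the single host above
198.51.100.7
"""
FEED_B = """# second feed (constructed)
198.51.100.7          # exact duplicate of feed A
203.0.113.0/25
203.0.113.128/25      # adjacent /25s collapse into 203.0.113.0/24
not-an-address        # junk line that must not abort the update
"""
PERSONAL = "203.0.113.200\n"   # personal list entry, absorbed by the /24

ENTRY_RE = re.compile(r"^\s*([0-9.]+(?:/\d{1,2})?)")

def parse_entries(text: str) -> list:
    """Extract IPv4 hosts/networks from a feed; skip comments and malformed lines."""
    nets = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        try:
            nets.append(ipaddress.ip_network(m.group(1), strict=False))
        except ValueError:
            continue  # malformed entry: ignore it rather than fail the whole run
    return nets

def merge_blocklists(feeds: Iterable[str]) -> list:
    """Union of all feeds with duplicates, shadowed hosts and adjacent ranges collapsed."""
    nets = [n for feed in feeds for n in parse_entries(feed)]
    return sorted(ipaddress.collapse_addresses(nets))

def ipset_commands(nets, setname="MY_BLOCKLIST", chain="BLOCKLIST_OUT") -> list:
    """ipset + iptables lines; the 'dst' rule mirrors 'src' so outbound hits drop too."""
    lines = [f"ipset create {setname} hash:net -exist", f"ipset flush {setname}"]
    lines += [f"ipset add {setname} {n.with_prefixlen} -exist" for n in nets]
    for direction in ("src", "dst"):
        lines.append(f"iptables -A {chain} -m set --match-set {setname} {direction} -j DROP")
    return lines

if __name__ == "__main__":
    print("\n".join(ipset_commands(merge_blocklists([FEED_A, FEED_B, PERSONAL]))))
```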
Thanks for your reply… I saw Banish here: GitHub - Grantura/Banish-IPFire, but it hasn’t been maintained for 6 years! So… I don’t dare use it.
So I developed my own script, which I published on GitHub if anyone is interested in improving it with me.
You can find it here if anyone’s interested.
Shouldn’t need to. Just reload the IP Address Blocklists page and you will see the BANISH menu, which you should enable and ‘save’. You then need to reload the firewall ruleset in the firewall menu to activate the BANISH rules.
Add your Banish entries to the IPFire/Banish menu, which should then be automatically updated every 15 minutes…