IPS and Location Block

Hi,

I see in the wiki page wiki.ipfire.org - Intrusion Prevention System (IPS) that the location block is in front of IPS.
I’m on Core Update 157 and in the IPS logs I see external IPs from countries that are blocked; in the firewall log they are not present.
Is the location block before or after the IPS?

Thanks

Hi,

first, welcome back. :slight_smile:

Second: This might be the case if an IPS rule triggers on an incoming packet that is part of a connection a client behind IPFire has established. (The location block does not work for outgoing connections on purpose.)

To confirm this, could you post the relevant IPS log lines here? Feel free to redact public IP addresses.

Thanks, and best regards,
Peter Müller

Hi,

thanks for the reply

The location block is set up to block all countries except Italy, and it’s working ok.

Here are some lines from the web GUI logs of 2 IPFire installations that do not seem to be outgoing connections (the second is a backup with no traffic):

Date: 07/07 19:54:19 Name: INDICATOR-SCAN UPnP service discover attempt
Priority: 3 Type: Detection of a Network Scan
IP info: 36.27.214.242:41730 → first_wan:1900
References: none found SID: 1917

This source IP is from China

Date: 07/07 19:01:21 Name: PROTOCOL-DNS named version attempt
Priority: 2 Type: Attempted Information Leak
IP info: 37.49.229.228:57795 → first_wan:53
References: none found SID: 1616

This source IP is from NL

Date: 07/07 17:52:55 Name: INDICATOR-SCAN myscan
Priority: 2 Type: Attempted Information Leak
IP info: 5.188.158.146:10101 → first_wan:3390
References: none found SID: 613

This source IP is from Russia

Date: 07/07 16:47:50 Name: INDICATOR-SCAN UPnP service discover attempt
Priority: 3 Type: Detection of a Network Scan
IP info: 184.105.139.77:53252 → first_wan:1900
References: none found SID: 1917

This source IP is scan-03b.shadowserver.org

Date: 07/07 23:05:26 Name: INDICATOR-SCAN UPnP service discover attempt
Priority: 3 Type: Detection of a Network Scan
IP info: 52.73.169.169:57235 → second_wan:1900
References: none found SID: 1917

This source IP is scanner2.scanning.cybergreen.net

Date: 07/07 17:36:28 Name: MALWARE-CNC Win.Trojan.ZeroAccess inbound connection
Priority: 1 Type: A Network Trojan was detected
IP info: 66.240.205.34:1066 → second_wan:16464
References: none found SID: 31136

This source IP is malware-hunter.census.shodan.io

Giuseppe


Hi,

sorry for replying late.

Indeed, you are right. Looking at the iptables chain order, the location block is processed way after the IPS_INPUT chain:

This explains why you are observing incoming IPS hits from countries you blocked in the location block. Not a security issue, though, as the packets are dropped sooner or later, but this differs from our current documentation. :expressionless:

Thanks for spotting this, and best regards,
Peter Müller

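A quick way to verify the chain order Peter describes on your own box is to read the INPUT chain as printed by `iptables -S INPUT` and compare the positions of the jumps to the IPS chain and the location block chain. The script below is an added example and not IPFire project code; the only chain name taken from the thread is IPS_INPUT, while LOCATIONBLOCK and the other chain names in the sample ruleset are assumptions, and the sample ruleset itself is constructed, not captured from a real firewall.

```shell
#!/bin/sh
# Added example, not IPFire project code: determine the order in which the
# INPUT chain jumps to its sub-chains, from `iptables -S INPUT` output.
# IPS_INPUT comes from the thread; LOCATIONBLOCK and the other chain names
# below are assumptions used for illustration.

# Constructed sample of `iptables -S INPUT` output (not captured from a real
# box), arranged so that the IPS chain is hit before the location block.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j IPS_INPUT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j LOCATIONBLOCK
-A INPUT -j INPUTFW'

# jump_position RULES CHAIN
# Prints the 1-based index (counting only "-A INPUT ..." rules, i.e. the
# order iptables evaluates them) of the first rule that jumps to CHAIN.
# Prints nothing if no rule jumps there.
jump_position() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        /^-A / {
            n++
            for (i = 1; i <= NF; i++)
                if ($i == "-j" && $(i + 1) == chain) { print n; exit }
        }'
}

# jumps_before RULES CHAIN_A CHAIN_B
# Succeeds (exit 0) only if both chains are jumped to and CHAIN_A is
# evaluated before CHAIN_B.
jumps_before() {
    a=$(jump_position "$1" "$2")
    b=$(jump_position "$1" "$3")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# report RULES
# Explains, for the ruleset given, why geo-blocked sources can still show
# up in the IPS log: the IPS sees the packet first, then the location
# block drops it.
report() {
    if jumps_before "$1" IPS_INPUT LOCATIONBLOCK; then
        echo "IPS_INPUT is evaluated before LOCATIONBLOCK: IPS alerts from geo-blocked sources are expected"
    else
        echo "LOCATIONBLOCK is evaluated before IPS_INPUT: geo-blocked sources never reach the IPS"
    fi
}

report "$SAMPLE_RULES"
```

On the firewall itself, run it against the live ruleset with `report "$(iptables -S INPUT)"` as root; if the location block chain on your Core Update has a different name, substitute it for LOCATIONBLOCK.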

Hi Peter,

thanks for the clarification.

Giuseppe