IPS vs Location Block vs Guardian vs firewall

I am a newbie and still trying to figure out how things work.

Which service gets the first picks to block unwanted traffic?

-Location Block

For example I am trying to figure out some issues with a few devices, and keep looking in logs,

IPS log shows something interesting
I see an alert
ET CINS Active Threat Intelligence Poor Reputation IP group 18
**Priority: 2 Type: Misc Attack**

source is from CHINA and destination is my RED IP port 22.

Guardian protects the SSH port so
I assume Logs-System Logs-Guardian would pick it up, but the log is empty. Pretty much 0 events since I installed it. Only event is starting Guardian

Logs-Firewall logs just show a bunch of DROP_NEWNOTSYN from LAN IPs,
but nothing from China.

So IPS is doing all the work? I wonder if I stop IPS service, will Guardian Log get busy, or firewall Log?


this depends on the type of unwanted traffic you observe. :slight_smile:

Guardian detects brute-force login attempts against IPFire’s SSH server and web interface. Since they should not be accessible from the internet (unless you configured them to be, which I strongly recommend against), you will only see internal IP addresses attacking your firewall here.

(It is a good thing to monitor the list of IP addresses blocked by Guardian, since these could be compromised internal devices or internal attackers.)

The Location block does not really do anything in terms of security: its sole purpose is to reduce noise in the logs, which might be interesting if you are running on poor flash storage (such as cheap SD cards) and do not want to log every single firewall hit from certain countries. To have it mentioned, the Location block only works on incoming connections.

This leaves you with a combination of the firewall and the IPS to filter out bad traffic from and to your system. You will observe most hits there, while the IPS might detect some attacks that slipped through the firewall since the latter works on OSI layer 3 and 4 only.

Both IPS and firewall complement each other, but cannot replace each other.

This is completely harmless and common if your IPFire’s RED interface is exposed directly to the internet and has a public IPv4 address. You might observe thousands of these hits per day - this is a summary of all IPS hits on my testing machine (running behind a DSL connection in Europe) yesterday:

[root@maverick ~]# grep "12/23/2020-" /var/log/suricata/fast.log | cut -d\  -f6-  | cut -d\[ -f 1 | sed -e 's/group.*$/group XX/g' | sort | uniq -c | sort -n
      1 ET DOS Possible SSDP Amplification Scan in Progress 
      2 GPL RPC xdmcp info query 
      3 ET SCAN Suspicious inbound to Oracle SQL port 1521 
      4 GPL DNS named version attempt 
      4 GPL RPC portmap listing UDP 111 
     12 ET SCAN Suspicious inbound to mySQL port 3306 
     16 ET SCAN Sipvicious User-Agent Detected (friendly-scanner) 
     16 GPL SNMP public access udp 
     17 ET SCAN Suspicious inbound to PostgreSQL port 5432 
     19 ET SCAN Sipvicious Scan 
     25 ET SCAN NMAP -sA (2) 
     41 ET SCAN NMAP -sA (1) 
    104 ET SCAN Suspicious inbound to MSSQL port 1433 
    141 ET DROP Spamhaus DROP Listed Traffic Inbound group XX
    746 ET DROP Dshield Block Listed Source group XX
   1174 ET SCAN NMAP -sS window 1024 
   1199 ET CINS Active Threat Intelligence Poor Reputation IP group XX

Since your SSH server is not exposed to the internet, there was no successful TCP connection to it, so no login attempt could be made, and Guardian could not have observed anything. You are safe. :slight_smile:

This sounds like you enabled the Location filter for all countries, so no logs will be written. (Did I mention I do not like the Location filter because it causes more confusion than it solves problems?)

Certainly not.

In case the Location block is enabled, none of them. In the background, the firewall is always busy, but it does not log it. Try disabling the Location block once and have a look at the firewall logs…

Thanks, and best regards,
Peter Müller

P.S.: In case you worry about those IPS hits, please have a look at this thread. :slight_smile:
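The grep/cut/sed/uniq pipeline in the post above counts one day's fast.log alerts per signature, collapsing the numbered reputation-list groups into one line each. The following is an added example (not IPFire's or Suricata's code, and not part of this thread) that does the same summary in Python with a proper parser for Suricata's fast.log line layout, and additionally breaks the hits down by destination port so you can see which exposed ports on RED attract the noise. The sample log lines, IP addresses and signature ids are constructed placeholders.

```python
"""Summarize Suricata fast.log alerts for one day.

Added example, not IPFire's or Suricata's own code. The line layout is
Suricata's standard fast.log format; the sample lines below are constructed
(documentation IP ranges, placeholder signature ids).
"""
import re
from collections import Counter

# One fast.log alert line:
# <timestamp>  [**] [gid:sid:rev] <message> [**] [Classification: ...]
# [Priority: N] {PROTO} src:port -> dst:port
FAST_LOG_RE = re.compile(
    r"^(?P<timestamp>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"\[Classification:\s*(?P<classification>[^\]]*)\]\s+"
    r"\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Za-z0-9]+)\}\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)

# Reputation-list rules are split into numbered groups ("... group 18");
# collapse the number so one list counts as one signature (the sed step above).
GROUP_RE = re.compile(r"\bgroup \d+\s*$")

# Constructed sample lines (placeholder sids, documentation addresses).
SAMPLE_FAST_LOG = [
    "12/23/2020-08:01:13.412233  [**] [1:9000001:1] ET CINS Active Threat Intelligence Poor Reputation IP group 18 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.23:51234 -> 203.0.113.10:22",
    "12/23/2020-08:02:45.001010  [**] [1:9000002:1] ET CINS Active Threat Intelligence Poor Reputation IP group 22 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.77:40021 -> 203.0.113.10:22",
    "12/23/2020-09:14:02.778899  [**] [1:9000003:1] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.0.2.55:60100 -> 203.0.113.10:3306",
    "12/23/2020-11:30:19.556677  [**] [1:9000004:1] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 192.0.2.200:33333 -> 203.0.113.10:445",
    "12/22/2020-23:59:58.123456  [**] [1:9000001:1] ET CINS Active Threat Intelligence Poor Reputation IP group 18 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 198.51.100.23:51000 -> 203.0.113.10:22",
    "this line is not an alert and is skipped",
]


def parse_fast_log_line(line):
    """Return a dict of the alert's fields, or None for non-alert lines."""
    m = FAST_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "priority", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def normalize_signature(msg):
    """Collapse 'group N' suffixes so a split reputation list counts once."""
    return GROUP_RE.sub("group XX", msg)


def alerts_on_day(lines, day):
    """Yield parsed alerts whose timestamp starts with day ('MM/DD/YYYY')."""
    for line in lines:
        rec = parse_fast_log_line(line)
        if rec and rec["timestamp"].startswith(day + "-"):
            yield rec


def summarize_alerts(lines, day):
    """Counter of normalized signature -> number of hits on that day."""
    return Counter(normalize_signature(r["msg"]) for r in alerts_on_day(lines, day))


def summarize_dest_ports(lines, day):
    """Counter of (proto, destination port) -> hits, to see which exposed
    ports on the RED interface draw the scans."""
    return Counter((r["proto"], r["dport"]) for r in alerts_on_day(lines, day))


def print_summary(counter):
    """Print like 'sort | uniq -c | sort -n': ascending count, then name."""
    for name, n in sorted(counter.items(), key=lambda kv: (kv[1], str(kv[0]))):
        print(f"{n:8d} {name}")


if __name__ == "__main__":
    # Read the real file with: lines = open("/var/log/suricata/fast.log")
    print_summary(summarize_alerts(SAMPLE_FAST_LOG, "12/23/2020"))
    print()
    print_summary(summarize_dest_ports(SAMPLE_FAST_LOG, "12/23/2020"))
```

On a real box, replace SAMPLE_FAST_LOG with the lines of /var/log/suricata/fast.log; the per-port view is what tells you whether a flood of "Poor Reputation IP" hits is just background scanning of port 22 on RED (which, as the post explains, never becomes a Guardian event when SSH is not reachable from the internet) or something aimed at a port you actually forward.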


Thanks Peter, I appreciate your exhaustive answer,