Hi,
this depends on the type of unwanted traffic you observe.
Guardian detects brute-force login attempts against IPFire’s SSH server and web interface. Since they should not be accessible from the internet - unless you configured them to be, which I strongly recommend against -, you will only see internal IP addresses attacking your firewall here.
(It is a good thing to monitor the list of IP addresses blocked by Guardian, since these could be compromised internal devices or internal attackers.)
The Location block does not really do anything in terms of security - its sole purpose is to reduce noise in the logs, which might be interesting if you are running on poor flash storage (such as cheap SD cards) and do not want to log every single firewall hit from certain countries. Just to have it mentioned, the Location block only works on incoming connections.
This leaves you with a combination of the firewall and the IPS to filter out bad traffic from and to your system. You will observe most hits there, while the IPS might detect some attacks that slipped through the firewall since the latter works on OSI layer 3 and 4 only.
Both IPS and firewall complement each other, but cannot replace each other.
This is completely harmless and common if your IPFire’s RED interface is exposed directly to the internet and has a public IPv4 address. You might observe thousands of these hits per day - this is a summary of all IPS hits on my testing machine (running behind a DSL connection in Europe) yesterday:
```
[root@maverick ~]# grep "12/23/2020-" /var/log/suricata/fast.log | cut -d\  -f6- | cut -d\[ -f 1 | sed -e 's/group.*$/group XX/g' | sort | uniq -c | sort -n
      1 ET DOS Possible SSDP Amplification Scan in Progress
      2 GPL RPC xdmcp info query
      3 ET SCAN Suspicious inbound to Oracle SQL port 1521
      4 GPL DNS named version attempt
      4 GPL RPC portmap listing UDP 111
     12 ET SCAN Suspicious inbound to mySQL port 3306
     16 ET SCAN Sipvicious User-Agent Detected (friendly-scanner)
     16 GPL SNMP public access udp
     17 ET SCAN Suspicious inbound to PostgreSQL port 5432
     19 ET SCAN Sipvicious Scan
     25 ET SCAN NMAP -sA (2)
     41 ET SCAN NMAP -sA (1)
    104 ET SCAN Suspicious inbound to MSSQL port 1433
    141 ET DROP Spamhaus DROP Listed Traffic Inbound group XX
    746 ET DROP Dshield Block Listed Source group XX
   1174 ET SCAN NMAP -sS window 1024
   1199 ET CINS Active Threat Intelligence Poor Reputation IP group XX
```
Since your SSH server is not exposed to the internet, there was no successful TCP connection to it, so no login attempt could be made, and Guardian could not have observed anything. You are safe.
This sounds like you enabled the Location filter for all countries, so no logs will be written. (Did I mention I do not like the Location filter because it causes more confusion than it solves problems?)
Certainly not.
In case the Location block is enabled, none of them. In the background, the firewall is always busy, but it does not log it. Try disabling the Location block once and have a look at the firewall logs…
Thanks, and best regards,
Peter Müller
P.S.: In case you worry about those IPS hits, please have a look at this thread.
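The grep/cut/sed/uniq pipeline in the post above, rewritten as a small Python parser for Suricata's fast.log so the daily IPS summary can be produced on any box. This is an added example, not code from the post or from the IPFire project; the log lines, IP addresses and rule IDs are constructed for illustration, and the assumption is the standard fast.log layout (with an optional `[Drop]` action tag as written in IPS mode).

```python
import re
from collections import Counter
from typing import Dict, Iterable

# Suricata fast.log layout (IPS mode prefixes an action tag such as [Drop]):
#   MM/DD/YYYY-HH:MM:SS.uuuuuu  [Drop] [**] [gid:sid:rev] Signature name [**] [Classification: ...] ...
FAST_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})-(?P<time>[\d:.]+)\s+"
    r"(?:\[(?P<action>[A-Za-z]+)\]\s+)?\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
)

# Reputation-list rules end in "group <n>"; fold all groups of one list
# together, which is what the `sed -e 's/group.*$/group XX/g'` step does.
GROUP_SUFFIX = re.compile(r"\s+group\s+\d+$")


def summarize_fast_log(lines: Iterable[str], day: str) -> Dict[str, int]:
    """Count IPS hits per signature for one day given as MM/DD/YYYY."""
    counts: Counter = Counter()
    for line in lines:
        m = FAST_LINE.match(line)
        if not m or m.group("date") != day:
            continue  # another day, or not an alert line at all
        counts[GROUP_SUFFIX.sub(" group XX", m.group("msg"))] += 1
    return dict(counts)


# Constructed sample log (addresses from documentation ranges, rule IDs made up).
SAMPLE_FAST_LOG = """\
12/23/2020-01:02:03.000001  [Drop] [**] [1:2400000:1] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.5:40000 -> 198.51.100.2:22
12/23/2020-01:05:09.000002  [Drop] [**] [1:2400000:1] ET DROP Dshield Block Listed Source group 7 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.9:40001 -> 198.51.100.2:445
12/23/2020-02:10:11.000003  [**] [1:2010000:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.20:51000 -> 198.51.100.2:3306
12/22/2020-23:59:59.000004  [**] [1:2010000:3] ET SCAN Suspicious inbound to mySQL port 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.21:51001 -> 198.51.100.2:3306
""".splitlines()


if __name__ == "__main__":
    # Same presentation as `sort | uniq -c | sort -n`: ascending by count.
    for msg, n in sorted(summarize_fast_log(SAMPLE_FAST_LOG, "12/23/2020").items(), key=lambda kv: kv[1]):
        print(f"{n:7d} {msg}")
```

Point it at a real file with `summarize_fast_log(open("/var/log/suricata/fast.log"), "12/23/2020")`; lines that do not match the alert layout are skipped rather than miscounted.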