Less noise in the firewall logs

Security
1

I really like the fantastic DROP Hostile feature. Unfortunately, it causes way too much noise in my firewall log…

Originally I thought this might be very simple but I can understand that it might be an unusual request.

My scenario is simple,

  1. drop or block all INCOMING packets
    -INCOMING from any country or any network, protocol, HOSTILE, friendly etc,…

  2. block or drop bad OUTGOING traffic
    -DROP hostile incoming or OUTGOING packets
    -forward DNS and NTP requests to firewall.

  3. keep the logs noise free so I can notice the really important entries.
    I want to block everything possible but I don’t need to get notified 600 times per minute,

I am using

  1. IPS / ET Community rules - ENABLED on RED and GREEN
  2. Firewall Options - Drop packets from and to hostile networks (listed at [Spamhaus DROP] is OFF (because it is too noisy with 10+ identical entries per every second)
  3. Location block is ENABLED + CHECKED Incoming traffic from this country will be blocked
  4. Location block is CHECKED at XD Hostile networks safe to drop
  5. IP Address Blocklists - ENABLED and subscribed to SPAMHAUS and most other blocklists
  6. Firewall rules - NTP and DNS from IPfire Wiki

I documented the “noisy firewall log” a little while ago

2

You raised a bug on the topic of being able to stop logging the drop hostile reports.

https://bugzilla.ipfire.org/show_bug.cgi?id=12981

The problem to getting round to it is purely the time availability. I had several other bugs on my list to work on and it took some time to be able to get round to it.

As you were the originator of that bug you should have got email notifications about the first patch submission made in Dec 2023 and the v2 version submitted 5 days ago based on a discussion in the Jan 2024 IPFire video call.

This patch should be able to get merged into CU183 or at the latest CU184.

2 Likes
3

Thank for replying,

Now I see that a whole new firewall option had to be created?

I thought there might be just an iptables switch or maybe a combination of Location block - I noticed there is a country called XD -Hostile networks safe to drop

If I understand correctly all the country blocks basically supposed to “filter out” all the entries from incoming firewall log.s.

4

Sorry if this is a slight tangent. And I am not sure if you are watching the Terminal via /var/log/messages or using the WebGUI menu Logs to view.

From the post a year ago I think it is the WebGUI Logs.

In the menu Logs > Log Settings there is a detail switch. I wonder if this is not working as intended.

Screen Shot 2024-01-17 at 3.53.31 PM
Screen Shot 2024-01-17 at 3.53.31 PM2000×872 91.6 KB

Shouldn’t a Low Detail Level ignore INFO level items?

And hopefully display urgent items like ERROR and/or WARN messages ?

1 Like
5

Yes, I have the logs set at default low..

I will put it at medium and see if there is any difference

6

Since there might be someone like me who drops all incoming packets
and it only makes sense to log Outgoing traffic,
I was thinking about making a Firewall rule like this:

Outgoing Firewall rule to log and drop Hostile traffic., would this work or make any sense?

image
image976×1060 30.6 KB

7

I am not very familiar with the iptables rules sequences in IPFire but looking in the code if the DROP_HOSTILE option in the Firewall Options page is not selected then no action is taken on any packets from hostile networks.

Then you could create your rule for outgoing traffic and it would only drop and log the outgoing traffic.

Your incoming hostile traffic would be dropped anyway because you have no port forwards to open anything up from outside.

So I believe the rule should work if the drop hostile option is disabled in the firewall options WUI page. However it would be good for input from other people on my interpretation.

Your question is basically asking to have all hostile dropped, both incoming and outgoing but only log the outgoing which in situations as yours makes sense.

I have had a quick look at the code and I believe with some additional changes I can change the patch submission to allow to have two Log DROP_HOSTILE options, one for incoming and one for outgoing traffic so that it is not a all or nothing situation.

I will have a look at doing the changes and submit a v3 version of my patch.

3 Likes
8

Thank you for explaining the background information, and going out of your way to look at my unusual request :slight_smile:

Where would I look for the code to see how all the security layers interact?

I assume these are the most important layers: IP Blocklist vs Firewall vs Location Block vs Suricata

9

One of the places would be the rules.pl file

https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/firewall/rules.pl;h=7edb910e2d6e649396c38071380f796112d9e013;hb=refs/heads/next

Line 675 for locationblock subroutine
Line 712 for drop_hostile_networks subroutine
Line 733 for ipblocklist subroutine.

I am not sure where the suricata (IPS) traffic is fed through the firewall engine.

2 Likes
10

After a month of checking the logs, I can confirm that the “Low” Detail level doesn’t lower the noise in the Firewall logs, maybe it works for the Log Summary only.

@bonnietwin Is there a way to create custom “Locations” or “Countries”. Just like there is an “XD” location in the Location block , based on the Spamhaus DROP IP
Blocklist.

If I could create a locaton based on a blocklist , I could just create a firewall rule. that would block outgoing packets going to this “location” and on the bottom of the rule there is an option to Log the rule or not to Log Rule.

For example BOGON is an important list to block but the log gets too crowded with all the BOGON entries.

1 Like
11

If this is still to do with the Drop Hostile logging you already raised a bug on that

and I have been working on that and doing updates to the bug report and the fix is now in Core Update 184 Testing.

I split the Drop Hostile logging into incoming and outgoing so you can choose not to log drop hostile incoming but to still log drop hostile outgoing.

The graph data for the firewall hits was also split into in and out while keeping a line for total to deal with the history.

If this is no longer related to the drop hostile logging then it would make more sense to create a new thread on the subject.

There is already an option to log or not log the bogons.

Log dropped spoofed packets and marsians

Martians and Spoofed packets are BOGONS.

I will be doing a patch to fix the spelling error of marsians

4 Likes
12

I have to agree with you @bonnietwin .

I will make another thread on the subject.

I realized that the Location, Drop list and IP Blocklist might be available. through Firewall Rules WUI

13

Does this only ignore logs for the BOGON blocklist (not the FULL BOGON)

I have Marsians/Martians unchecked in Firewall Options, but as a blocklist, I use FULL BOGON

image
image1149×633 55.4 KB

image
image1374×153 17.7 KB

14

Bogons can be dealt with in two places.

Firstly in the firewall rulesets where to stop the logging you have to turn of the Logging in Firewall Options as you showed.

Secondly in the IP Block List where to stop the logging you have to disable the checkbox named “Log dropped packets” at the top of the IP Block Lists WUI page.

As the IP Blocklist is dealt with early in the sequence before the firewall iptables rules then you will still see the logs even if the firewall options logging is turned off, if the IP Block List logging is still enabled.

2 Likes
15

Will this disable logging of all the blocklists or just the BOGON?

16

It will disable logging of all the blocklists. The logging enable/disable is only at the top level of the blocklists.

2 Likes
17

Thanks @bonnietwin (Adolf),

I just upgraded successfully to 184. Your patch to control logging of dropped packets from / to hostile networks has been very welcomed.

Thank you for your time and dedication to the IPF cause - IPF is a better security product because of folks like you.

I have made a token donation to show my appreciation.

4 Likes
18

It looks like I missed something. @casabenedetti has flagged up in a post today that the DROP_HOSTILE was not showing up in the logs, although they were set as enabled.

https://community.ipfire.org/t/the-blocking-logs-of-hostile-drop-in-and-hostile-drop-out-appear-to-be-absent-although-the-chains-mentioned-regularly-block-hostile-traficking/11315

If you just press the Save button on the Firewall Options page and then reboot, it will then work correctly.

I obviously missed some command in the update.sh script to include the modified logging options.
I will look to get that corrected as quickly as possible so future upgraders to 184 don’t have the problem.

3 Likes
19

Why reboot is necessary for apply such options?

20

I presume because some of them need to have the iptables completely re-constructed not just some rules appended and that is done as part of a reboot and better not done on a connected firewall.

Above is just my belief. I have not checked through the code to confirm or not.

1 Like