New Firewall options Spamhaus DROP

First, thank you to everyone for the new features in core 165.

I apologize for a long question I seem to be confused by the variety of choices :star_struck: I did read some of the very resources (listed on the bottom of this post)

I see there are 3 very similar check boxes:

In Firewall Options:

In Location block
image

In IPS

I am curious what is the practical difference between all of them.
I assume, these rules have 3 different sources?
or they have a different update schedule?
like I am using ET COMMIUNITY for IPS, so these rulesets are at least 1-2 days old.

I also see that checking the Firewall Options require reboot, as the others just click Save.

This is kind of technical:
https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/initscripts/system/firewall;h=2a70feac2a091d59857885d7c6d0ce2e423ef668;hb=HEAD#l262

1 Like

One big difference between the Spamhaus DROP from the Firewall Options page is that it drops packets coming in and going out. If you have ended up with some malicious malware in your network and it starts to communicate with its C&C server on one of these Hostile Networks then this option will prevent it from doing so.

Usually if you don’t have any servers and therefore no Port Forward rules then Location Blocking and the Hostile networks firewall option and the IPS drop rules for incoming traffic don’t provide any additional protection to incoming threats on Red because they are already blocked. However, as many people don’t have their Outgoing default policy set as Blocked with specific rules to allow specified traffic out to specific IP’s or ranges of IP’s then having Hostile Networks blocked also for outgoing ensures no accidental contact because any communication out can then come back as it will be a tracked connection linked to the original outgoing traffic.
Then it makes sense to review the Emerging Threats rules sets to identify the types of internal or outgoing traffic that you would want to spot and stop. If you are running mail servers then it probably makes sense to select the emerging-imap.rules and emerging-pop3.rules but not if you aren’t or if you are using voip you might want to turn on the emerging-voip.rules.

To me enabling the Drop hostile networks packets in both directions is a no-brainer. I don’t want my systems to contact or be contacted by those networks ever.

IPS I then review to figure out what type of traffic I would want to pick up and select those rules and after running it for a period without dropping and then reviewing the results for any false positives, I change it to a drop setting.
Then every couple of months I have a look through the rulesets to see if they still make sense. If I were to change something in my network significantly, such as set up my own mail server then I would update the rules selected at launch of that service.

I think reading through resources like those you listed is a good approach and of course there can also be good tips or suggestions highlighted in this forum that make you review or add to the used rulesets. I have had that a few times.

As the overlap coverage of these three approaches is not 100% then, unless you have a performance degradation of your system, you can always run all three and see what results you get in your logs.

5 Likes

Adolf,

Thank you for your thorough response :+1:

I enabled all 3
My logs are exploding after I enabled all 3 options.
My IPS log is around 2500 entries, which is a usual daily number
What grew hyperbolically is my Firewall log with 4500 entries, all DROP_HOSTILE hits.

Do you mean to change IPS rules from ALERT to DROP?
How could you change the IPS settings to DROP?
just the Monitoring check mark?

That means that there are a lot of hostile networks trying to access your network. If you have no or very few open ports from red to your internal lan then these would be getting dropped and logged in the past. If you have no open ports on your system then you could turn off the drop hostile feature but you would then lose the dropping of any traffic going from your internal network to a hostile network.

If you do have ports open to access services on your lan from the internet then I would definitely leave the drop hostile turned on because then you are stopping them trying to find weak points in your services.

I believe that there is work in progress to add a logging on/off feature for the drop hostile incoming.
I think that you would never want to switch off logging for hostile outgoing because that is when someone internally is trying to access one of those hostile networks, inadvertently or not, or that there is a compromised system in your network. In both cases you would want to not only drop that but know about it.

Yes. In the IPS page you can check a box labelled “Monitor traffic only” and in that case the rules will be applied and results logged but no actual drop of the traffic occur. It will effectively be an Intrusion Detection system. Once you are happy that what is being flagged is correct you can uncheck that box and from then on it will be an Intrusion Prevention system and all results it finds will be dropped.

3 Likes