Question to “IP Address Blocklist”:

Wondering why the IP Address Blocklist doesn't "block communication" the way the Intrusion Prevention System does?

Background: the Intrusion Prevention System works at every firewall state,
whereas the IP Address Blocklist works only when the "Default firewall behavior" for both FORWARD and OUTGOING is set to the Blocked state.

Shouldn't IPAB work equally, at every firewall status, to be safe?

Furthermore, when we made some tests, we recognized that somehow the IP Address Blocklist logs do not work when, for example, pings to IPs from the TOR ALL list and others were blocked.
The count stays at 0 and 0%.
For the test we took, for example, the local IPFire list /var/lib/ipblocklist/TOR_ALL.conf…

BR
Trash

Hi @trash-trash, I didn't understand. Is it blocking, but not logging? Or are the IPB addresses disabled although being set to Drop in the webgui firewall options?
G70P

  • The IP Address Blocklist only blocks when the option "Default firewall behavior" FORWARD and OUTGOING are both set to the Blocked state.
  • Sending pings to IPs of, for example, TOR ALL at status Blocked was not counted in the log; you see the counts are 0 and 0%.

Test that by setting both to Allowed; are you then able to connect to TOR?

BR
Trash


I had the IPBA engine working before with both forward options enabled. When we talked on PT rulesets that was my setup and it was blocking addresses from the lists. At the moment both are set to block and the other 3 above to reject - working fine as well.
PS - I'm choosing reject to send a signal of being a monitored network, except for tunneling protocols.
G70P

@trash-trash sorry to ask, which release are you on, stable, tests or unstable?

I disabled every firewall rule.
I set the firewall state to "Allowed" FORWARD and "Allowed" OUTGOING.
IDS kept enabled.
SSH to IPFire, copy the IP Blocklist "TOR-ALL" file to the PC… This list is active at IP Blocklist.
Now I send pings to IPs of that list; I get answers… they are not dropped.
I went to the IP Blocklist Log: no recognition, 0 and 0%.

I took an IP from the IDS and sent a ping; those pings are dropped, even at this firewall state.

Now I set the firewall state back to "Blocked" FORWARD and "Blocked" OUTGOING…
Sending pings to IPs of the "TOR_ALL" list, they were now dropped, but only in this firewall state.
I went to the IP Blocklist Log: no recognition, 0 and 0%.

BR
Trash
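To make the test described above repeatable (run it once with FORWARD/OUTGOING set to Blocked and once with Allowed, then compare the counts), here is a small added script; it is not from the thread or from IPFire. It assumes only that each entry of the blocklist file contains an IPv4 address or network somewhere on its line, since the exact file format is not shown here, and the sample list it falls back to is constructed.

```shell
#!/bin/sh
# Added example: probe addresses from an IPFire blocklist file to see which
# still answer. Compare the "answered" count across firewall states.
LIST="${1:-/var/lib/ipblocklist/TOR_ALL.conf}"

# Print the IPv4 addresses found in a blocklist file, one per line, de-duplicated.
# Assumption: the address appears somewhere on the line (format not shown in thread).
extract_ips() {
    grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" | sort -u
}

# Number of distinct addresses in a list file.
count_ips() {
    extract_ips "$1" | wc -l | tr -d ' '
}

# Ping up to $2 addresses (default 10) with a 1-second timeout and report
# how many replied. A reply means the packet was NOT dropped by the firewall.
probe_list() {
    list="$1"; max="${2:-10}"; probed=0; answered=0
    for ip in $(extract_ips "$list" | head -n "$max"); do
        probed=$((probed + 1))
        if ping -c 1 -W 1 "$ip" >/dev/null 2>&1; then
            answered=$((answered + 1))
            echo "REPLIED  $ip   (not dropped)"
        else
            echo "no reply $ip"
        fi
    done
    echo "probed=$probed answered=$answered"
}

if [ -r "$LIST" ]; then
    probe_list "$LIST" 10
else
    # Constructed sample (TEST-NET addresses) so the parsing part runs anywhere.
    SAMPLE="$(mktemp)"
    printf 'add TOR_ALL 192.0.2.10/32\nadd TOR_ALL 192.0.2.11/32\n' > "$SAMPLE"
    echo "$LIST not readable; parsed $(count_ips "$SAMPLE") sample entries instead"
    rm -f "$SAMPLE"
fi
```

Run it on the IPFire box itself to test the OUTGOING direction, and from a client behind green to test FORWARD.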

Are the other lists dropped?

It may happen that if you have the TOR suricata rules enabled as well in the configuration, it may be blocked first by suricata and so doesn't activate the IP address blocker?! /var/lib/suricata/emerging-tor.rules
Regards
G70P

@g70p
Suricata and IP Blocklist are two functions IPFire offers.
The matter is:
Suricata acts (at every firewall state) for IPs I took from the Suricata lists.
IP Blocklist acts (only at the Blocked firewall state) for IPs I took from the IP Blocklists.

So what I mean is, the IP Blocklist should also act when the firewall state is set to "Allowed" forwarding and "Allowed" outgoing.

That the log of the IP Blocklist now does not work on my IPFire is a second matter.

BR
Trash

That’s awkward! Check if it’s logging the right time and day!
G70P


(screenshot: filtering and logging)
Suricata disabled on Red with firewall options to block both and reject.
Still having trouble with time settings.
Had to allow DNS on 53 but still looking for a way to keep only DoH and forward it.
I believe there's a streaming protocol, H.323, that is not present and is being blocked by the IPS; that's why I need to disable Suricata on Red :smiley: to watch YouTube.
Considerations about firewall rules are welcome.
Regards
G70P