Question to “IP Address Blocklist”:

Security
1

Wondering why the IP Address Blocklist don’t „block communication“, as it by Intrusion Prevention System?

Background is the Intrusion Prevention System works at every firewall state;
where IP Address Blocklist works just when the “Default firewall behavior” for both FORWARD and OUTGOING, are set to Blocked state.

IP_Address_Blocklist-004
IP_Address_Blocklist-004812×387 15.3 KB

Shouldn’t IPAB work equally? At every firewall status for safe.

IP_Address_Blocklist-001
IP_Address_Blocklist-001818×637 36.6 KB

Furthermore where made some tests, we recognized that somehow the IP Address Blocklist - Logs not work, when ex. ping IPs from TOR ALL list and others were blocked.
The count stay at 0 and 0% .
For test we took ex. the local IPFire list /var/lib/ipblocklist/TOR_ALL.conf for test…

IP_Address_Blocklist-003
IP_Address_Blocklist-003584×596 8.39 KB

IP_Address_Blocklist-002
IP_Address_Blocklist-002818×603 30.7 KB

BR
Trash

2

HI @trash-trash , I didn’t understand. it’s blocking , but not logging?, or IPBAdresses is disabled although being set to Drop in the webgui firewall options??
970p

3
  • IP Address Blocklist (just blocks when) the option "Default firewall behavior” FORWARD and OUTGOING, both are set to Blocked state.
  • Sending pings to IPs of example TOR ALL, at staus block, were not counted in the log, you see the counts are 0 and 0%.

Test that by setting both to Allowed, are you then able connect to TOR?

BR
Trash

1 Like
4

I had the IPBA engine working before with both options forward enabled. When we talked on PT rulesets that was my setup and was blocking Adresses from the lists. At the moment both are set to block and other 3 above to reject - working fine as well.
PS- I’m chosing reject to send signal of being a monitored network, except for tuneling protocols
G70P

5

@trash-trash sorry to ask, which release are you on, stable, tests or unstable?

6

I disabled every firewall rule.
I set firewall state to “Allowed” FORWARD and “Allowed” OUTGOING.
IDS kept to enabled.
SSH to IPFire, copy the IP Blocklist “TOR-ALL” file to PC… This list is active at IP Blocklist.
Now I send pings to IPs of that list, I get answer … are not droped.
I went to IP Blocklist Log, no recognition 0 and 0% .

I took an IP from IDS and sent ping, those pings are droped… either at this firewall state.

Now I set the firewall state back to “Blocked” FORWARD and “Blocked” OUTGOING…
Send ping to IPs of “TOR_ALL” list, they were now droped, but just in this firewall state.
I went to IP Blocklist Log, no recognition 0 and 0% .

BR
Trash

7

The other lists are droped?

8

It may happen that if you have TOR suricata rules enabled as well on the configuration, it may be first blocked on suricata and so doesn’t activate ip adress blocker?! /var/lib/suricata/emerging-tor.rules
Regards
G70P

9

@g70p
Suricata and IP Blocklist are two functions IPFire offer.
The matter is:
Suricata acts (at every firewall state), for IPs I took from Suricata lists.
IP Blocklist acts (at just blocked firewall state), for IPs I took from IP Blocklists.

So meant is, either IP Blocklist should act when firewall state is set to “Allowed” forwarding and “Allowed” outgoing.

That the log of IP Blocklist now not work at my IPFire, is an second matter.

BR
Trash

10

That’s awkward! Check if it’s logging the right time and day!
G70P

11

Captura de ecrã 2023-06-29 204522
Captura de ecrã 2023-06-29 204522374×637 16.1 KB

Captura de ecrã 2023-06-29 204410
Captura de ecrã 2023-06-29 2044101135×582 18.3 KB

Captura de ecrã 2023-06-29 204342
Captura de ecrã 2023-06-29 2043421084×650 18.8 KB

filtering and logging
suricata disabled on Red with firewall options to block both and reject.
Still having trouble with time settings,
Had to allow DNS on 53 but still looking for a way to keep only DOH and forward it
I believe there’s a streaming protocol H.323 that is not present that is being blocked by IPS, that’s why I need to disable Suricata on Red :smiley: to watch youtube.
Considerations about firewall rules are welcome.
Regards
G70P