Actually it is two questions. Is the new address blacklist feature actually the same as the lists from the IDS rules, or am I wrong and it is an additional feature? Where exactly is the difference? The origin seems to be the same.
Second thing: all the messages from the blacklist are nicely displayed in the log, and there is even an extra menu where you can look at everything in detail, but why is the kernel log in the overview overloaded with them, and why was no extra point created? The kernel log of the GUI has become completely unusable from the flood of messages that arrive there. Can it not be designed differently?
Therefore you can remove some stuff from the IPS and have it focus on the bits not dealt with by IP Blocklist or the “drop all traffic from and to hostile networks” feature.
Yes, it would be good to raise this in the IPFire bug system as a feature improvement.
@timf and @helix, could you comment on this improvement suggestion?
OK, but how can I see from the IPS rules that they are IP blocking? To me the rules look more like they apply by port and packet content and not by IP. How do I know what to disable in the IPS?
You have to do some searching on the rules definitions or other descriptions provided by the ruleset providers.
For example, with the Emerging Threats ruleset there is one called emerging-dshield.rules, so don’t bother to check this one if you have the DSHIELD blocklist set up in IP Blocklists.
In the IP Blocklists, if you click on the Emerging_Compromised link in the table, it takes you to the Emerging Threats section for that rule set, and there you can find that this is the same as emerging-compromised.rules, so again that can be unchecked in the IPS.
Basically you have to look through the lists anyway to make sure that you are only blocking what you want to block and you have to do some checking to see if you have some overlap between the different systems.
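One way to do the checking described above, as an added example that is not part of the original posts and is not IPFire or ruleset-provider code: a rule file whose rules match only literal address lists and inspect no payload is a candidate overlap with an IP blocklist. The sample rules, sids and the keyword list are constructed for illustration, and the check is a heuristic.

```python
import re

# Option keywords that inspect packet payload (heuristic subset, an assumption
# of this example). A rule using one of them is more than an address list.
PAYLOAD_KEYWORDS = ("content", "pcre", "byte_test", "byte_jump", "isdataat")
PAYLOAD_RE = re.compile(r"[(;]\s*(?:%s)\s*:" % "|".join(PAYLOAD_KEYWORDS))
# Literal IPv4 address or bracketed list, e.g. [192.0.2.0/24,198.51.100.7]
LITERAL_ADDR_RE = re.compile(r"^!?\[?\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")

def classify_rule(line):
    """Return 'ip-list', 'other', or None for blanks, comments, unparsable lines."""
    line = line.strip()
    if not line or line.startswith("#") or "(" not in line:
        return None
    header, options = line.split("(", 1)
    fields = header.split()  # action proto src sport direction dst dport
    if len(fields) != 7:
        return None
    src, dst = fields[2], fields[5]
    literal = LITERAL_ADDR_RE.match(src) or LITERAL_ADDR_RE.match(dst)
    if literal and not PAYLOAD_RE.search("(" + options):
        return "ip-list"
    return "other"

def file_is_ip_list_only(rules_text):
    """True when every active rule in the text is a pure address-list rule."""
    kinds = [k for k in map(classify_rule, rules_text.splitlines()) if k]
    return bool(kinds) and all(k == "ip-list" for k in kinds)

# Constructed sample in the style of an address-list rule file.
SAMPLE_ADDRESS_LIST = '''
# constructed sample, documentation address ranges only
alert ip [192.0.2.0/24,198.51.100.0/24] any -> $HOME_NET any (msg:"EXAMPLE Block Listed Source group 1"; threshold: type limit, track by_src, seconds 3600, count 1; classtype:misc-attack; sid:1000001; rev:1;)
alert ip [203.0.113.0/24] any -> $HOME_NET any (msg:"EXAMPLE Block Listed Source group 2"; classtype:misc-attack; sid:1000002; rev:1;)
'''

# Constructed sample of a rule that matches on port and packet content.
SAMPLE_PAYLOAD = '''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE payload match"; flow:to_server,established; content:"/example.php"; sid:1000003; rev:1;)
'''

if __name__ == "__main__":
    for name, text in (("address list", SAMPLE_ADDRESS_LIST), ("payload", SAMPLE_PAYLOAD)):
        print(name, "->", "IP list only" if file_is_ip_list_only(text) else "keep in IPS")
```

A file flagged as IP list only still needs to be compared against the blocklist you actually enabled before it is unchecked in the IPS.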
I have modified it a tiny bit.
The version should be 2 for IPFire2.x and not 3, which is for IPFire3.x.
For any IPFire2.x bugs the component should always be the three dashes. The named components are for IPFire3.x bug use.