Question to new IP Address Blocklists

mumpitz · 22 January 2023 12:17

Actually it is two questions, the new feature of address blacklists is actually the same as the lists from the IDS rules, or am I wrong and it is an additional feature? Where exactly is the difference the origin seems to be the same?

Second thing all the messages from the blacklist are nicely displayed in the log, there is even an extra menu where you can look at everything in detail, but why please the kernel log is overloaded with it in the overview and there was no extra point created. The kernel log of the gui has become completely unusable from the flood of messages that arrive there, can not design it differently?

Regards

larsen · 20 March 2023 09:37

As for the log: You should report this as a feature request. I also think it would be best to have this separated.

bonnietwin · 20 March 2023 12:09

Yes it is the same but the IP Blocklist approach is much less reaource intensive than the IPS is.

See the Core Update 170 release announcement
https://blog.ipfire.org/post/ipfire-2-27-core-update-170-released

and/or the wiki page for the IP Blocklist
https://wiki.ipfire.org/configuration/firewall/ipblocklist

Which cover that point.

Therefore you can remove some stuff from the IPS and have it focus on the bits not dealt with by IP Blocklist or the “drop all traffic from and to hostile networks” feature.

Yes, it would be good to raise this in the IPFire bug system as a feature improvement.

@timf and @helix could you comment on this improvement suggestion.

mumpitz · 22 March 2023 09:02

Ok, but how can I see from the IPS rules that they are IP blocking, to me the rules look more like they apply by port and packet content and not by IP. How do I know what to disable in the IPS?

mumpitz · 22 March 2023 09:13

Where can I do this?

bonnietwin · 22 March 2023 09:13

You have to do this as a bug report but add feature request in the title.

bonnietwin · 22 March 2023 09:25

You have to do some searching on the rules definitions or other descriptions provided by the ruleset providers.

For example, with Emerging Threats ruleset there is one called emerging-dshield.rules so don’t bother to check this one if you have the DSHIELD blocklist set up in IP Blocklists.

In the IP Blocklists if you click on the Emerging_Compromised link in the table it takes you to the Emerging Threats section for that rule set and there you can find this is the same as emerging-compromised.rules so again that can be unchecked in the IPS.

Basically you have to look through the lists anyway to make sure that you are only blocking what you want to block and you have to do some checking to see if you have some overlap between the different systems.

mumpitz · 22 March 2023 10:38

https://bugzilla.ipfire.org/show_bug.cgi?id=13068

I did it, Hopefully I have filled in everything correctly.

ok, thx, I will have a look in the rulesets, when I have time to do so.

bonnietwin · 22 March 2023 11:28

I have modified it a tiny bit.
The version should be 2 for IPFire2.x and not 3 which is for IPFire3.x
For any IPFire2.x bugs the component should always be the three dashes. The named components are for IPFire3.x bug use.