Safe to drop Networks

The blog post blog.ipfire.org - Introducing elementary network protection: Dropping all traffic from and to hostile networks by default announces a very good and easy to use feature. Thanks a lot for that :+1:. Does it have the same effect as when I use the location based filter and tick the “hostile network safe to drop” box? Or will that just block incoming traffic on Red and not outgoing from Green?

1 Like

Hi,

glad you like this feature. Let’s hope it makes the internet a less dangerous place for IPFire users… :slight_smile:

No.

Yes.

Actually, the incoming traffic is not really that interesting to me anymore. Every software should be able to handle bad packets from the internet (at IPFire, we certainly do :wink: ). What’s more interesting nowadays in terms of security is the outgoing traffic of clients and so on - hence the “drop hostile” feature.

Thanks, and best regards,
Peter Müller

4 Likes

@pmueller : Thanks for your explanation and the insights! :+1:

1 Like

Hello @pmueller,
If the dest_ip is both XD and also belonging to a country to which exit traffic is blocked (custom/manual rule in FORWARDFW), which will take precedence?
I guess my question can also be asked like this: in what chain will the XD block be placed, and what is that chain's position relative to FORWARDFW?
For years I have been running FORWARDFW rules to block many countries… therefore there is a high chance that my rules overlap the upcoming Safe to Drop rules …
Thanks!
H&M

Hi,

sorry for my late reply.

The “drop hostile” feature comes relatively at the beginning of the firewall engine, so it will take precedence over any firewall rules configured in the GUI.

Depending on what countries these are, I don’t think there will be a near-complete overlap. For example, a decent amount of these “hostile” networks are located in US and NL, which are rarely blocked in general due to many false positives.

However, since the “drop hostile” feature logs dropped packets, you will notice how big the overlap is by looking at the prefixes of dropped packets in the firewall log.

Thanks, and best regards,
Peter Müller
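As an added example (not from the thread or the IPFire project), one way to measure the overlap Peter describes: parse netfilter-style firewall log lines, aggregate the hostile-side addresses of dropped packets by prefix, and count how many would also have hit the admin's own country block rules. The `DROP_HOSTILE` log prefix, the interface names, the sample lines and the block list are assumptions constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in netfilter/syslog style. The "DROP_HOSTILE" prefix,
# interface names and addresses are assumptions, not copied from an IPFire box.
SAMPLE_LOG = """\
Jan 10 10:00:01 ipfire kernel: DROP_HOSTILE IN=green0 OUT=red0 SRC=192.168.1.20 DST=203.0.113.7 PROTO=TCP DPT=443
Jan 10 10:00:02 ipfire kernel: DROP_HOSTILE IN=green0 OUT=red0 SRC=192.168.1.21 DST=203.0.113.9 PROTO=TCP DPT=80
Jan 10 10:00:03 ipfire kernel: DROP_HOSTILE IN=red0 OUT= SRC=198.51.100.5 DST=192.0.2.1 PROTO=TCP DPT=22
Jan 10 10:00:04 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=198.51.100.77 DST=192.0.2.1 PROTO=UDP DPT=53
Jan 10 10:00:05 ipfire kernel: DROP_HOSTILE IN=green0 OUT=red0 SRC=192.168.1.20 DST=203.0.113.250 PROTO=UDP DPT=123
"""

# Constructed stand-in for networks the admin already blocks with FORWARDFW rules.
OWN_BLOCKLIST = [ip_network("203.0.113.0/25")]

LINE_RE = re.compile(
    r"kernel: (?P<prefix>\S+) IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
)


def parse_hostile_drops(text, prefix="DROP_HOSTILE"):
    """Yield (direction, remote_ip) for every line logged under `prefix`.
    For outgoing traffic (OUT set) the hostile side is DST, for incoming it is SRC."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["prefix"] != prefix:
            continue
        if m["out"]:
            yield "outgoing", ip_address(m["dst"])
        else:
            yield "incoming", ip_address(m["src"])


def summarize(text, own_blocklist, prefix_len=24):
    """Count dropped packets per (direction, /prefix_len) of the remote address and
    report how many of them would also have matched the admin's own block rules."""
    per_prefix = Counter()
    total = overlap = 0
    for direction, addr in parse_hostile_drops(text):
        total += 1
        net = ip_network(f"{addr}/{prefix_len}", strict=False)
        per_prefix[(direction, str(net))] += 1
        if any(addr in blocked for blocked in own_blocklist):
            overlap += 1
    return per_prefix, total, overlap


if __name__ == "__main__":
    counts, total, overlap = summarize(SAMPLE_LOG, OWN_BLOCKLIST)
    for (direction, net), n in counts.most_common():
        print(f"{direction:9} {net:20} {n}")
    print(f"{overlap} of {total} hostile drops also matched your own rules")
```

On a real system, feed it the firewall log instead of `SAMPLE_LOG` and replace `OWN_BLOCKLIST` with the networks your FORWARDFW rules actually cover.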