There is an untested part of GDPR here.
IP Addresses can be personally identifying information if they are associated with other information (people’s identities). Web and firewall logs are are record of (some) internet activities and these activities can be deemed sensitive under GDPR.
In IPFire’s case, the combination of DHCP records and the proxy logs allows internet browsing to be associated with an identified computer, which may or may not be a single individual’s computer. More information (from another database / source) is needed to make this personally identifying.
If that “other information” is held within the same company / organisation, then there is the potential for the company / organisation to associate the internet activity with the individual and so the logs then contain potentially sensitive personal information (e.g. porn site browsing).
If the other information is held elsewhere, then you’re into a GDPR grey area. There have been no test cases about whether combining databases from inside a company / organisation and outside it to identify individuals’ activities makes that personally sensitive information.
If there is no database within the company / organisation which associates the computer with a person, then the trail runs cold there and it’s not personally identifying. This is unlikely within most organisations as they have, for instance, authentication systems which identify individuals and their computer or IP Address.
The masquerading firewall (IPFire) assists in protecting such sensitive information from outside parties by combining all the internet activity of all the individuals into one IP Address externally, so reducing the likelihood that any request or pattern of internet activity can be associated with an individual.
So, in summary, the firewall logs could be construed as personally identifying and the internet browsing activity could be sensitive so they’re best protected as if they were. But as this is a firewall, you’d hope the device is well protected against access and so the logs are secure. That should be enough, unless you’re extracting the logs and storing them elsewhere. In that case, you need to do whatever you need to do to protect that database.
Yours
David