Tor and IPS conflict -- Suricata ruleset: where does it come from?

Hi, yep, this works very nicely. I also found another message which is Tor-related, and I tried to edit the file myself, but I don't know the exact stream event, so please tell me if this is correct:

pass tcp $EXTERNAL_NET any -> $HOME_NET $TOR_RELAY_PORT (msg:"LOCAL No alerts for 3way handshake SYNACK to server on SYN recv"; flowbits:noalert; stream-event:3whs_synack_to_server_on_syn_recv; classtype:protocol-command-decode; sid:1200005; rev:1;)

Second thing: I added a new line for the "3way handshake excessive different SYN/ACKs" messages, because they also come from my IP on the Tor port to others, so I only changed the direction.

pass tcp $EXTERNAL_NET any -> $HOME_NET $TOR_RELAY_PORT
pass tcp $HOME_NET $TOR_RELAY_PORT -> $EXTERNAL_NET any

Third thing: in the first line I saw a "!" before the $HTTP_PORTS; I deleted it because I still get these "HTTP gzip decompression failed" messages. Perhaps it works now.

Everything else in the IPS log is sometimes sparking sockets and sometimes my cell phone, and it is only about 10% of what otherwise arrived here... already much clearer.
Thank you very much for your work and help.

As I understand it, these are priority 3 messages, which are just messages anyway and don’t block anything.
Since I run a Tor Relay, these messages clutter up my log, so I wouldn’t notice important things.
I don't think it would be good if everyone did this, because these messages only come because of the Tor relay. But I would like to see the possibility of using such a function in IPFire as soon as you use the Tor relay. Also, a filter function in the logs would be very good, so that you can simply hide the messages you consider unimportant, as long as everything that should work does work.
The absolute crowning glory would be a function in the logs with which you could create a firewall rule for a single event with a simple mouse click. This would help the people who have a problem with manual creation, like me. I've been using IPFire for over 10 years now, but I despair of this feature because it never works the way I want it to, and I'm not really stupid.

And I have exactly the same problem with the new Location and Spamhaus blocklists, where IPs from a few Tor relays also turn up somewhere.
But maybe I’ll open another topic for that.
Because as a Tor relay operator I'm not interested in that; I have to be able to communicate with all relays. I do not run a web or mail server, only a VPN server.
The Tor relay will soon be joined by a BTC and Monero node, but they will run on a computer, not on the IPFire. I would like to keep my logs as clean as possible, and we are well on our way.
I had/have up to 20K messages a day in there, and I'm not so important that so much should hit here, and it's always the same messages.
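The following is an added example, not code from the forum post or from IPFire or Suricata. It generates the kind of directional `pass` rules discussed above for a list of stream events and sanity-checks them before they go into a local rules file. The two `stream-event` keywords are assumed to be the ones behind the quoted messages (check them against the `stream-events.rules` shipped with your Suricata version), `$TOR_RELAY_PORT` is assumed to be a port-group variable you define yourself in `suricata.yaml` (it is not a stock variable), and the sid numbering simply continues from the post's 1200005. The checker also catches the two copy-paste faults that stop a rule file from loading, a Unicode arrow in place of `->` and curly quotes, and flags a `pass` rule that has no `stream-event` keyword at all, because such a rule would exempt every packet on the Tor port from inspection rather than only the noisy handshake events.

```python
"""Generate and sanity-check Suricata 'pass' rules that silence stream-event
noise on a Tor relay port, in both traffic directions.

Added example; not from the forum post or from IPFire/Suricata.
Assumptions (verify against your installed stream-events.rules):
  - the two stream-event keywords below are the ones behind the messages
    "3way handshake SYNACK to server on SYN recv" and
    "3way handshake excessive different SYN/ACKs";
  - $TOR_RELAY_PORT is a port-group variable you define yourself in
    suricata.yaml (it is not a stock variable);
  - local sids start at 1200005, continuing the numbering from the post.
"""
import re

# (stream-event keyword, message text) -- assumed names, see docstring.
TOR_STREAM_EVENTS = [
    ("3whs_synack_to_server_on_syn_recv", "3way handshake SYNACK to server on SYN recv"),
    ("3whs_synack_flood", "3way handshake excessive different SYN/ACKs"),
]

RULE_RE = re.compile(
    r"^(?P<action>pass|alert|drop|reject)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<opts>.*)\)\s*$"
)


def make_pass_rules(events=TOR_STREAM_EVENTS, start_sid=1200005,
                    port_var="$TOR_RELAY_PORT"):
    """Return one pass rule per event per direction (inbound to the relay
    port, outbound from it). Each rule gets its own sid, since Suricata
    refuses to load a file with duplicate signature ids."""
    directions = [
        ("$EXTERNAL_NET", "any", "$HOME_NET", port_var, "inbound"),
        ("$HOME_NET", port_var, "$EXTERNAL_NET", "any", "outbound"),
    ]
    rules, sid = [], start_sid
    for event, desc in events:
        for src, sport, dst, dport, label in directions:
            rules.append(
                f'pass tcp {src} {sport} -> {dst} {dport} '
                f'(msg:"LOCAL Tor relay {label}: no alerts for {desc}"; '
                f'stream-event:{event}; classtype:protocol-command-decode; '
                f'sid:{sid}; rev:1;)'
            )
            sid += 1
    return rules


def parse_rule(rule):
    """Split a rule into header fields and an options dict. Rejects a
    Unicode arrow instead of '->' and curly quotes instead of straight
    ones, both of which make Suricata reject the rule."""
    if "\u2192" in rule or "\u201c" in rule or "\u201d" in rule:
        raise ValueError("non-ASCII arrow or quotes in rule")
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unparseable rule header: {rule!r}")
    opts = {}
    # key[:value]; pairs, where a value may be a quoted string containing ';'
    for key, val in re.findall(r'(\w[\w-]*)(?::((?:"[^"]*"|[^;])*))?;', m.group("opts")):
        opts[key] = val.strip().strip('"')
    header = m.groupdict()
    header.pop("opts")
    return header, opts


def check_rules(rules):
    """Return a list of problems (empty list means the set is clean):
    duplicate sids, a non-pass action, or a pass rule without a
    stream-event keyword, which would exempt all traffic on the port."""
    problems, seen = [], set()
    for rule in rules:
        header, opts = parse_rule(rule)
        sid = opts.get("sid")
        if sid in seen:
            problems.append(f"duplicate sid {sid}")
        seen.add(sid)
        if header["action"] != "pass":
            problems.append(f"sid {sid}: action is {header['action']}, not pass")
        if "stream-event" not in opts:
            problems.append(f"sid {sid}: no stream-event, rule would pass all traffic on the port")
    return problems


if __name__ == "__main__":
    generated = make_pass_rules()
    for r in generated:
        print(r)
    print("problems:", check_rules(generated))
```

A `pass` rule stops further inspection of the packet it matches, so keeping the `stream-event` keyword in every rule matters: it limits the exemption to the noisy handshake events instead of switching the IPS off for the whole Tor port. If you only want the alerts gone and the inspection kept, a `suppress` entry for the stock sid in Suricata's `threshold.config` does that without any pass rule.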