Where to find the log of "location blocked" packets?

Hi, I’ve been using ipfire for some weeks and I hope to learn many things…

In the “Location Block” page I selected ALL the countries except mine, saved the newly created rules, but then I noticed that in my firewall log I can no longer see dropped packets from blocked countries… Is this normal? If that’s the case, how can I see the log of all the dropped packets from blocked countries?

Thanks to all the people involved in this great project! :+1:

Welcome!

This is exactly the purpose of the location filter. Packets are being dropped anyways, but enabling the filter will keep the log quieter.

Ok, but I think it would be nice to have an option to see a log of all these blocked IPs. I would like to know from which countries I receive attempts to access my home server and, at the same time, I want ipfire to block them. Is it possible to do that?
Thanks!

In that case, disable the entire location filter and you will see logs in the logging section.

All incoming packets are always blocked unless you create any port forwardings.

Yes, I use port forwarding for a service on my home server. I would like to block all attempts to access my home server from countries different from mine, so I used the location blocker. It works, but then I cannot check from which countries I receive unwanted attempts to log in.

Maybe I could disable the location filter and modify the NAT firewall rule to accept packets only from my country? In this way I could see in the log access attempts from countries different from mine and at the same time block them, right?

Anyway, I find it strange that there isn’t a log somewhere to check all the blocked attempts from the location filter (or, even better, an option to give the user the ability to choose whether he/she wants to log those blocked attempts or not).

Yes, that is the way to go. For that port forwarding, you can select one country (or create a group with multiple) so that the port forwarding is only working for those.

It is strange, and I wouldn’t build it the same way again because most people use it wrong. It simply does seem too obvious.

Ok, thank you very much.
Now a related question is: I set up an OpenVPN server on ipfire. I think ipfire internally created a firewall rule (not visible in the WEB UI) to allow openvpn access from everyone (with the right certificate/credentials, of course) on the default vpn port. With “Location Block” disabled, how can I prevent users from other countries from attempting to access the vpn? I mean, do the firewall rules I can create in the WEB UI have priority over the internal openvpn rule ipfire creates?

These rules cannot be influenced at the moment, and I believe there is no harm in it from a security point of view. OpenVPN always requires certificate authentication which cannot be broken.

We have talked about this before and might add this feature you are asking for, but it is not very high on our priority list.

So, the OpenVPN server on ipfire is not influenced by custom firewall rules, and it’s not influenced by the Location Blocker when it is enabled?

Sorry, I don’t want to be annoying, but I think it would be very, very useful to have the following option in the IPFIRE Location Blocker page:

“Log Location Blocked packets” [Yes/No]

If I don’t have the above option, then if I want to block (drop) all OpenVPN packets with IPs not coming from my country and at the same time I want to log blocked attempts, how can I do it? Maybe a custom rule in the firewall.local script? But I’m just learning so I’m not so good with these iptables things…

If you disable the location filter (and do not disable any logging on the firewall options page) all packets that are being dropped will be logged.

Hi, actually I already disabled the location filter so that I can check stats on dropped packets. But as I said before, I would like to block (and log) openvpn connection attempts from other countries, and from my limited understanding of this schema (I’m not versed in iptables)…


…I think the OVPNINPUT table is located “before” the INPUTFW table, so if I create an input firewall rule in the WEB UI to block openvpn access from other countries, this rule will be placed in the INPUTFW table, i.e. “after” the OVPNINPUT table, so it will never be reached.

With an option to log the location blocked packets I could enable the location filter (all countries flagged apart from mine), block all unwanted traffic from other countries, and at the same time I could log them for statistic purposes.

Anyway, I think I could manually add some firewall rules inside the “firewall.local” script, and these should get priority because the CUSTOMINPUT table is placed before the OVPNINPUT table, but then I wonder whether the packets dropped due to these manually added rules would be logged…
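The approach sketched in the last post, as an added example that is not from the thread or from the IPFire project: a firewall.local script that inserts a LOG rule and a DROP rule into the CUSTOMINPUT chain (which IPFire evaluates before OVPNINPUT) for OpenVPN packets whose source country is not the home country. Because the rules are inserted by the script itself, logging does not depend on what IPFire does with drops in custom chains: the LOG rule in front of the DROP writes a kernel log line with a recognisable prefix for each dropped attempt. Assumptions, not facts from the thread: that the country match is available on the box as `-m geoip ! --src-cc CC` (the iptables extension the IPFire web UI relies on), that OpenVPN listens on 1194/udp, and that the home country is `IT`; all three are placeholders set at the top of the script. The commands are generated by a function so they can be reviewed with `DRY_RUN=1` before they touch the live firewall.

```shell
#!/bin/sh
# Added example for IPFire's /etc/sysconfig/firewall.local (not from the thread
# or from the IPFire project). Logs, then drops, OpenVPN packets from any source
# country other than HOME_CC, using the CUSTOMINPUT chain that IPFire consults
# before OVPNINPUT, so the rules are reached before the built-in OpenVPN accept.
#
# Assumptions (placeholders, adjust for your box):
#   - the country match exists as "-m geoip --src-cc", as used by the IPFire web UI
#   - OpenVPN listens on 1194/udp
#   - the home country code is IT

HOME_CC="${HOME_CC:-IT}"          # assumed home country (ISO 3166 code)
OVPN_PORT="${OVPN_PORT:-1194}"    # assumed OpenVPN port
OVPN_PROTO="${OVPN_PROTO:-udp}"   # assumed OpenVPN protocol
LOG_PREFIX="OVPN_GEO_DROP "       # grep for this prefix in /var/log/messages

# Print the iptables commands for action "add" (insert at top) or "del" (delete).
# Printing them instead of running them directly keeps them reviewable and testable.
ovpn_geo_rules() {
    action="$1"
    case "$action" in
        add) op="-I"; pos="1" ;;
        del) op="-D"; pos="" ;;
        *)   echo "ovpn_geo_rules: unknown action '$action'" >&2; return 1 ;;
    esac
    # Match OpenVPN traffic whose source country is NOT the home country.
    match="-p $OVPN_PROTO --dport $OVPN_PORT -m geoip ! --src-cc $HOME_CC"
    # Insert DROP first, then LOG in front of it; after "add" the chain reads
    # LOG, DROP, so every dropped attempt is logged before it is discarded.
    # The LOG rule is rate limited so a scan cannot flood the log.
    echo "iptables $op CUSTOMINPUT $pos $match -j DROP"
    echo "iptables $op CUSTOMINPUT $pos $match -m limit --limit 10/minute --limit-burst 20 -j LOG --log-prefix \"$LOG_PREFIX\" --log-level info"
}

# Run the generated commands; with DRY_RUN=1 they are only printed.
ovpn_geo_apply() {
    ovpn_geo_rules "$1" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$cmd"
        else
            eval "$cmd"
        fi
    done
}

# IPFire calls firewall.local with start/stop/reload; with no argument the
# script only defines the functions above (useful for sourcing and testing).
case "${1:-}" in
    start)  ovpn_geo_apply add ;;
    stop)   ovpn_geo_apply del ;;
    reload) ovpn_geo_apply del; ovpn_geo_apply add ;;
    "")     ;;
    *)      echo "Usage: $0 {start|stop|reload}" >&2 ;;
esac
```

Review the generated rules first with `DRY_RUN=1 sh firewall.local start`; once they look right, `sh firewall.local reload` installs them, and dropped attempts show up as lines containing `OVPN_GEO_DROP` in the kernel log, with `SRC=` giving the address to count per source for the statistics the thread asks about. Note that these rules sit in front of OVPNINPUT, so a wrong country code would lock out legitimate clients: test from inside the home country before relying on it.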