Re: Logging Locationblock packets

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3238 bytes --]

Hello Rob,

Good to hear from you again.

> On 9 Nov 2024, at 14:00, Rob Brewer <ipfire-devel(a)grantura.co.uk> wrote:
> 
> As  a contributor to the SANS ISC,  I email my IPTABLES logs hourly to 
> the 
> Dshield database, however the default IPFire IPTABLES logs are incomplete 
> since packets dropped by Locationblock are not logged to syslog.

This is correct.

> As a workaround I edit the locationblock function of rules.pl to add a 
> IPTABLES rule to log the dropped packets. This edit does not of course 
> survive any Core-Updates that upgrade rules.pl and the edit needs to be 
> re-applied.
> 
> In addition, unless the Locationblock packets are logged to syslog the 
> data 
> displayed in the Firewall logs sections are incomplete as the packets 
> dropped by Location Block are not displayed.
> 
> I understand that the original intension of the Location Block feature 
> was 
> to reduce the amount of log messages on installations running on 
> extremely 
> cheap flash storage. I suspect that these installations are now almost 
> zero 
> especially since IPFire no longer supports 32 bit versions.
> 
> The obvious solution to this to make Location Block logging selectable as 
> a 
> firewall option and my quick look at making a patches for this would seem 
> to 
> be fairly simple task to rules.pl and and optionsfw.cgi. 
> 
> I would be happy to provide the necessary patches should this be 
> acceptable.

I think a couple of things have changed since we introduced this feature and we have also learned a couple of lessons here:

* Yes it is true that this was introduced to keep the logs smaller, but not necessarily to avoid using storage, mainly to keep them readable by a human. I was always a bit doubtful about this and believe that apart from this, there is no more value in a general location blocking feature. The firewall will drop those packets anyway.

* People seem to misunderstand this feature: The block as many countries as they can click on and think that this makes things “more secure”, which of course it doesn’t.

* What I personally like as a feature is to apply location filters to individual rules. That allows to apply rate limits in a few places and easily select some larger groups of potentially less interesting traffic.

* Back when this was introduced there was also a lot less use of botnets as we know them now. Pretty much all recent DoS attacks I remember have been coming from all over the world because systems where compromised wherever they were. This renders the filter absolutely useless.

* Infrastructure is becoming more centralised. Some people attempt to block the US and pretty much nothing works any more. Well…

Therefore I am happy to rethink this feature - personally I would even remove it entirely, but I don’t like to handle the stress about this now.

I think this should log now. I don’t think there is any legitimate reason to disable firewall logging at all. This is the paper trail that you want when debugging anything or doing forensics on an attack. Certainly bad flash is not a valid reason for me.

I would be happy to hear some more opinions on this from the list.

-Michael