New feature as of Core Update 170 -> IP-Reputation Blocking to keep known threats out.

Based on prior development by Tim FitzGeorge, Stefan brought a new feature to the firewall engine, which allows the easy activation of various public IP-based blocklists, just by a single click.

All enabled blocklists are updated automatically at an appropriate interval (a technique we already deployed for updating IPS rulesets), and protect against various threats, such as IP addresses or networks having a poor reputation, being involved with cyber crime hosting, or simply not allocated, hence no traffic should be routed to and from them.

You probably wonder why IPFire now comes with yet another way for IP-based blocking. There are several motivations behind this:

  • IP blocklists are already available for the Intrusion Prevention System. However, it is a rather expensive way for dealing with network traffic that can already be safely dropped based on the reputation of involved IPs. There is no need to waste more CPU resources on it than absolutely necessary - why not let the firewall engine itself handle such traffic, and bother the IPS with more relevant stuff?

  • The "drop all traffic from and to hostile networks" feature is meant as a basic level of network protection suitable for IPFire's entire user base, hence enabled by default. It protects against "the baddest of the bad" on the internet, and does not require any attention or maintenance whatsoever.

  • IP blocklists, as introduced with this Core Update, provide a more fine-grained level, and your mileage may vary: For example, blocking Tor traffic might be appropriate for some IPFire users, but certainly not for all of them. Some may find certain blocklists to be too aggressive for their use-case.

One size doesn't always fit all. The IP blocklist feature is IPFire's way of take this into account, and make further protection against network threats easy and resource-efficient.

The list category is a guide to how a list is generated. A reputation list trades off protection against false positives, so it is less likely to block addresses that have both good and bad traffic, but that means that it will not react as quickly to new threats compared to some of the other lists, but this lists all have their own purposes - you shouldn’t just enable one from each category. Ideally follow the link and try to understand what the list is meant to do before you decide whether to enable it or not.

Don’t enable all the lists - some of them are included in others:

  • BOGON_FULL includes BOGON
  • TOR_ALL includes TOR_EXIT

In general the first of each of these groups blocks more addresses, which provides better protection, but is more likely to block sites when it shouldn’t.

Don’t use the TOR lists if you’re using Tor.

The BOGON lists can completely block access to the internet if your RED interface uses one of the public IP address ranges (like 192.168. or 10.), but should be enabled otherwise.

EMERGING_FWRULE is a composite of some of the other lists, but updates only once a day (most of the lists can update several times a day).

Check if IP address is blocked

To find out if an IP is currently being blocked by an enabled list.

Create a new file and add the following code:

[[ -z "$1" ]] && { echo -e "Parameter is empty.\n  Usage: <IP address>" ; exit 1; }
while read setname; do
    results=$( /usr/sbin/ipset test "${setname}" "${1}" 2>&1 ) && echo "${results}"
done <<< $( /usr/sbin/ipset list -n )

And make executable:

chmod -v a+x

To execute: