Bug 11532

Summary: Guardian does not block malicious destination IPs
Product: IPFire
Reporter: Peter Müller <peter.mueller>
Component: ---
Assignee: Stefan Schantl <stefan.schantl>
Status: CLOSED DUPLICATE
QA Contact: Peter Müller <peter.mueller>
Severity: Security
Priority: Will affect an average number of users
CC: michael.tremer
Version: 2
Keywords: Security
Hardware: all
OS: All
See Also: https://bugzilla.ipfire.org/show_bug.cgi?id=10273
https://bugzilla.ipfire.org/show_bug.cgi?id=11761
Bug Depends on: 10273
Bug Blocks: 11542

Description Peter Müller 2017-10-26 20:57:06 UTC
When accessing a malicious IP (tested with 37.120.189.254, which is listed as a C&C server in the Emerging Threats botcc ruleset) from a network behind IPFire (i.e. GREEN), snort triggers an alert:

Date: 10/26 20:40:01
Name: ET CNC Shadowserver Reported CnC Server TCP group 27
Priority: 1
Type: A Network Trojan was Detected
IP Info: 87.173.XXX.XXX:37687 -> 37.120.189.254:80
SID: 2404052
Refs: http://www.shadowserver.org, http://doc.emergingthreats.net/bin/view/Main/BotCC

However, since the source IP address is the firewall itself, Guardian does nothing. The client is able to access the C&C IP.

Guardian should check if a snort alert is triggered because of the _destination_ IP. If yes, and it does not belong to the DNS servers or the machine's gateway, the destination IP should be blocked.

I consider this bug to be a security risk.
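The decision logic proposed in the report, as an added illustration that is not Guardian's own code: parse the `IP Info` line of a snort alert and, when the source is the firewall itself (NAT), fall back to blocking the destination unless it is one of the addresses that must never be blocked. The alert text is constructed from the one quoted above; 192.0.2.10 stands in for the masked RED address, and the gateway, DNS server and GREEN network addresses are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample alert in the format quoted in the report; 192.0.2.10 stands in for the
# firewall's (masked) RED address, 37.120.189.254 is the destination from the report.
SAMPLE_ALERT = """Date: 10/26 20:40:01
Name: ET CNC Shadowserver Reported CnC Server TCP group 27
Priority: 1
Type: A Network Trojan was Detected
IP Info: 192.0.2.10:37687 -> 37.120.189.254:80
SID: 2404052
"""

# "IP Info: <src>[:<port>] -> <dst>[:<port>]" (port is absent for ICMP alerts)
IP_INFO = re.compile(r"^IP Info:\s*([^\s:]+)(?::\d+)?\s*->\s*([^\s:]+)(?::\d+)?", re.M)

# Hypothetical exclusion list (all addresses constructed): the firewall's own interface,
# its gateway, its DNS server and the local GREEN network must never end up in a block rule.
NEVER_BLOCK = [
    ipaddress.ip_network("192.0.2.10/32"),    # RED address of the firewall
    ipaddress.ip_network("192.0.2.1/32"),     # default gateway
    ipaddress.ip_network("192.0.2.53/32"),    # upstream DNS server
    ipaddress.ip_network("192.168.1.0/24"),   # GREEN network
]


def parse_alert(text):
    """Return (source, destination) address strings from one snort alert block."""
    m = IP_INFO.search(text)
    if not m:
        raise ValueError("alert has no 'IP Info' line")
    return m.group(1), m.group(2)


def is_protected(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NEVER_BLOCK)


def choose_block_target(src, dst):
    """Address to block, or None. Guardian today only considers src; the proposed fix
    additionally blocks dst when src is the firewall and dst is not a protected address."""
    if not is_protected(src):
        return src      # existing behaviour: an external source hitting the firewall
    if not is_protected(dst):
        return dst      # proposed: outbound connection from GREEN to a flagged destination
    return None         # both sides protected (e.g. alert on DNS traffic): block nothing
```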
Comment 1 Peter Müller 2017-11-08 16:22:24 UTC
WIP, see: https://wiki.ipfire.org/devel/telco/2017-11-06
Comment 2 Peter Müller 2018-06-19 20:33:52 UTC
- ping -
Comment 3 Peter Müller 2018-07-11 18:47:10 UTC

*** This bug has been marked as a duplicate of bug 10273 ***