Re: [PATCH 0/5] ipblacklist: IP Address Blacklists

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH 0/5] ipblacklist: IP Address Blacklists
Date: Mon, 25 Nov 2019 21:09:00 +0000	[thread overview]
Message-ID: <20e899be-8ec0-c27a-a0ae-82b92332faab@ipfire.org> (raw)
In-Reply-To: <20191125201309.10840-1-ipfr@tfitzgeorge.me.uk>

[-- Attachment #1: Type: text/plain, Size: 4238 bytes --]

Hello Tim,

thank you very much for providing this patchset. After having read
through it, I consider this being an extremely helpful addition to
IPFire, especially when it comes to dropping bogon and unallocated
prefixes - which can be safely enabled by default as far as I am concerned.

Unfortunately, I am currently busy, so please give me a few days for
having a closer look at all these patches. :-)

Just a footnote: The DShield/ISC SANS feed is also available at
http://feeds.dshield.org/block.txt , which seems to be the preferred
location for fetching the file (I believe https://www.dshield.org/block.txt
exists for compatibility reasons).

blocklist.de (https://lists.blocklist.de/lists/all.txt) might be another
interesting data feed; I will hand in patches for it as soon yours
were accepted.

Many thanks again, and best regards,
Peter Müller

> Implements downloading of IP address blacklists and implementing
> them as IPSets.  A separate IPSet is used for each blacklist; this
> simplifies handling of overlaps between different lists.  Traffic
> to or from the red0/ppp0 interface is checked against the IPSets.
> The check is placed before the IPS check as the IPSet check is
> much lighter on CPU use which means that overall CPU use is
> reduced.
> 
> The available lists are defined in a separate file.  A WUI page
> allows the desired lists to be enabled and the interval between
> checks for updates to be defined.  A minimum update check interval
> is defined for each blacklist in the definition file.
> 
> Optionally, an automatically updating blacklist can be enabled.
> This adds addresses to an IPSet if the rate of packets dropped by
> the default red0/ppp0 input policy exceeds a user defined threshold.
> The addresses are kept in the IPSet until a user defined period
> without packets from the blocked address has passed.
> 
> Tim FitzGeorge (5):
>   ipblacklist: Main script
>   ipblacklist: WUI and language file
>   ipblacklist: Ancillary files
>   ipblacklist: Modifications to system
>   ipblacklist: Build infrastructure
> 
>  config/backup/backup.pl                     |    1 +
>  config/backup/include                       |    2 +
>  config/firewall/firewall-policy             |    5 +
>  config/ipblacklist/sources                  |  151 +++
>  config/logwatch/ipblacklist                 |  103 ++
>  config/logwatch/ipblacklist.conf            |   34 +
>  config/menu/50-firewall.menu                |    5 +
>  config/rootfiles/common/aarch64/stage2      |    1 +
>  config/rootfiles/common/configroot          |    2 +
>  config/rootfiles/common/ipblacklist-sources |    1 +
>  config/rootfiles/common/logwatch            |    2 +
>  config/rootfiles/common/misc-progs          |    2 +
>  config/rootfiles/common/stage2              |    1 +
>  config/rootfiles/common/web-user-interface  |    1 +
>  config/rootfiles/common/x86_64/stage2       |    1 +
>  html/cgi-bin/ipblacklist.cgi                |  725 +++++++++++++
>  html/cgi-bin/logs.cgi/log.dat               |    2 +
>  langs/en/cgi-bin/en.pl                      |   31 +
>  lfs/configroot                              |    4 +-
>  lfs/ipblacklist-sources                     |   53 +
>  lfs/logwatch                                |    2 +
>  make.sh                                     |   11 +-
>  src/initscripts/system/firewall             |   20 +
>  src/misc-progs/Makefile                     |    2 +-
>  src/misc-progs/getipsetstat.c               |   28 +
>  src/misc-progs/ipblacklistctrl.c            |   52 +
>  src/scripts/ipblacklist                     | 1558 +++++++++++++++++++++++++++
>  27 files changed, 2792 insertions(+), 8 deletions(-)
>  create mode 100644 config/ipblacklist/sources
>  create mode 100644 config/logwatch/ipblacklist
>  create mode 100644 config/logwatch/ipblacklist.conf
>  create mode 100644 config/rootfiles/common/ipblacklist-sources
>  create mode 100644 html/cgi-bin/ipblacklist.cgi
>  create mode 100644 lfs/ipblacklist-sources
>  create mode 100644 src/misc-progs/getipsetstat.c
>  create mode 100644 src/misc-progs/ipblacklistctrl.c
>  create mode 100755 src/scripts/ipblacklist
>

next prev parent reply	other threads:[~2019-11-25 21:09 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-25 20:13 Tim FitzGeorge
2019-11-25 20:13 ` [PATCH 1/5] ipblacklist: Main script Tim FitzGeorge
2019-11-25 20:13 ` [PATCH 2/5] ipblacklist: WUI and language file Tim FitzGeorge
2019-11-25 20:13 ` [PATCH 3/5] ipblacklist: Ancillary files Tim FitzGeorge
2019-11-25 20:13 ` [PATCH 4/5] ipblacklist: Modifications to system Tim FitzGeorge
2019-11-25 20:13 ` [PATCH 5/5] ipblacklist: Build infrastructure Tim FitzGeorge
2019-11-25 21:09 ` Peter Müller [this message]
2019-11-27 21:34   ` [PATCH 0/5] ipblacklist: IP Address Blacklists Tim FitzGeorge
2019-11-28 12:03 ` Michael Tremer
2019-11-28 21:39   ` Peter Müller
2019-11-29 23:25     ` Tim FitzGeorge
2019-12-02 11:17       ` Michael Tremer
2019-12-04 17:05         ` Peter Müller
2019-12-05 22:25           ` Michael Tremer
2019-12-08 20:50             ` Tim FitzGeorge
2019-12-13 23:11               ` Michael Tremer
2019-12-02 11:06     ` Michael Tremer
     [not found] <c0c3b48a-f773-8002-a004-82ff150ea1bb@tfitzgeorge.me.uk>
2019-12-16 22:20 ` Michael Tremer
2019-12-16 23:05   ` Tom Rymes
2019-12-18 12:10     ` Michael Tremer
2019-12-28 21:17       ` Tim FitzGeorge
2020-01-06 11:21         ` Michael Tremer
2020-01-22 20:35           ` Tim FitzGeorge
2020-01-23 10:53             ` Michael Tremer
     [not found] <6583305a-cd0d-94a5-aa8e-5456622de824@tfitzgeorge.me.uk>
2019-12-18 12:07 ` Michael Tremer
2019-12-21 18:34   ` Tim FitzGeorge
2019-12-24 10:29     ` Michael Tremer
2019-12-28 20:59     ` Tim FitzGeorge
     [not found] <aeb93668-a4b6-5735-1f68-fd53cafa2210@tfitzgeorge.me.uk>
2020-01-06 11:27 ` Michael Tremer
2020-01-24 19:40   ` Tim FitzGeorge
2020-01-28 17:14     ` Michael Tremer
2020-01-29 20:40       ` Tim FitzGeorge
2020-01-30 12:54         ` Michael Tremer
2020-01-30 20:24           ` Tim FitzGeorge
2020-01-30 21:26             ` Michael Tremer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20e899be-8ec0-c27a-a0ae-82b92332faab@ipfire.org \
    --to=peter.mueller@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox