From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH 0/5] ipblacklist: IP Address Blacklists
Date: Mon, 25 Nov 2019 21:09:00 +0000
Message-ID: <20e899be-8ec0-c27a-a0ae-82b92332faab@ipfire.org>
In-Reply-To: <20191125201309.10840-1-ipfr@tfitzgeorge.me.uk>

Hello Tim,

thank you very much for providing this patchset. After having read through it, I consider this an extremely helpful addition to IPFire, especially when it comes to dropping bogon and unallocated prefixes - which can be safely enabled by default as far as I am concerned.

Unfortunately, I am currently busy, so please give me a few days for having a closer look at all these patches. :-)

Just a footnote: The DShield/ISC SANS feed is also available at http://feeds.dshield.org/block.txt , which seems to be the preferred location for fetching the file (I believe https://www.dshield.org/block.txt exists for compatibility reasons).

blocklist.de (https://lists.blocklist.de/lists/all.txt) might be another interesting data feed; I will hand in patches for it as soon as yours have been accepted.

Many thanks again, and best regards,
Peter Müller

> Implements downloading of IP address blacklists and implementing
> them as IPSets. A separate IPSet is used for each blacklist; this
> simplifies handling of overlaps between different lists. Traffic
> to or from the red0/ppp0 interface is checked against the IPSets.
> The check is placed before the IPS check as the IPSet check is
> much lighter on CPU use which means that overall CPU use is
> reduced.
>
> The available lists are defined in a separate file. A WUI page
> allows the desired lists to be enabled and the interval between
> checks for updates to be defined. A minimum update check interval
> is defined for each blacklist in the definition file.
>
> Optionally, an automatically updating blacklist can be enabled.
> This adds addresses to an IPSet if the rate of packets dropped by
> the default red0/ppp0 input policy exceeds a user defined threshold.
> The addresses are kept in the IPSet until a user defined period
> without packets from the blocked address has passed.
>
> Tim FitzGeorge (5):
>   ipblacklist: Main script
>   ipblacklist: WUI and language file
>   ipblacklist: Ancillary files
>   ipblacklist: Modifications to system
>   ipblacklist: Build infrastructure
>
>  config/backup/backup.pl                     |    1 +
>  config/backup/include                       |    2 +
>  config/firewall/firewall-policy             |    5 +
>  config/ipblacklist/sources                  |  151 +++
>  config/logwatch/ipblacklist                 |  103 ++
>  config/logwatch/ipblacklist.conf            |   34 +
>  config/menu/50-firewall.menu                |    5 +
>  config/rootfiles/common/aarch64/stage2      |    1 +
>  config/rootfiles/common/configroot          |    2 +
>  config/rootfiles/common/ipblacklist-sources |    1 +
>  config/rootfiles/common/logwatch            |    2 +
>  config/rootfiles/common/misc-progs          |    2 +
>  config/rootfiles/common/stage2              |    1 +
>  config/rootfiles/common/web-user-interface  |    1 +
>  config/rootfiles/common/x86_64/stage2       |    1 +
>  html/cgi-bin/ipblacklist.cgi                |  725 +++++++++++++
>  html/cgi-bin/logs.cgi/log.dat               |    2 +
>  langs/en/cgi-bin/en.pl                      |   31 +
>  lfs/configroot                              |    4 +-
>  lfs/ipblacklist-sources                     |   53 +
>  lfs/logwatch                                |    2 +
>  make.sh                                     |   11 +-
>  src/initscripts/system/firewall             |   20 +
>  src/misc-progs/Makefile                     |    2 +-
>  src/misc-progs/getipsetstat.c               |   28 +
>  src/misc-progs/ipblacklistctrl.c            |   52 +
>  src/scripts/ipblacklist                     | 1558 +++++++++++++++++++++++++++
>  27 files changed, 2792 insertions(+), 8 deletions(-)
>  create mode 100644 config/ipblacklist/sources
>  create mode 100644 config/logwatch/ipblacklist
>  create mode 100644 config/logwatch/ipblacklist.conf
>  create mode 100644 config/rootfiles/common/ipblacklist-sources
>  create mode 100644 html/cgi-bin/ipblacklist.cgi
>  create mode 100644 lfs/ipblacklist-sources
>  create mode 100644 src/misc-progs/getipsetstat.c
>  create mode 100644 src/misc-progs/ipblacklistctrl.c
>  create mode 100755 src/scripts/ipblacklist
>
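The automatic blacklist the cover letter describes (block a source once the rate of packets dropped by the red0/ppp0 input policy exceeds a threshold, keep it blocked until a period without packets from it has passed), modelled as an added Python example that is not part of the patchset or of IPFire: it parses constructed DROP_INPUT log lines, applies a sliding-window rate threshold per source on the external interfaces only, and emits the ipset commands a controller would run. The log layout, the set name ipfire_autoblacklist and the threshold/window/idle values are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample drop log (assumed iptables LOG layout with a DROP_INPUT prefix).
SAMPLE_LOG = """\
Nov 25 21:00:01 fw kernel: DROP_INPUT IN=red0 SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP DPT=22
Nov 25 21:00:02 fw kernel: DROP_INPUT IN=red0 SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP DPT=23
Nov 25 21:00:03 fw kernel: DROP_INPUT IN=red0 SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP DPT=445
Nov 25 21:00:04 fw kernel: DROP_INPUT IN=green0 SRC=10.0.0.5 DST=203.0.113.2 PROTO=TCP DPT=80
Nov 25 21:00:05 fw kernel: DROP_INPUT IN=red0 SRC=192.0.2.9 DST=203.0.113.2 PROTO=UDP DPT=53
Nov 25 21:03:30 fw kernel: DROP_INPUT IN=red0 SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP DPT=22
"""
LOG_RE = re.compile(r"(\d\d):(\d\d):(\d\d) \S+ kernel: DROP_INPUT IN=(\S+) SRC=([\d.]+)")
SET_NAME = "ipfire_autoblacklist"  # hypothetical ipset name
def parse_line(line):
    # Return (seconds since midnight, interface, source) or None for unrelated lines.
    m = LOG_RE.search(line)
    if not m:
        return None
    h, mi, s, iface, src = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s), iface, src

class AutoBlacklist:
    """Block after `threshold` drops in `window_s` s on red0/ppp0; release after `idle_s` s idle."""
    def __init__(self, threshold, window_s, idle_s, ifaces=("red0", "ppp0")):
        self.threshold, self.window_s, self.idle_s, self.ifaces = threshold, window_s, idle_s, ifaces
        self.hits = defaultdict(deque)  # src -> timestamps of recent drops
        self.blocked = {}               # src -> last time a packet was seen
    def observe(self, ts, iface, src):
        # Feed one drop event; return the ipset command to run, if any.
        if iface not in self.ifaces:    # only the external interfaces count
            return None
        if src in self.blocked:         # already blocked: refresh idle timer
            self.blocked[src] = ts
            return None
        q = self.hits[src]
        q.append(ts)
        while q and ts - q[0] > self.window_s:  # slide the rate window
            q.popleft()
        if len(q) < self.threshold:
            return None
        self.blocked[src] = self.hits.pop(src)[-1]  # == ts; start idle timer
        return f"ipset add {SET_NAME} {src}"
    def expire(self, now):
        """Release sources idle longer than idle_s; return the ipset commands."""
        stale = [s for s, t in self.blocked.items() if now - t > self.idle_s]
        for s in stale:
            del self.blocked[s]
        return [f"ipset del {SET_NAME} {s}" for s in stale]
def replay(log_text, bl):
    events = filter(None, map(parse_line, log_text.splitlines()))
    return [c for c in (bl.observe(*e) for e in events) if c]
```

In the sample, 198.51.100.7 crosses a threshold of 3 drops within 60 s and is added; its later packet at 21:03:30 refreshes the idle timer, so it is only released 120 s after that, while the single hit from 192.0.2.9 and the green0 traffic never qualify.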