Re: Status emails and IP Blocklists

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 2597 bytes --]

Hey,

> On 2 Dec 2018, at 12:08, Peter Müller <peter.mueller(a)link38.eu> wrote:
> 
> Hello Michael,
> 
>> Hey,
>> 
>>> On 1 Dec 2018, at 20:18, Peter Müller <peter.mueller(a)link38.eu> wrote:
>>> 
>>> Hello Tim, hello Michael,
>>> 
>>>> 
>>>>> The second addon handles the setting up and updating of IP Address
>>>>> Blocklists in the firewall.  It includes options to select which lists
>>>>> to use, and some control over how frequently to check for updates.
>>>> 
>>>> I guess Peter might be quite excited about this :)
>>> I _am_ excited about this indeed. Especially the "Emerging FW" combined
>>> list sounds very interesting. Dropping bogon traffic is also a good
>>> idea, as it prevents some hijacked BGP allocation stuff.
>>> 
>>>> 
>>>> I personally do not have much use for this, but again, why should this not
>>>> become part of IPFire?
>>>> 
>>> @Michael: Why do you have no use for this? Speaking about the mentioned
>>> Emerging FW list, enabling it as a default sounds reasonable to me. Networks
>>> listed there usually are so bad one even does not want to route or peer
>>> to it (DROP = Don't route or peer). :-)
>> 
>> Well, that one maybe :) I forgot that we could use this on the IPFire
>> Infrastructure…
> Spamhaus SBL also covers networks listed in DROP (return code: 127.0.0.9),
> so we already have it in use there. Further, our mail server rejects messages
> relayed through such an IP at some point. Needless to say, direct delivery
> attempts from an IP listed anywhere at Spamhaus are rejected.
> 
> See /etc/rspamd/local.d/force_actions.conf and https://www.spamhaus.org/faq/section/DROP%20FAQ#435
> for details.

I know, but I meant for outgoing connections...

>> 
>> I am not sure if this should be enabled by default. We deliberately do not
>> ship the firewall in the most secure way it is possible. Then, we would not
>> allow any traffic to pass whatsoever, but it makes the setup rather difficult
>> and you might be running into unexpected issues.
>> 
>> But we should strongly recommend enabling this.
> Okay.
>> 
>>> Could we enable the bogon list as a default for dial-up interfaces in
>>> IPFire 3.x ?
>> 
>> Not only dial-up, but this probably would not be a dynamic list, but
>> rather a substantial part of the firewall.
> ACK.
> 
> Thanks, and best regards,
> Peter Müller
> -- 
> Microsoft DNS service terminates abnormally when it recieves a response
> to a DNS query that was never made.  Fix Information: Run your DNS
> service on a different platform.
> 		-- bugtraq