Hey,

> On 2 Dec 2018, at 12:08, Peter Müller wrote:
>
> Hello Michael,
>
>> Hey,
>>
>>> On 1 Dec 2018, at 20:18, Peter Müller wrote:
>>>
>>> Hello Tim, hello Michael,
>>>
>>>>
>>>>> The second addon handles the setting up and updating of IP Address
>>>>> Blocklists in the firewall. It includes options to select which lists
>>>>> to use, and some control over how frequently to check for updates.
>>>>
>>>> I guess Peter might be quite excited about this :)
>>> I _am_ excited about this indeed. Especially the "Emerging FW" combined
>>> list sounds very interesting. Dropping bogon traffic is also a good
>>> idea, as it prevents some hijacked BGP allocation stuff.
>>>
>>>>
>>>> I personally do not have much use for this, but again, why should this not
>>>> become part of IPFire?
>>>>
>>> @Michael: Why do you have no use for this? Speaking about the mentioned
>>> Emerging FW list, enabling it as a default sounds reasonable to me. Networks
>>> listed there usually are so bad one even does not want to route or peer
>>> to it (DROP = Don't route or peer). :-)
>>
>> Well, that one maybe :) I forgot that we could use this on the IPFire
>> Infrastructure…
> Spamhaus SBL also covers networks listed in DROP (return code: 127.0.0.9),
> so we already have it in use there. Further, our mail server rejects messages
> relayed through such an IP at some point. Needless to say, direct delivery
> attempts from an IP listed anywhere at Spamhaus are rejected.
>
> See /etc/rspamd/local.d/force_actions.conf and https://www.spamhaus.org/faq/section/DROP%20FAQ#435
> for details.

I know, but I meant for outgoing connections...

>>
>> I am not sure if this should be enabled by default. We deliberately do not
>> ship the firewall in the most secure way it is possible. Then, we would not
>> allow any traffic to pass whatsoever, but it makes the setup rather difficult
>> and you might be running into unexpected issues.
>>
>> But we should strongly recommend enabling this.
> Okay.
>>
>>> Could we enable the bogon list as a default for dial-up interfaces in
>>> IPFire 3.x?
>>
>> Not only dial-up, but this probably would not be a dynamic list, but
>> rather a substantial part of the firewall.
> ACK.
>
> Thanks, and best regards,
> Peter Müller
> --
> Microsoft DNS service terminates abnormally when it receives a response
> to a DNS query that was never made. Fix Information: Run your DNS
> service on a different platform.
> -- bugtraq