From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Status emails and IP Blocklists
Date: Sun, 02 Dec 2018 12:10:17 +0000
Message-ID: <253EF983-B498-4E02-A794-6D1698D16AE7@ipfire.org>
In-Reply-To: <82f1331b-1f20-b071-56dc-060bfed62432@link38.eu>

Hey,

> On 2 Dec 2018, at 12:08, Peter Müller wrote:
>
> Hello Michael,
>
>> Hey,
>>
>>> On 1 Dec 2018, at 20:18, Peter Müller wrote:
>>>
>>> Hello Tim, hello Michael,
>>>
>>>>
>>>>> The second addon handles the setting up and updating of IP Address
>>>>> Blocklists in the firewall. It includes options to select which lists
>>>>> to use, and some control over how frequently to check for updates.
>>>>
>>>> I guess Peter might be quite excited about this :)
>>> I _am_ excited about this indeed. Especially the "Emerging FW" combined
>>> list sounds very interesting. Dropping bogon traffic is also a good
>>> idea, as it prevents some hijacked BGP allocation stuff.
>>>
>>>>
>>>> I personally do not have much use for this, but again, why should this not
>>>> become part of IPFire?
>>>>
>>> @Michael: Why do you have no use for this? Speaking about the mentioned
>>> Emerging FW list, enabling it as a default sounds reasonable to me. Networks
>>> listed there usually are so bad one even does not want to route or peer
>>> to it (DROP = Don't route or peer). :-)
>>
>> Well, that one maybe :) I forgot that we could use this on the IPFire
>> Infrastructure…
> Spamhaus SBL also covers networks listed in DROP (return code: 127.0.0.9),
> so we already have it in use there. Further, our mail server rejects messages
> relayed through such an IP at some point. Needless to say, direct delivery
> attempts from an IP listed anywhere at Spamhaus are rejected.
>
> See /etc/rspamd/local.d/force_actions.conf and https://www.spamhaus.org/faq/section/DROP%20FAQ#435
> for details.

I know, but I meant for outgoing connections...

>>
>> I am not sure if this should be enabled by default. We deliberately do not
>> ship the firewall in the most secure way it is possible. Then, we would not
>> allow any traffic to pass whatsoever, but it makes the setup rather difficult
>> and you might be running into unexpected issues.
>>
>> But we should strongly recommend enabling this.
> Okay.
>>
>>> Could we enable the bogon list as a default for dial-up interfaces in
>>> IPFire 3.x ?
>>
>> Not only dial-up, but this probably would not be a dynamic list, but
>> rather a substantial part of the firewall.
> ACK.
>
> Thanks, and best regards,
> Peter Müller
> --
> Microsoft DNS service terminates abnormally when it receives a response
> to a DNS query that was never made. Fix Information: Run your DNS
> service on a different platform.
> -- bugtraq
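A DNSBL check of the kind the Spamhaus remark in the thread describes, as an added example that is neither IPFire's nor rspamd's own code: it builds the reversed-octet query name for zen.spamhaus.org (a real zone) and maps the documented return codes, including 127.0.0.9 for DROP/EDROP listings, to a reject/accept verdict. The FAKE_ANSWERS table, the IP addresses and the fake resolver are constructed so it runs offline; system_resolve is the live variant.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Spamhaus ZEN return codes as documented by Spamhaus; 127.0.0.9 is the
# DROP/EDROP listing the thread refers to.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL: spam source",
    "127.0.0.3": "SBL CSS: snowshoe/compromised host",
    "127.0.0.4": "XBL: exploited or infected host",
    "127.0.0.9": "SBL DROP/EDROP: do not route or peer",
    "127.0.0.10": "PBL: ISP-declared end-user range",
}
ZONE = "zen.spamhaus.org"

def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    # Reverse the octets of an IPv4 address and append the DNSBL zone.
    addr = ipaddress.IPv4Address(ip)  # ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def classify(answers: Iterable[str]) -> Dict[str, object]:
    # 127.255.255.x answers are Spamhaus error signals, not listings: never reject on them.
    codes = [a for a in answers if not a.startswith("127.255.255.")]
    return {
        "listed": bool(codes),
        "drop": "127.0.0.9" in codes,
        "reasons": [ZEN_CODES.get(c, f"unknown code {c}") for c in codes],
    }

def system_resolve(name: str) -> List[str]:
    # Live lookup through the system resolver; NXDOMAIN means "not listed".
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def check_ip(ip: str, resolve: Callable[[str], List[str]] = system_resolve) -> Dict[str, object]:
    qname = dnsbl_name(ip)
    verdict = classify(resolve(qname))
    verdict["query"] = qname
    return verdict

# Constructed answers standing in for live DNS so the example runs offline.
FAKE_ANSWERS: Dict[str, List[str]] = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.9"],                      # hypothetical DROP hit
    "5.113.0.203.zen.spamhaus.org": ["127.0.0.4", "127.255.255.254"],  # XBL hit plus an error code
}

def fake_resolve(name: str) -> List[str]:
    return FAKE_ANSWERS.get(name, [])
```

Pass `system_resolve` (the default) to `check_ip` for a real lookup; note that Spamhaus answers queries from large public resolvers with an error code rather than a listing, which is exactly why `classify` filters 127.255.255.x.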