From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH 0/5] ipblacklist: IP Address Blacklists Date: Mon, 06 Jan 2020 11:27:26 +0000 Message-ID: <28307984-A289-4568-8B89-50A7641003CD@ipfire.org> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5889496251395065599==" List-Id: --===============5889496251395065599== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello all, > On 4 Jan 2020, at 19:02, Tim FitzGeorge wrote: >=20 > Hello, >=20 > I've now updated the code - screenshots are attached. >=20 > IP_Address_Blacklists.png >=20 > This is the settings page. I don't think there's anything unexpected here. Yes, that looks a lot like the other IPFire pages :) > IP_Address_Blacklist_Logs.png >=20 > The log page, replacing the status information that was previously at > the top of the settings page. Looks great! > I've sorted the lists alphabetically, rather than by the number of hits > since the worst threat is not necessary the largest number of blocked > packets (which could implied by sorting it by number). Yes, that is indeed a very good idea. You could add a % sign in the percentage column, so it cannot be confused so = easily with the other column. > Firewall_log_blacklist.png >=20 > Details page accessed from the log. Almost identical to the other > similar pages. *thumbs up* > Log_Summary.png >=20 > This is an extract from the Log Summary page produced by logwatch. >=20 > I still need to do some tidying, remove unused language strings etc., > and then update and test the patches, so it'll be some time before I'm > ready to submit updated patches. Feel free to send some RFC to the list. It might be slightly noisy, but it is= easier to review changes bit after bit. Great great work! -Michael >=20 > Tim >=20 > On 28/12/2019 20:59, Tim FitzGeorge wrote: >> Hi, >>=20 >> I'll code and test what we've agreed on. In the meantime I'm going to >> reply on the sub-thread started by Tom Rymes as to what we call the list >> categories, so that we can keep that discussion separate from further >> functionality etc. discussion. >>=20 >> Tim >>=20 >> On 21/12/2019 18:34, Tim FitzGeorge wrote: >>> Hi, >>>=20 >>> I've got my systems checking for downloads at 15 minute intervals and >>> using If-Modified-Since. This all seems to be working OK. >>>=20 >>> Responses to comments below: >>>=20 >>> On 18/12/2019 12:07, Michael Tremer wrote: >>>> Hi, >>>>=20 >>>>> On 17 Dec 2019, at 18:21, Tim FitzGeorge wro= te: >>>>>=20 >>>>> Hi, >>>>>=20 >>>>> I think we've agreed on the following: >>>>>=20 >>>>> - Checks to be made every 15 minutes, subject to per-list minimum rate. >>>>> - Modify download to use If-Modified-Since rather than separate HEAD >>>>> request. >>>>> - Remove automatic blacklist. >>>>=20 >>>> I thought someone wants to counter my argument. This is not a dictatorsh= ip :) >>>>=20 >>>>>=20 >>>>> other comments are below. >>>>>=20 >>>>> Tim >>>>>=20 >>>>> On 16/12/2019 22:20, Michael Tremer wrote: >>>>>> Hi, >>>>>>=20 >>>>>>> On 16 Dec 2019, at 20:06, Tim FitzGeorge = wrote: >>>>>>>=20 >>>>>>> Hi, >>>>>>>=20 >>>>>>> I've attached the current GUI screenshot. >>>>>>=20 >>>>>> Thanks for that. >>>>>>=20 >>>>>> I have a couple of suggestions/concerns about it: >>>>>>=20 >>>>>> a) I am not sure what the value is about the top box that is called = =E2=80=9CStatus=E2=80=9D. It is basically a summary of the iptables output, b= ut will it help the user? A blacklist with more or fewer entries is not bette= r or worse, blocking more packets isn=E2=80=99t better than blocking fewer. I= t is about the quality of the blocks. >>>>>=20 >>>>> I agree that the size of the lists is not all that useful, but the >>>>> information about the number of blocked packets can be an indication of >>>>> compromise. It depends on the type of the list, but a list that targets >>>>> C&C channels (e.g. the FEODO lists) should not show any input packets >>>>> being blocked, unless one of the computers being protected is infected. >>>>> Apart from the BOGON lists, none of the lists should show any output >>>>> packets being blocked; again it's a potential indication of infection if >>>>> otherwise. >>>>=20 >>>> The Shodan list will definitely show some activity unless you are behind= CG NAT. >>>>=20 >>>> Should we not have this rather in the logging section? >>>>=20 >>>> And these counters here will be reset when the firewall is being reloade= d. Should this data therefore not be collected from the logs so that you can = go back in time? That would be very important to identify any start of compro= mise. >>>>=20 >>>=20 >>> That makes sense. I'll remove the status from this page and create a >>> log page for the information. If anyone actually wants the iptables >>> information it's available in from Firewall > iptables anyway. >>>=20 >>> Do you think it makes more sense to show packets blocked in/out or >>> packets blocked per source interface? The latter would of (limited) >>> help in tracking down potential compromise. >>>=20 >>>>>>=20 >>>>>> b) I would prefer to move the settings box to the top. If you like you= can show the size of the blacklists there and when they have been updated, t= oo. >>>>>=20 >>>>> I put the status at the top since it's usually what I want to see when I >>>>> go to the page. Under normal circumstances I don't change the settings, >>>>> so I'd rather not have to scroll past them to get to the information I'm >>>>> actually interested in. The update times are just useful to show that >>>>> the lists are actually being updated. The size is interesting to me, >>>>> but as you say it probably won't help the average user, especially if >>>>> you don't know which lists block individual addresses and which block >>>>> nets (BOGON, DSHIELD and EMERGING_COMPROMISED). >>>>=20 >>>> See my comment on the order above. Splitting the page might make sense. >>>>=20 >>>> When you show size, does that mean lines in the blacklists? So it could = be networks or single IP addresses? Does it not make sense to count IP addres= ses (i.e. 256 for a /24 network and so on) and put it in the table? >>> It's lines in the blacklist. >>>=20 >>>>=20 >>>> I think I would only be interested in the size for two things: >>>>=20 >>>> a) Is there any chance for overblocking? i.e. does the list have 2 billi= on entries which would be half the public IPv4 address space or so. I cannot = really come up with a good example here. >>>>=20 >>>> Or >>>>=20 >>>> b) What is the performance impact/memory consumption of the list? >>>=20 >>> It would be interesting to show the type (single address or net), number >>> of entries and number of addresses; the first two affect performance, >>> the second memory use and the latter the number of blocked addresses, >>> but that's really only going to be of interest to a very small number of >>> people, who can always do 'ipset list -t' to get the information. So >>> I'll remove the size column. >>>=20 >>>>=20 >>>>> I originally had the status and settings in one list, but I decided that >>>>> it was getting a bit messy and difficult to follow. I've attached a >>>>> screenshot of a quickly hacked page. (Note that the status area only >>>>> appears once the blacklists have been enabled.) >>>>=20 >>>> You are right. This is getting quite tight there. >>>>=20 >>>> You could write packets in/out into on column like 2k/1023, but see my c= oncerns about this above. >>>=20 >>> Actually I've come to the conclusion that the number of bytes blocked >>> isn't all that important; it's sufficient to show the number of packets. >>>=20 >>>>=20 >>>>>>=20 >>>>>> c) I would suggest to remove the =E2=80=9Csafe=E2=80=9D column because= that is a very hard summary of what the lists do. We should explain that on = the wiki. I guess this is too complicated to explain to our users in one sent= ence and it needs at least a page of text. People who do not read that have y= ou just lost out. >>>>>=20 >>>>> I agree that it's it's an over simplistic summary of the lists. I note >>>>> that Tom Rymes has asked to keep it, but I think its only value is if it >>>>> suggests to users that things are more complicated than they appear and >>>>> therefore prompts them to read the Wiki. >>>>=20 >>>> I will reply to that separately. >>>=20 >>> Looking at that reply, I think it makes sense to include a category >>> column in both the settings and the log summary page - the former to >>> help selection of which lists to use, and the latter as a help when >>> deciding whether the information could indicate compromise or not. >>>=20 >>>>=20 >>>>>>=20 >>>>>> d) I do not understand what the =E2=80=9Cupdate check rate=E2=80=9D me= ans. I suppose we should show the update interval of the lists in the table a= nd just refresh them according to that. >>>>>=20 >>>>> It's the minimum check period for updates. The system checks for >>>>> updates at either the rate specific to the list or this rate, whichever >>>>> is slower. This is a hangover from the early days, copied from the IPS >>>>> updates. I suppose it could have a value for some people who may wish >>>>> to lower the check rate, but I'm not sure that it has sufficient value >>>>> to be worth keeping. >>>>=20 >>>> No, I would not let the user decide when and how often to update the lis= ts. >>>=20 >>> OK. I'll remove it. >>>=20 >>>>=20 >>>> Generally there is this argument internally how often some databases sho= uld be updated. People with slow internet connections or volume based data pl= ans will find this rather expensive to update those lists too often. >>>>=20 >>>> If we ever want to go ahead with that in IPFire 2, there should be a glo= bal switch for a =E2=80=9Clow data mode=E2=80=9D which then delays updating t= hese things. >>>=20 >>> That makes sense. Maybe also the ability to set when downloads take >>> place - but as you say that's for the future. >>>=20 >>>>=20 >>>>>>=20 >>>>>> e) Do we want to keep the automatic blacklists now? I do not think it = will actually improve the security of IPFire. >>>>>>=20 >>>>>=20 >>>>> I'll remove them. I think they do have a use, in that they can detect >>>>> someone doing a port scan and block them before they find an open port, >>>>> but as you say there is also the possibility of a DOS. >>>>=20 >>>> How would this block a DOS? >>>=20 >>> Sorry, I didn't make myself clear - there's the possibility that someone >>> could cause a DOS with the automatic list by faking the source IP >>> address and sending a few packets on a random port. >>>=20 >>>>=20 >>>> -Michael >>>=20 >>> Tim >>>>=20 >>>>>>>=20 >>>>>>> I'll update the code based on our discussions, and submit an updated = set >>>>>>> of patches - I imagine there will have to be at least one more iterat= ion. >>>>>>=20 >>>>>> Let=E2=80=99s wait until we have come to decisions :) >>>>>>=20 >>>>>> -Michael >>>>>>=20 >>>>>>>=20 >>>>>>> Tim >>>>>>>=20 >>>>>>> (No additional comments below) >>>>>>>=20 >>>>>>> On 13/12/2019 23:11, Michael Tremer wrote: >>>>>>>> Hi, >>>>>>>>=20 >>>>>>>> Again my apologies for my late reply. Busy busy weeks. >>>>>>>>=20 >>>>>>>>> On 8 Dec 2019, at 20:50, Tim FitzGeorge = wrote: >>>>>>>>>=20 >>>>>>>>> Hello, >>>>>>>>>=20 >>>>>>>>> It's my turn to apologise for being slow to respond - I've had a bu= sy >>>>>>>>> week, but I should have plenty of time over the next couple of week= s. >>>>>>>>=20 >>>>>>>> No worries. Turns out we all do :) >>>>>>>>=20 >>>>>>>>> I've made most of the comments inline, however I think Michael had a >>>>>>>>> question (which I can't find now) about what happens if someone ena= bles >>>>>>>>> all the lists. One thing which would perhaps make this less likely= is >>>>>>>>> that the WUI tags the available lists with whether they're safe or = not, >>>>>>>>> with a footnote that safe means that the list only blocks malicious >>>>>>>>> traffic. This won't guarantee that a user won't still try to enabl= e all >>>>>>>>> the lists, but it should make them realise that they should think f= irst. >>>>>>>>=20 >>>>>>>> We had a couple of features going slightly wrong or being =E2=80=9Cm= isunderstood=E2=80=9D by some users. People still seem to panic when they see= =E2=80=9Clocal recursor=E2=80=9D. To this day I do not know why. >>>>>>>>=20 >>>>>>>> We cannot make everything idiot-proof. And when some user if of that= category, they probably should shutdown their IPFire box, educate themselves= and then come back again. So I do not want to limit people, but make things = as easy as possible. >>>>>>>>=20 >>>>>>>> If someone enables all the lists, good luck with passing packets :) >>>>>>>>=20 >>>>>>>>> I have considered replacing this tag with a risk high/medium/low and >>>>>>>>> maybe adding a category (invalid/application/scanner/C&C or somethi= ng >>>>>>>>> like that), but that may provide too much information and dissuade = them >>>>>>>>> from actually following the links to checkout what the list actuall= y does. >>>>>>>>=20 >>>>>>>> Can we have a screenshot of the GUI right now? I didn=E2=80=99t run = the code, yet. >>>>>>>>=20 >>>>>>>> We should document the lists like we do it with the rulesets of the = IPS. People might ignore this, but that is on them. >>>>>>>>=20 >>>>>>>>>=20 >>>>>>>>> Tim >>>>>>>>>=20 >>>>>>>>>=20 >>>>>>>>> On 05/12/2019 22:25, Michael Tremer wrote: >>>>>>>>>> Hello, >>>>>>>>>>=20 >>>>>>>>>>> On 4 Dec 2019, at 17:05, Peter M=C3=BCller wrote: >>>>>>>>>>>=20 >>>>>>>>>>> Hello Tim, hello Michael, >>>>>>>>>>>=20 >>>>>>>>>>> please see my responses inline... >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> We could periodically update the blacklists on our main mirror= (and >>>>>>>>>>>>>> wait for the network to sync it), make sure it is signed and w= rite >>>>>>>>>>>>>> a small downloader that fetches, validates and installs them. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> @All: Thoughts on this? >>>>>>>>>>>>>=20 >>>>>>>>>>>>> I think there are a number of points here. >>>>>>>>>>>>>=20 >>>>>>>>>>>>> Firstly, from the point of a third party using IPFire, is this = really >>>>>>>>>>>>> solving the privacy disclosure problem? There's no way round d= isclosing >>>>>>>>>>>>> your public IP address to someone you're downloading from; all = this does >>>>>>>>>>>>> is change who that information is being disclosed to. For the = user >>>>>>>>>>>>> there's no way of knowing whether the source is more or less pr= otective >>>>>>>>>>>>> of the user's privacy than the blacklist provider. Indeed it w= on't be >>>>>>>>>>>>> possible to know who the lists are being downloaded from until = the >>>>>>>>>>>>> download starts. >>>>>>>>>>>>=20 >>>>>>>>>>>> There is a way: Tor. But that is a totally different story. >>>>>>>>>>> Well, I see a third option on this: Use the mirror infrastructure= we already >>>>>>>>>>> have. Every IPFire installation discloses its public IP address t= o one of these >>>>>>>>>>> servers sooner or later, so we do not disclose additional data if= the blacklists >>>>>>>>>>> were fetched from these. >>>>>>>>>>>=20 >>>>>>>>>>> Needless to say, Tor (hidden services) would be better, but that = is a different >>>>>>>>>>> story indeed. :-) >>>>>>>>>>>>=20 >>>>>>>>>>>> The point is rather that a forget list can be sent instead of th= e =E2=80=9Creal=E2=80=9D one. >>>>>>>>>>> I did not get this. Forget? Forged?? ??? >>>>>>>>>>=20 >>>>>>>>>> Yes, I meant to write forged, but auto-correct didn=E2=80=99t let = me. >>>>>>>>>>=20 >>>>>>>>>>>>> Secondly, latency; some of the lists are updated every 5 minute= s. While >>>>>>>>>>>>> I've limited the maximum check rate to hourly, will the updates >>>>>>>>>>>>> propagate quickly enough. For reference on my main system the = 24 >>>>>>>>>>>>> updates on the CIARMY list made 143 498 changes (additions or >>>>>>>>>>>>> deletions). I've seem it do over 200 000. >>>>>>>>>>> Yes, I observe that behaviour for CINS/CIArmy too. Unfortunately,= they do not >>>>>>>>>>> document a recommended update interval anywhere, so we can only g= uess. >>>>>>>>>>>=20 >>>>>>>>>>> Personally, more static lists seem to be preferable for packet fi= ltering. Highly >>>>>>>>>>> dynamic ones such as CIArmy should be done via DNSBL queries or s= omething similar >>>>>>>>>>> - do we really want to have that list here? >>>>>>>>>>=20 >>>>>>>>>> It is not really an option to implement a DNSBL into a packet filt= er, but I get your point. >>>>>>>>>=20 >>>>>>>>> One of the 'selling points' for an IP address blacklist is that it = can >>>>>>>>> respond quickly to new threats - or rather new attackers. While a = new >>>>>>>>> IDS/IPS rule needs time to analyse the threat, generate a rule and = check >>>>>>>>> it, it's easy to add an address to a list. So, I think the CIArmy = list >>>>>>>>> is potentially useful for protecting home systems etc. with budget >>>>>>>>> hardware, but I would be very careful about using it for a protecti= ng a >>>>>>>>> general access website. >>>>>>>>=20 >>>>>>>> If they are very volatile, we should honour that and update them oft= en, too. >>>>>>>>=20 >>>>>>>> It probably is more about false-positives being removed very quickly= instead of adding threats very quickly. The average IPFire user is probably = not under threats like these to need to react very quickly. >>>>>>>>=20 >>>>>>>> So I do not see much value in adding those lists and then updating o= nce a day. Does it have to be every 5 min? No. I would suggest 15 which shoul= d be good enough for everyone. >>>>>>>>=20 >>>>>>>> Other lists should of course not be updated every 15 minutes when no= t needed. >>>>>>>>=20 >>>>>>>> Running every 15 minutes would allow us to retry downloading lists t= hat are on an hourly schedule if the download failed. >>>>>>>>=20 >>>>>>>>>>=20 >>>>>>>>>>>> How did you come up with the hour? Will it be retried more often= if the download was not successful? >>>>>>>>>>> One hour is the most common interval indeed, but adding some rand= om time might >>>>>>>>>>> be useful in order to reduce load on the servers providing a blac= klist. >>>>>>>>>>=20 >>>>>>>>>> Yes, definitely. Otherwise we will shoot down our mirrors. >>>>>>>>>=20 >>>>>>>>> When I implemented that section of code, specifying the minimum che= ck >>>>>>>>> period in hours seemed to provide a convenient way of allowing a ch= eck >>>>>>>>> period covering a wide range, with an hour as the fastest and a wee= k as >>>>>>>>> the slowest. I didn't looked at the CIArmy list until much later. = Most >>>>>>>>> of the lists don't change nearly as much, but the CIArmy list is >>>>>>>>> described as one that deliberately responds quickly. >>>>>>>>>=20 >>>>>>>>> From my production system, for yesterday: >>>>>>>>>=20 >>>>>>>>> The following block lists were updated: >>>>>>>>> BLOCKLIST_DE: 24 Time(s) - 9341 change(s) >>>>>>>>> BOGON_FULL: 1 Time(s) - 10 change(s) >>>>>>>>> CIARMY: 24 Time(s) - 159134 change(s) >>>>>>>>> DSHIELD: 7 Time(s) - 18 change(s) >>>>>>>>> EMERGING_FWRULE: 1 Time(s) - 50 change(s) >>>>>>>>> FEODO_AGGRESIVE: 24 Time(s) - 13 change(s) >>>>>>>>> SHODAN: 1 Time(s) - 0 change(s) >>>>>>>>> SPAMHAUS_DROP: 1 Time(s) - 0 change(s) >>>>>>>>> TOR_EXIT: 24 Time(s) - 162 change(s) >>>>>>>>=20 >>>>>>>> Very interesting statistics. >>>>>>>>=20 >>>>>>>>>=20 >>>>>>>>> and my test system: >>>>>>>>>=20 >>>>>>>>> The following block lists were updated: >>>>>>>>> ALIENVAULT: 19 Time(s) - 5331 change(s) >>>>>>>>> EMERGING_COMPROMISED: 1 Time(s) - 26 change(s) >>>>>>>>> TALOS_MALICIOUS: 1 Time(s) - 36 change(s) >>>>>>>>>=20 >>>>>>>>> That covers most of the lists. From the WUI, since 1 Dec: >>>>>>>>>=20 >>>>>>>>> Blacklist Entries pkts bytes Last updated >>>>>>>>> in in >>>>>>>>> AUTOBLACKLIST 0 731 51144 Sun Dec 8 18:40:02 2019 >>>>>>>>> BLOCKLIST_DE 28020 857 46735 Sun Dec 8 18:40:02 2019 >>>>>>>>> BOGON_FULL 214 5255 189K Sun Dec 8 16:50:04 2019 >>>>>>>>> CIARMY 15000 19774 976K Sun Dec 8 18:04:01 2019 >>>>>>>>> DSHIELD 20 7992 321K Sun Dec 8 16:45:13 2019 >>>>>>>>> EMERGING_FWRULE 1647 197 8383 Fri Dec 6 05:29:07 2019 >>>>>>>>> FEODO_AGGRESIVE 7169 0 0 Sun Dec 8 18:50:07 2019 >>>>>>>>> SHODAN 32 34 1530 Sun Dec 8 17:54:09 2019 >>>>>>>>> SPAMHAUS_DROP 823 0 0 Fri Dec 6 18:22:35 2019 >>>>>>>>> SPAMHAUS_EDROP 111 82 16433 Thu Dec 5 17:27:09 2019 >>>>>>>>> TOR_EXIT 1055 0 0 Sun Dec 8 18:31:02 2019 >>>>>>>>=20 >>>>>>>> This as well. >>>>>>>>=20 >>>>>>>> Those are more packets than I would have expected. >>>>>>>>=20 >>>>>>>>>=20 >>>>>>>>> (I've left out the pkts/bytes out fields which were all 0) >>>>>>>>>=20 >>>>>>>>> Note that where possible I do a HEAD request first and then only >>>>>>>>> download the list if the modification time has changed since the la= st >>>>>>>>> check. For dynamically generated lists this isn't possible. >>>>>>>>=20 >>>>>>>> You won=E2=80=99t need a HEAD request for it. You can include it in = the GET request. >>>>>>>>=20 >>>>>>>> Have a look at location downloader where I use that. The server will= respond with 304 and not send any payload. >>>>>>>>=20 >>>>>>>> https://git.ipfire.org/?p=3Dlocation/libloc.git;a=3Dblob;f=3Dsrc/pyt= hon/location-downloader.in;h=3D1b5932d5822e03737d32b2a27816815b2f7e74dd;hb=3D= HEAD#l151 >>>>>>>>=20 >>>>>>>>>=20 >>>>>>>>> If the download isn't successful it just gives up and waits for the= next >>>>>>>>> attempt (apart from the usual retries in the library). I probably >>>>>>>>> should to change that so that it only applies the per list minimum >>>>>>>>> update period in this case (specified in the sources file) rather t= han >>>>>>>>> the user specified value as well. >>>>>>>>=20 >>>>>>>> I think it is not the worst if an update fails. It might just happen= every once in a while. >>>>>>>>=20 >>>>>>>> So I would suggest to just re-run the script more often and when the= mtime of the file is older than the threshold, a download is attempted. You = can use that timestamp for the GET request. >>>>>>>>=20 >>>>>>>>> I already use a time offset on the downloads - when it's started fr= om >>>>>>>>> boot, backup restore or WUI enable, it checks to see if it's instal= led >>>>>>>>> in the fcrontab, and if not adds itself at a randomly generated off= set >>>>>>>>> in the hour. >>>>>>>>=20 >>>>>>>> That should potentially go to red.up, or if we can settle on 15 minu= tes, I would consider that often enough to quickly update all lists after a r= eboot. >>>>>>>>=20 >>>>>>>>>=20 >>>>>>>>>>=20 >>>>>>>>>>>>> Third, bandwidth; while the downloads are fairly small (ALIENVA= ULT is >>>>>>>>>>>>> the largest at a few MB), there are going to be a lot of them. = How will >>>>>>>>>>>>> this affect the willingness of people to mirror IPFire? >>>>>>>>>>> I do not consider this being a problem as we do not generate that= much traffic >>>>>>>>>>> to them. Of course, that depends on the update interval again. >>>>>>>>>>=20 >>>>>>>>>> That depends on your point of view. >>>>>>>>>>=20 >>>>>>>>>> I do not have a problem with this at all in my data center, but th= ere are plenty of people with a volume-based LTE plan or simply a 128 kBit/s = connection. It will take a longer time to download the lists for them. We nee= d to mind that. >>>>>>>>>>=20 >>>>>>>>>>>>>=20 >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> Talking about the preference of packet filter and IPS, I prefe= r to >>>>>>>>>>>>>> use the latter as well as it gains more insight in what kind o= f malicious >>>>>>>>>>>>>> traffic tried to pass a firewall machine. On systems with low = resources, >>>>>>>>>>>>>> this might be problematic and removing load from the IPS can b= e preferred >>>>>>>>>>>>>> (make this configurable?!), on others, people might want to ha= ve both >>>>>>>>>>>>>> results. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>> You're only going to get one result for a packet whichever way = round the >>>>>>>>>>>>> IP blacklist and IPS are since whichever comes first will drop = the >>>>>>>>>>>>> packet before it reaches the second (well it would be possible = to put >>>>>>>>>>>>> the IP blacklist first and get it to log and mark packets which= are then >>>>>>>>>>>>> dropped after the IPS, but I think that's getting a little comp= licated. >>>>>>>>>>>>> In addition I've seen the messages about the trouble marking was >>>>>>>>>>>>> causing in the QoS). >>>>>>>>>>>>>=20 >>>>>>>>>>>>> I think it's a 50/50 choice as to which is more valuable first;= it's >>>>>>>>>>>>> probably going to differ from packet to packet. For me the pos= sibility >>>>>>>>>>>>> of reducing the IPS load means I prefer putting the IP blacklis= t first >>>>>>>>>>>>>=20 >>>>>>>>>>>>> It should be fairly easy to add the choice of where to put the = IP >>>>>>>>>>>>> blacklist. I think it'll have to be in the main firewall scrip= t, so >>>>>>>>>>>>> it'll require a firewall restart, but it's not something that'l= l be >>>>>>>>>>>>> changed often. >>>>>>>>>>>>=20 >>>>>>>>>>>> I do not think that the user should choose this. If we cannot ea= sily make a decision, how can our users do this? Not saying they are stupid h= ere, we are just giving them something so that they do not have to put the th= ought and research into things themselves and make their jobs easier. >>>>>>>>>>> Agreed. >>>>>>>>>>>=20 >>>>>>>>>>>>=20 >>>>>>>>>>>> I think performance matters. And if the IPS comes first, the mos= t likely case would be that we are seeing a SYN packet that is being scanned = and after that being dropped by the blacklist. It was pointless to even scan = the empty packet (TCP fast open aside). This is only different for other pack= ets with payloads. >>>>>>>>>>>>=20 >>>>>>>>>>>> We would protect the IPS from a SYN flooding attack here at leas= t and from scanning more packets unnecessarily. >>>>>>>>>>> So dropping packets from blacklisted IP addresses/networks before= IPS is it, then. >>>>>>>>>>>>=20 >>>>>>>>>>>> I do not even think it makes sense to swap the order in the outg= oing direction. >>>>>>>>>>> Me too. >>>>>>>>>>>=20 >>>>>>>>>>>>=20 >>>>>>>>>>>> What IPFire is lacking is a statistical analysis for those logs.= Collecting more and more data isn=E2=80=99t helpful from my point of view. O= nly if you are looking at a very specific thing.This is true, but I am not su= re if it makes sense to spend too much work on this. >>>>>>>>>>> Based on my personal experience, firewall hits observed on a sing= le machine exposed >>>>>>>>>>> to the internet are interesting, but the overall situation across= multiple machines >>>>>>>>>>> is even more interesting. Very quickly, you'll end on something l= ike a centralised >>>>>>>>>>> logging server and custom statistical analysis here... >>>>>>>>>>=20 >>>>>>>>>> Probably a project for IPFire 4.0 :) >>>>>>>>>>=20 >>>>>>>>> Or use one of the existing services, like the DSHIELD client >>>>>>>>> https://dshield.org/howto.html (subject to privacy concerns again). >>>>>>>>>>>>=20 >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> Personally, I consider Spamhaus DROP/EDROP can be safely enabl= ed by default. >>>>>>>>>>>>>> I would love to see the bogon ruleset here, too (think about 8= chan successor >>>>>>>>>>>>>> hosted at unallocated RIPE space in Saint Petersburg), but tha= t will likely cause >>>>>>>>>>>>>> interference if RED does not have a public IP address assigned. >>>>>>>>>>>>>=20 >>>>>>>>>>>>> I can add a field to the options file that controls whether a l= ist is >>>>>>>>>>>>> enabled by default. >>>>>>>>>>> Thank you. :-) >>>>>>>>>>>>=20 >>>>>>>>>>>> To stress the point from above again: We would then share all pu= blic IP addresses of all IPFire systems in the world with Spamhaus and who is= hosting their infrastructure. That can be considered a threat. >>>>>>>>>>> This is my only objection against this patchset. Now, what can we= do about it? >>>>>>>>>>> One possibility is to apply the patchset now and implement a cust= om download >>>>>>>>>>> source thing later on, or do that before releasing Core Update 13= 9 (or which version >>>>>>>>>>> the patchset will be to) after we agreed on something. >>>>>>>>>>=20 >>>>>>>>>> I do not see this being merged for 139. But that is not important.= We need to get it right first and then release it. >>>>>>>>>>=20 >>>>>>>>>> As far as I know, nobody has tested this, yet. >>>>>>>>>=20 >>>>>>>>> There are a number of people who have been running an earlier versi= on >>>>>>>>> which I shared on GitHub. There were a few early issues, but it se= ems >>>>>>>>> to be OK now. >>>>>>>>>=20 >>>>>>>>> https://forum.ipfire.org/viewtopic.php?f=3D27&t=3D21845 >>>>>>>>>=20 >>>>>>>>> This version wasn't integrated into IPFire, so (for example) it ins= erted >>>>>>>>> itself into the INPUT IPTables chain rather than having it's chains >>>>>>>>> created as part of the firewall start-up script. >>>>>>>>>=20 >>>>>>>>>>=20 >>>>>>>>>> I have huge concerns about the automatic blacklist. @Peter: What i= s your opinion on this? >>>>>>>>>>=20 >>>>>>>>>=20 >>>>>>>>> While I implemented it, I'm aware of its potential to cause problem= s, >>>>>>>>> which is why it has to be separately enabled. It's not caused me a= ny >>>>>>>>> issues at the default settings (blocks at over 10 packets per hour = until >>>>>>>>> 1 hour has passed without seeing packets from the address), but I'v= e not >>>>>>>>> used it on a site with publicly announced services. If I was going= to >>>>>>>>> use it on a web site I would want to, at the very minimum, drop the >>>>>>>>> block period drastically. >>>>>>>>=20 >>>>>>>> I suppose this is entirely unusable on an IPFire box in a data cente= r that hosts things. Let=E2=80=99s say our rack in Hanover. >>>>>>>>=20 >>>>>>>> You will have hits from some broken IP stacks and people might just = end up on this without doing anything wrong. >>>>>>>>=20 >>>>>>>> You can denial-of-service easily as well and I suppose without aggre= gation of data from many many systems, it does not make sense to instantly bl= ock addresses. And even then you probably would block an entire subnet. >>>>>>>>=20 >>>>>>>> So I am not sure how I should feel about it. I do not think that it = adds anything because the packets would have been blocked anyways. >>>>>>>>=20 >>>>>>>>>=20 >>>>>>>>> On the other hand, it's good at responding quickly. Usually I see = only >>>>>>>>> 1-2% of blocks from the automatic list: >>>>>>>>>=20 >>>>>>>>> Reason Count % First Last >>>>>>>>> CIARMY 2416 45 Dec 6 00:00 Dec 6 23:59 >>>>>>>>> DSHIELD 1353 25 Dec 6 00:00 Dec 6 23:59 >>>>>>>>> INPUT 1294 24 Dec 6 00:00 Dec 6 23:59 >>>>>>>>> AUTOBLACKLIST 122 2 Dec 6 00:20 Dec 6 16:28 >>>>>>>>> BLOCKLIST_DE 89 2 Dec 6 00:20 Dec 6 23:46 >>>>>>>>>=20 >>>>>>>>> and sometimes none at all, but one one occasion it blocked over 8000 >>>>>>>>> packets. Again I'm aware this is for a home system, which is rather >>>>>>>>> different than from a Web server. >>>>>>>>>=20 >>>>>>>>>>> If we do, I will have a look at the licensing stuff (DShield and = Spamhaus do not >>>>>>>>>>> seem to be problematic, as they are hosted on 3rd party servers, = too). >>>>>>>>>>=20 >>>>>>>>>> One of them will be, sooner or later. And one is enough I suppose. >>>>>>>>>=20 >>>>>>>>> DShield (https://dshield.org/api/#threatfeeds) and firehol >>>>>>>>> (http://iplists.firehol.org/) seem to host copies of most of the li= sts >>>>>>>>> as well. >>>>>>>>>>=20 >>>>>>>>>> I do not really want to overthink this - we didn=E2=80=99t do this= with clamav for example either. But it probably is a decision to be made by = the user what they want to enable and we should not enable anything by defaul= t. So no data will be leaked as long as the user does not consent. >>>>>>>>>>=20 >>>>>>>>>> -Michael >>>>>>>>>>=20 >>>>>>>>>>>=20 >>>>>>>>>>> Thanks, and best regards, >>>>>>>>>>> Peter M=C3=BCller >>>>>>>>=20 >>>>>>>=20 >>>>>>> >>>>>>=20 >>>>>=20 >>>>> >>>>=20 >>>=20 >>=20 >=20 > --===============5889496251395065599==--