Re: [PATCH 0/5] ipblacklist: IP Address Blacklists

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 5324 bytes --]



> On 22 Jan 2020, at 20:35, Tim FitzGeorge <ipfr(a)tfitzgeorge.me.uk> wrote:
> 
> Hello Michael,
> 
> On 06/01/2020 11:21, Michael Tremer wrote:
>> Hello Tim,
>> 
>>> On 28 Dec 2019, at 21:17, Tim FitzGeorge <ipfr(a)tfitzgeorge.me.uk> wrote:
>>> 
>>> Hi,
>>> 
>>> Having decided that we'll categorise the lists, the question is what
>>> categories to use.  They need to be:
>>> 
>>> - Short (to fit on the screen)
>>> - Easily translatable
>>> - and above all, useful.
>>> 
>>> Looking at the lists the obvious categories are:
>>> 
>>> - Invalid Address (on the public internet)
>>> 	BOGON, BOGON_FULL
>>> 
>>> - Scanner (not by itself malicious)
>>> 	SHODAN
>>> 
>>> - Application (potentially unwanted)
>>> 	TOR_ALL, TOR_EXIT
>>> 
>>> - Malware C & C
>>> 	FEODO_RECOMMENDED, FEODO_IP, FEODO_AGGRESIVE
>>> 
>>> - Composite
>>> 	EMERGING_FWRULE
>> 
>> I like all these a lot.
>> 
>>> Less obvious are:
>>> 
>>> - Reputation
>>> 	ALIENVAULT, CIARMY, SPAMHAUS_DROP, SPAMHAUS_EDROP
>>> 
>>> - Attacks
>>> 	BLOCKLIST_DE, DSHIELD, EMERGING_COMPROMISED
>> 
>> I even like those two, although I would potentially consider merging
> “Invalid Address” and Reputation. They are kind of the same to me. IP
> addresses I under no circumstances I want to talk to.
> 
> I think I'd rather keep them separate, since conceptually they're rather
> different.  Also, if your red interface has a private address, you
> definitely wouldn't want to enable these lists.

Yes, that makes sense.

> 
>> 
>> I also like the Attacks category, although the name is very generic.
> But I cannot come up with anything better. The only thing that might be
> worth considering is to merge it with Malware and just call it “Malicious”.
> 
> I suspect that anything more specific that Attacks is going to only
> describe a single list.  It's (unfortunately) a catch-all category for
> anything that doesn't fit better somewhere else.
> 
> I'd rather not merge it with Malware C&C since the behaviour of the two
> is rather different - under most circumstances lists in this category
> shouldn't block any packets, whereas the Attacks category is expected to
> block a lot of inbound traffic.

I can follow your argument and I am all for it.

However I am not sure if this is obvious from the category names. Instead of wasting too much time thinking about them (because I am sure that we can slice this cake in many different ways) I am okay with what you proposed if everybody else is.

-Michael

> 
>> 
>>> I'm not sure that the distinction between these two is going to be
>>> helpful to most people (I'm not sure I understand it myself).
>>> 
>>> We could use:
>>> 
>>> - Top attackers
>>> 	DSHIELD, EMERGING_COMPROMISED, SPAMHAUS_DROP, SPAMHAUS_EDROP
>>> 
>>> - Other attackers
>>> 	ALIENVAULT, BLOCKLIST_DE, CIARMY
>>> 
>>> but that might be making a distinction that is better made by the user.
>> 
>> Agreed. It is not obvious why some are top attackers and others are not.
>> 
>> So I would 100% prefer the first option from above.
>> 
>> Best,
>> -Michael
>> 
> 
> Tim
> 
>>> 
>>> Any opinions?
>>> 
>>> Tim
>>> 
>>> 
>>> On 18/12/2019 12:10, Michael Tremer wrote:
>>>> Hi,
>>>> 
>>>>> On 16 Dec 2019, at 23:05, Tom Rymes <trymes(a)rymes.com> wrote:
>>>>> 
>>>>> On 12/16/2019 5:20 PM, Michael Tremer wrote:> Hi,
>>>>>> 
>>>>>>> On 16 Dec 2019, at 20:06, Tim FitzGeorge
> <lists(a)tfitzgeorge.me.uk> wrote:
>>>>>>> 
>>>>>>> Hi,
>>>>>>> 
>>>>>>> I've attached the current GUI screenshot.
>>>>>> 
>>>>>> Thanks for that.
>>>>>> 
>>>>>> I have a couple of suggestions/concerns about it:
>>>>> 
>>>>> [snip]
>>>>> 
>>>>>> c) I would suggest to remove the “safe” column because that is a
> very hard summary of what the lists do. We should explain that on the
> wiki. I guess this is too complicated to explain to our users in one
> sentence and it needs at least a page of text. People who do not read
> that have you just lost out.
>>>>> 
>>>>> [snip]
>>>>> 
>>>>> May I opine that the "Safe" information would be helpful to me in
> the WUI. Perhaps we can be more explicit, or better explain, such as is
> often done with RBLs in mail server settings, where lists are sometimes
> described in terms of their likelihood to cause false-positives.
>>>>> 
>>>>> It's all well and good in the documentation, but a quick
> "Safe|Moderate|Risky" listing in the WUI will prove handy, IMHO.
>>>>> 
>>>>> Just my $0.02 as more of a user than a developer,
>>>> 
>>>> I appreciate your input, but I still disagree with is that we take
> the decision if something is “risky” or not. There are too many things
> that need to be taken into account to make that decision and it probably
> varies for each user.
>>>> 
>>>> What I take from your comment though is that we should categorise
> the lists, and that is something we can do.
>>>> 
>>>> We can add a headline to the table and group the lists by “Blocking
> ambiguous packets”, “Blocking Malware”, etc.
>>>> 
>>>> That makes it easier for the user to decide which lists are
> interesting or even necessary depending on what they want to achieve.
>>>> 
>>>> How is that?
>>>> 
>>>> -Michael
>>>> 
>>>>> 
>>>>> Tom