From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH 0/5] ipblacklist: IP Address Blacklists
Date: Thu, 23 Jan 2020 10:53:30 +0000
Message-ID: <2B1113EB-06AA-4464-A133-6808DF0D7399@ipfire.org>

> On 22 Jan 2020, at 20:35, Tim FitzGeorge wrote:
>
> Hello Michael,
>
> On 06/01/2020 11:21, Michael Tremer wrote:
>> Hello Tim,
>>
>>> On 28 Dec 2019, at 21:17, Tim FitzGeorge wrote:
>>>
>>> Hi,
>>>
>>> Having decided that we'll categorise the lists, the question is what
>>> categories to use. They need to be:
>>>
>>> - Short (to fit on the screen)
>>> - Easily translatable
>>> - and above all, useful.
>>>
>>> Looking at the lists the obvious categories are:
>>>
>>> - Invalid Address (on the public internet)
>>> BOGON, BOGON_FULL
>>>
>>> - Scanner (not by itself malicious)
>>> SHODAN
>>>
>>> - Application (potentially unwanted)
>>> TOR_ALL, TOR_EXIT
>>>
>>> - Malware C & C
>>> FEODO_RECOMMENDED, FEODO_IP, FEODO_AGGRESIVE
>>>
>>> - Composite
>>> EMERGING_FWRULE
>>
>> I like all these a lot.
>>
>>> Less obvious are:
>>>
>>> - Reputation
>>> ALIENVAULT, CIARMY, SPAMHAUS_DROP, SPAMHAUS_EDROP
>>>
>>> - Attacks
>>> BLOCKLIST_DE, DSHIELD, EMERGING_COMPROMISED
>>
>> I even like those two, although I would potentially consider merging
>> "Invalid Address" and Reputation. They are kind of the same to me. IP
>> addresses I under no circumstances want to talk to.
>
> I think I'd rather keep them separate, since conceptually they're rather
> different. Also, if your red interface has a private address, you
> definitely wouldn't want to enable these lists.

Yes, that makes sense.

>
>>
>> I also like the Attacks category, although the name is very generic.
>> But I cannot come up with anything better. The only thing that might be
>> worth considering is to merge it with Malware and just call it "Malicious".
>
> I suspect that anything more specific than Attacks is going to only
> describe a single list. It's (unfortunately) a catch-all category for
> anything that doesn't fit better somewhere else.
>
> I'd rather not merge it with Malware C&C since the behaviour of the two
> is rather different - under most circumstances lists in this category
> shouldn't block any packets, whereas the Attacks category is expected to
> block a lot of inbound traffic.

I can follow your argument and I am all for it.

However, I am not sure if this is obvious from the category names. Instead of
wasting too much time thinking about them (because I am sure that we can slice
this cake in many different ways) I am okay with what you proposed if everybody
else is.

-Michael

>
>>
>>> I'm not sure that the distinction between these two is going to be
>>> helpful to most people (I'm not sure I understand it myself).
>>>
>>> We could use:
>>>
>>> - Top attackers
>>> DSHIELD, EMERGING_COMPROMISED, SPAMHAUS_DROP, SPAMHAUS_EDROP
>>>
>>> - Other attackers
>>> ALIENVAULT, BLOCKLIST_DE, CIARMY
>>>
>>> but that might be making a distinction that is better made by the user.
>>
>> Agreed. It is not obvious why some are top attackers and others are not.
>>
>> So I would 100% prefer the first option from above.
>>
>> Best,
>> -Michael
>>
>
> Tim
>
>>>
>>> Any opinions?
>>>
>>> Tim
>>>
>>>
>>> On 18/12/2019 12:10, Michael Tremer wrote:
>>>> Hi,
>>>>
>>>>> On 16 Dec 2019, at 23:05, Tom Rymes wrote:
>>>>>
>>>>> On 12/16/2019 5:20 PM, Michael Tremer wrote:
>>>>>> Hi,
>>>>>>
>>>>>>> On 16 Dec 2019, at 20:06, Tim FitzGeorge wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I've attached the current GUI screenshot.
>>>>>>
>>>>>> Thanks for that.
>>>>>>
>>>>>> I have a couple of suggestions/concerns about it:
>>>>>
>>>>> [snip]
>>>>>
>>>>>> c) I would suggest to remove the "safe" column because that is a
>>>>>> very hard summary of what the lists do. We should explain that on the
>>>>>> wiki. I guess this is too complicated to explain to our users in one
>>>>>> sentence and it needs at least a page of text. People who do not read
>>>>>> that, you have just lost out.
>>>>>
>>>>> [snip]
>>>>>
>>>>> May I opine that the "Safe" information would be helpful to me in
>>>>> the WUI. Perhaps we can be more explicit, or better explain, such as is
>>>>> often done with RBLs in mail server settings, where lists are sometimes
>>>>> described in terms of their likelihood to cause false positives.
>>>>>
>>>>> It's all well and good in the documentation, but a quick
>>>>> "Safe|Moderate|Risky" listing in the WUI will prove handy, IMHO.
>>>>>
>>>>> Just my $0.02 as more of a user than a developer,
>>>>
>>>> I appreciate your input, but what I still disagree with is that we take
>>>> the decision if something is "risky" or not. There are too many things
>>>> that need to be taken into account to make that decision and it probably
>>>> varies for each user.
>>>>
>>>> What I take from your comment though is that we should categorise
>>>> the lists, and that is something we can do.
>>>>
>>>> We can add a headline to the table and group the lists by "Blocking
>>>> ambiguous packets", "Blocking Malware", etc.
>>>>
>>>> That makes it easier for the user to decide which lists are
>>>> interesting or even necessary depending on what they want to achieve.
>>>>
>>>> How is that?
>>>>
>>>> -Michael
>>>>
>>>>>
>>>>> Tom
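An added example, not part of the thread or of IPFire's ipblacklist code, that turns the category split proposed above and the argument about the two categories' different behaviour into simple triage logic: hits on "Malware C&C" lists (which should normally never fire) are escalated, hits on "Attacks" lists (expected to be noisy) are only counted, and the "Invalid Address" lists are flagged as unsuitable when the red interface has a private address. The record format and sample data are constructed here; nothing about IPFire's real log format is assumed.

```python
# Added example (not IPFire code). Categories exactly as proposed in the thread.
import ipaddress
from collections import Counter

CATEGORIES = {
    "Invalid Address": {"BOGON", "BOGON_FULL"},
    "Scanner": {"SHODAN"},
    "Application": {"TOR_ALL", "TOR_EXIT"},
    "Malware C&C": {"FEODO_RECOMMENDED", "FEODO_IP", "FEODO_AGGRESIVE"},
    "Composite": {"EMERGING_FWRULE"},
    "Reputation": {"ALIENVAULT", "CIARMY", "SPAMHAUS_DROP", "SPAMHAUS_EDROP"},
    "Attacks": {"BLOCKLIST_DE", "DSHIELD", "EMERGING_COMPROMISED"},
}
LIST_TO_CATEGORY = {lst: cat for cat, lists in CATEGORIES.items() for lst in lists}

def category_of(list_name):
    """Map a blocklist name to its category (None for an unknown list)."""
    return LIST_TO_CATEGORY.get(list_name)

def invalid_address_lists_safe(red_ip):
    """False when RED carries a private or otherwise non-global address:
    the bogon lists would then cover the firewall's own network."""
    return ipaddress.ip_address(red_ip).is_global

def triage(records):
    """records: (list_name, direction) tuples from drop logs (format constructed
    for this example). Returns per-category hit counts and the records worth
    an alert: any Malware C&C hit, since an internal host reaching a C&C
    address is an infection indicator rather than background noise, whereas
    Attacks hits are expected inbound volume."""
    counts = Counter()
    alerts = []
    for list_name, direction in records:
        cat = category_of(list_name) or "Unknown"
        counts[cat] += 1
        if cat == "Malware C&C":
            alerts.append((list_name, direction))
    return counts, alerts

# Constructed sample: a noisy day of inbound scans plus one outbound C&C hit.
SAMPLE = [("DSHIELD", "in")] * 3 + [("BLOCKLIST_DE", "in"),
                                     ("FEODO_IP", "out"), ("SHODAN", "in")]

if __name__ == "__main__":
    hit_counts, to_alert = triage(SAMPLE)
    print(dict(hit_counts), to_alert, invalid_address_lists_safe("10.0.0.2"))
```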