From mboxrd@z Thu Jan 1 00:00:00 1970 From: ummeegge To: development@lists.ipfire.org Subject: Re: IP Address Blacklists Date: Wed, 19 Feb 2020 19:43:08 +0100 Message-ID: <74f000b75d7f9c8ad9df5ce357bcef854343d134.camel@ipfire.org> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============3319961236092813132==" List-Id: --===============3319961236092813132== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi Michael, Am Mittwoch, den 19.02.2020, 17:21 +0000 schrieb Michael Tremer: > Hi, >=20 > > On 19 Feb 2020, at 17:13, ummeegge wrote: > >=20 > > Hi Michael, > >=20 > > Am Mittwoch, den 19.02.2020, 11:52 +0000 schrieb Michael Tremer: > > > Hi, > > >=20 > > > > On 18 Feb 2020, at 16:49, ummeegge wrote: > > > >=20 > > > > Hi all, > > > >=20 > > > > Am Samstag, den 15.02.2020, 15:40 +0000 schrieb Tim FitzGeorge: > > > > > Hi, > > > > >=20 > > > > > I've pushed the my changes to implement IP Address Blacklists > > > > > to > > > > > the > > > > > repository at git://git.ipfire.org/people/timf/ipfire-2.x.git=20 > > > > > on > > > > > the > > > > > ipblacklist branch. > > > > >=20 > > > > > As a result of discussions with Michael, this has a number of > > > > > changes > > > > > from my first patch series: > > > > >=20 > > > > > - Removed autoblacklist. > > > > > - Added WUI log pages. > > > > > - Removed status from settings WUI page. > > > > > - Simplified download. > > > > > - Modified sources file 'rate' to allow unit to be specified. > > > > > - Updated sources file 'disable' to allow list to be > > > > > specified. > > > > > - Changed Dshield download URL to preferred address. > > > > > - Removed Abuse.ch blacklist (discontinued). > > > > > - Removed Talos Malicious blacklist (not appropriate). > > > > > - Added Feodo recommended blacklist. > > > > > - Added blocklist.de all blacklist. > > > > > - Updated ignored messages in logwatch. > > > > >=20 > > > > > There's also some additional code on the addresscheck branch > > > > > which > > > > > adds > > > > > a WUI page that can check why a URL or address is being > > > > > blocked. It's > > > > > not production ready, but may possibly be useful in testing. > > > > >=20 > > > > > Tim > > > >=20 > > > > thanks for your hard work here which looks great.=20 > > > > As far as i can see, there are no possiblities to add own > > > > lists. > > > > Might > > > > it be an idea for such a possibility ? I use currently e.g. > > > > lists > > > > from > > > > firehol --> http://iplists.firehol.org/ via script and IPSet. > > > > Am currently not sure how difficult it is to give the user > > > > there > > > > some > > > > individuality to choose it=C2=B4s own list ? > > >=20 > > > We currently do not allow this for the IPS either. > > >=20 > > > And I am not really sure if we should. Why would we not add the > > > lists > > > for all users if we see any value in them. > > >=20 > > > What reasons are there to allow users to do their own thing? > >=20 > > Use cases can be different e.g. i remeber a project in the old > > forum > > which was about a company blocker (facebook, Windows, Apple) or in > > general the whole telemetry stuff can also be unwanted and there > > are > > some lists out there which can help to block also the "good" ones. > > If > > there are own vast lists of unwanted IPs, IPSet which is working > > here, > > is then the best way to do so, therefor my idea to bring in some > > flexibility in this great project to prevent scripting around in > > parallel for, let=C2=B4s say, doing the same twice. >=20 > Is it not better to block the whole AS of those companies in the > firewall? The performance gain with IPSet causing the hash table can be significant -->=20 https://workshop.netfilter.org/2013/wiki/images/a/ab/Jozsef_Kadlecsik_ipset-o= sd-public.pdf#page=3D10 <-- haven=C2=B4t found some new performance tests but i thnk the results today are related close to another. Have experienced it by my own (with my ALIX back in the days) that the system was not usable after the try to handle some thousands IPs/CIDRs via IPTables (therefore i pushed IPSet at that time). Since this project delivers WUI access to IPSet, which is really great, beneath the really practical handling of block lists, some more advantages are may on the doorstep ?=20 We would have also a comparable design with the Proxy/URL-Filter whereby the user do also handle the challenge/possibility to upload/download/integrate own lists. Sorry for appearing may a little unhumble which i really do not want and am also really not sure how much more work that costs but wanted to bring on some ideas and am nonetheless thankful with the already made process. >=20 > >=20 > > >=20 > > > >=20 > > > > Best, > > > >=20 > > > > Erik > > > >=20 > > >=20 > > >=20 >=20 >=20 --===============3319961236092813132==--