From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH 0/5] ipblacklist: IP Address Blacklists Date: Thu, 30 Jan 2020 21:26:04 +0000 Message-ID: <81298A5A-9D19-4CEB-83A0-AD9A6A3100B8@ipfire.org> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1732148411823286687==" List-Id: --===============1732148411823286687== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi, > On 30 Jan 2020, at 20:24, Tim FitzGeorge wrote: >=20 > Hi, >=20 > On 30/01/2020 12:54, Michael Tremer wrote: >> Hi, >>=20 >>> On 29 Jan 2020, at 20:40, Tim FitzGeorge wrote: >>>=20 >>> Hi, >>>=20 >>> On 28/01/2020 17:14, Michael Tremer wrote: >>>> Hi, >>>>=20 >>>> Apologies for my late reply again. I marked this email in my inbox and t= hen it scrolled down because of loads of new stuff coming in. Please feel fre= e to ping me if I do not respond in time. >>>=20 >>> That's OK. It took me a little longer than expected to check the patches. >>>>=20 >>>>> On 24 Jan 2020, at 19:40, Tim FitzGeorge wro= te: >>>>>=20 >>>>> I'm now nearly ready to submit the updated patches, but before then I'd >>>>> like to check that you're happy with some of my design decisions. >>>>=20 >>>> Cool. >>>>=20 >>>>> _IPTables_Chains_ >>>>>=20 >>>>> When setting up the firewall (in iptables_init()), four new chains are >>>>> created, IPBLACKLISTIN, IPBLACKLISTOUT, IPBLACKLISTREDIN and >>>>> IPBLACKLISTREDOUT. The first two are inserted into the INPUT, OUTPUT >>>>> and FORWARD chains, before the IPS chains. The main script is called to >>>>> restore the previously saved blacklists, creating the rules in the >>>>> latter two chains. >>>>=20 >>>> For readability you can simply call them BLACKLIST*. The IP is a given. >>>=20 >>> Good point. I'll make the change. >>>=20 >>>>=20 >>>>> In iptables_red_up(), rules are created to forward traffic to/from the >>>>> red interface from IPBLACKLISTIN/IPBLACKLISTOUT to >>>>> IPBLACKLISTREDIN/IPBLACKLISTREDOUT. >>>>> I did consider putting the blacklist rules into the >>>>> IPBLACKLISTIN/IPBLACKLISTOUT, but this couldn't be done until red comes >>>>> up and would require much more processing at this point - not a problem >>>>> if your red interface comes up and stays up, but if you've got one that >>>>> disconnects on no traffic you probably don't want the extra overhead. >>>>> The way I've done it also has the side effects of 1) the main script >>>>> doesn't have to worry about what the red interface is, and 2) if you're >>>>> using multiple blacklists, the check for the red interface is only done >>>>> once. >>>>=20 >>>> You would only want to check the interface once and then jump into the c= hain. Can we not realise it that way? >>>=20 >>> I'm not sure what you're suggesting. >>> I insert BLACKLISTIN into INPUT & FORWARD and BLACKLISTOUT into OUTPUT & >>> FORWARD. These receive all non-ICMP traffic. On red up traffic from >>> the red interface is sent from BLACKLISTIN to BLACKLISTREDIN and traffic >>> to the red interface is sent from BLACKLISTOUT to BLACKLISTREDOUT. >>> The rules to check against the IPSets are put into the *RED* chain, >>> checking against the source or destination addresses as appropriate. >>=20 >> This sounds very complicated to me. >>=20 >> Why can we not check this in BLACKLISTIN/OUT? >=20 > Unfortunately at that point in the setup the red interface in > /var/ipfire/red/iface is not always set, so it's not possible to check > the interface when creating the rules to jump to BLACKLISTIN/OUT. Yes, I agree with the delayed initialisation of that chain. But where is the difference between the two chains here? You would add rules like this: iptables -A BLACKLISTIN -i $RED -m set --set some-blacklist src -j REJECT Those can go into BLACKLISTIN. There is no point in jumping into BLACKLISTRED= IN first and then having this rule: iptables -A BLACKLISTREDIN -m set --set some-blacklist src -j REJECT > It would be possible to delay creating the rules to check against the > IPSets until red comes up and then check the interface in the individual > blacklist rules, but that duplicates the interface check. The current > arrangement is the best I've come up with. The interface check is cheap. It is an integer. I suppose jumping to another = chain is worse, but not by much. >=20 >>=20 >>>>=20 >>>>> _Log_WUI_Pages_ >>>>>=20 >>>>> The two Log WUI pages are edited from existing pages. I've resisted the >>>>> temptation to reformat them, which means that they can be diff'ed with >>>>> the corresponding pages. >>>>=20 >>>> Loads of the UI code is messy and deliberately not touched any more. I g= uess this is fine. >>>=20 >>> Yes, it's not pretty, but it is pragmatic. >>>>=20 >>>>> _Update_ >>>>>=20 >>>>> The update is fairly simple - it calculates whether the check period is >>>>> passed, tries a download specifying the If-Modified-Since and parses the >>>>> returned file. It then compares the new list with the existing list, >>>>> adding new addresses/networks and deleting those that have been removed. >>>>> There's a check to handle a list changing from a list of addresses to a >>>>> list of networks, in which case it changes the type of the IPSet - this >>>>> should be a vary rare event, but could happen for a composite list. >>>>=20 >>>> Why do you need the diff? Has that been in the first patchset? >>>=20 >>> It was, yes. >>>=20 >>> Originally I did it for performance. It took over a minute to process >>> the ALIENVAULT list (over 80 000 entries); just calling ipset with >>> changes reduced this to a few seconds. I've since modified the code to >>> pipe commands to a process running 'ipset restore', which has >>> drastically speed up the processing, but it's still a little bit quicker >>> to just do changes. >>>=20 >>> The second reason is that it doesn't feel right to flush the old list, >>> thus removing its protection while the new one is loaded, especially if >>> the new list is the same as the old list (not all sources implement >>> IP-Modified-Since). The actual period of reduced protection may be >>> short, but I prefer to avoid it. >>=20 >> Okay. I was hoping that the =E2=80=9Cipset restore=E2=80=9D update would f= lush and add everything again in one large atomic operation. >=20 > It would be possible to send a 'flush' command to 'ipset restore', but > the blacklists still have to be read and then the entries turned into > the correct 'add' commands. There's also some additional processing to > handle the hash type changing (between hash:ip and hash:net) and also > for the size growing too large for the size of the IPSet. By the time > this is all done, I don't think that there's any advantage to be gained > in doing a flush followed by a bulk load of everything. >>=20 >>>>=20 >>>> Just reloading the whole ipset should be easier. >>>>=20 >>>>> _Enabling/Disabling_Blacklists_ >>>>>=20 >>>>> For changes to the existing firewall rules, the firewall is shut down >>>>> and restarted from scratch. The blacklist script does this on the fly, >>>>> since the possibilities are simpler than all the options available for >>>>> the firewall and also the necessary code for doing updates means that >>>>> adding this code is fairly simple. This includes turning logging on and >>>>> off. >>>>=20 >>>> What do you mean by that? /etc/init.d/firewall restart? >>>>=20 >>>> That is something we cannot do because IPsec and some other services cre= ate temporary rules that would be lost. >>>=20 >>> No. I'm actually trying to say the opposite (badly). The existing >>> IPFire code only implements some firewall changes by shutting down and >>> restarting the firewall, but all the IP Blacklist functions >>> (enable/disable/update lists, enable/disable logging) can be done >>> without this - the necessary rules can be added to/deleted from the >>> BLACKLISTRED* chains without affecting any of the rest of the firewall >>> system. >>=20 >> Ah cool. That is how it needs to be. >>=20 >> -Michael >>=20 >>> Tim >>=20 >> P.S. Is there actually a reason why you do not have a shell account on our= servers and host your changed on our git server? I am not sure if I ever off= ered you one, but it would help me a lot to have a look at the code in a git = repo :) >=20 > You haven't previously offered me one (or I can't remember it anyway). > I think it would make sense given the moderately large amount of code. Okay, I will contact you privately about this. Sorry for not doing this earli= er. Best, -Michael >=20 > Tim >>=20 >>>=20 >>>>=20 >>>>> _Logging_ >>>>>=20 >>>>> The main scripts logs to syslog as ipblacklist, but if you run it from >>>>> the command line it'll also output to the terminal. >>>>> There's also some debug code which can be turned on by setting a value >>>>> in the settings file - it's turned on at the lowest level automatically >>>>> if you run from the command line. >>>>=20 >>>> Yes that is fine. >>>>=20 >>>> Best, >>>> -Michael >>>>=20 >>>>> Tim >>>>>=20 >>>>> On 06/01/2020 11:27, Michael Tremer wrote: >>>>>> Hello all, >>>>>>=20 >>>>>>> On 4 Jan 2020, at 19:02, Tim FitzGeorge wr= ote: >>>>>>>=20 >>>>>>> Hello, >>>>>>>=20 >>>>>>> I've now updated the code - screenshots are attached. >>>>>>>=20 >>>>>>> IP_Address_Blacklists.png >>>>>>>=20 >>>>>>> This is the settings page. I don't think there's anything unexpected= here. >>>>>>=20 >>>>>> Yes, that looks a lot like the other IPFire pages :) >>>>>>=20 >>>>>>> IP_Address_Blacklist_Logs.png >>>>>>>=20 >>>>>>> The log page, replacing the status information that was previously at >>>>>>> the top of the settings page. >>>>>>=20 >>>>>> Looks great! >>>>>>=20 >>>>>>> I've sorted the lists alphabetically, rather than by the number of hi= ts >>>>>>> since the worst threat is not necessary the largest number of blocked >>>>>>> packets (which could implied by sorting it by number). >>>>>>=20 >>>>>> Yes, that is indeed a very good idea. >>>>>>=20 >>>>>> You could add a % sign in the percentage column, so it cannot be confu= sed so easily with the other column. >>>>>>=20 >>>>>>> Firewall_log_blacklist.png >>>>>>>=20 >>>>>>> Details page accessed from the log. Almost identical to the other >>>>>>> similar pages. >>>>>>=20 >>>>>> *thumbs up* >>>>>>=20 >>>>>>> Log_Summary.png >>>>>>>=20 >>>>>>> This is an extract from the Log Summary page produced by logwatch. >>>>>>>=20 >>>>>>> I still need to do some tidying, remove unused language strings etc., >>>>>>> and then update and test the patches, so it'll be some time before I'm >>>>>>> ready to submit updated patches. >>>>>>=20 >>>>>> Feel free to send some RFC to the list. It might be slightly noisy, bu= t it is easier to review changes bit after bit. >>>>>>=20 >>>>>> Great great work! >>>>>>=20 >>>>>> -Michael >>>>>>=20 >>>>>>>=20 >>>>>>> Tim >>>>>>>=20 >>>>>>> On 28/12/2019 20:59, Tim FitzGeorge wrote: >>>>>>>> Hi, >>>>>>>>=20 >>>>>>>> I'll code and test what we've agreed on. In the meantime I'm going = to >>>>>>>> reply on the sub-thread started by Tom Rymes as to what we call the = list >>>>>>>> categories, so that we can keep that discussion separate from further >>>>>>>> functionality etc. discussion. >>>>>>>>=20 >>>>>>>> Tim >>>>>>>>=20 >>>>>>>> On 21/12/2019 18:34, Tim FitzGeorge wrote: >>>>>>>>> Hi, >>>>>>>>>=20 >>>>>>>>> I've got my systems checking for downloads at 15 minute intervals a= nd >>>>>>>>> using If-Modified-Since. This all seems to be working OK. >>>>>>>>>=20 >>>>>>>>> Responses to comments below: >>>>>>>>>=20 >>>>>>>>> On 18/12/2019 12:07, Michael Tremer wrote: >>>>>>>>>> Hi, >>>>>>>>>>=20 >>>>>>>>>>> On 17 Dec 2019, at 18:21, Tim FitzGeorge wrote: >>>>>>>>>>>=20 >>>>>>>>>>> Hi, >>>>>>>>>>>=20 >>>>>>>>>>> I think we've agreed on the following: >>>>>>>>>>>=20 >>>>>>>>>>> - Checks to be made every 15 minutes, subject to per-list minimum= rate. >>>>>>>>>>> - Modify download to use If-Modified-Since rather than separate H= EAD >>>>>>>>>>> request. >>>>>>>>>>> - Remove automatic blacklist. >>>>>>>>>>=20 >>>>>>>>>> I thought someone wants to counter my argument. This is not a dict= atorship :) >>>>>>>>>>=20 >>>>>>>>>>>=20 >>>>>>>>>>> other comments are below. >>>>>>>>>>>=20 >>>>>>>>>>> Tim >>>>>>>>>>>=20 >>>>>>>>>>> On 16/12/2019 22:20, Michael Tremer wrote: >>>>>>>>>>>> Hi, >>>>>>>>>>>>=20 >>>>>>>>>>>>> On 16 Dec 2019, at 20:06, Tim FitzGeorge wrote: >>>>>>>>>>>>>=20 >>>>>>>>>>>>> Hi, >>>>>>>>>>>>>=20 >>>>>>>>>>>>> I've attached the current GUI screenshot. >>>>>>>>>>>>=20 >>>>>>>>>>>> Thanks for that. >>>>>>>>>>>>=20 >>>>>>>>>>>> I have a couple of suggestions/concerns about it: >>>>>>>>>>>>=20 >>>>>>>>>>>> a) I am not sure what the value is about the top box that is cal= led =E2=80=9CStatus=E2=80=9D. It is basically a summary of the iptables outpu= t, but will it help the user? A blacklist with more or fewer entries is not b= etter or worse, blocking more packets isn=E2=80=99t better than blocking fewe= r. It is about the quality of the blocks. >>>>>>>>>>>=20 >>>>>>>>>>> I agree that the size of the lists is not all that useful, but the >>>>>>>>>>> information about the number of blocked packets can be an indicat= ion of >>>>>>>>>>> compromise. It depends on the type of the list, but a list that = targets >>>>>>>>>>> C&C channels (e.g. the FEODO lists) should not show any input pac= kets >>>>>>>>>>> being blocked, unless one of the computers being protected is inf= ected. >>>>>>>>>>> Apart from the BOGON lists, none of the lists should show any out= put >>>>>>>>>>> packets being blocked; again it's a potential indication of infec= tion if >>>>>>>>>>> otherwise. >>>>>>>>>>=20 >>>>>>>>>> The Shodan list will definitely show some activity unless you are = behind CG NAT. >>>>>>>>>>=20 >>>>>>>>>> Should we not have this rather in the logging section? >>>>>>>>>>=20 >>>>>>>>>> And these counters here will be reset when the firewall is being r= eloaded. Should this data therefore not be collected from the logs so that yo= u can go back in time? That would be very important to identify any start of = compromise. >>>>>>>>>>=20 >>>>>>>>>=20 >>>>>>>>> That makes sense. I'll remove the status from this page and create= a >>>>>>>>> log page for the information. If anyone actually wants the iptables >>>>>>>>> information it's available in from Firewall > iptables anyway. >>>>>>>>>=20 >>>>>>>>> Do you think it makes more sense to show packets blocked in/out or >>>>>>>>> packets blocked per source interface? The latter would of (limited) >>>>>>>>> help in tracking down potential compromise. >>>>>>>>>=20 >>>>>>>>>>>>=20 >>>>>>>>>>>> b) I would prefer to move the settings box to the top. If you li= ke you can show the size of the blacklists there and when they have been upda= ted, too. >>>>>>>>>>>=20 >>>>>>>>>>> I put the status at the top since it's usually what I want to see= when I >>>>>>>>>>> go to the page. Under normal circumstances I don't change the se= ttings, >>>>>>>>>>> so I'd rather not have to scroll past them to get to the informat= ion I'm >>>>>>>>>>> actually interested in. The update times are just useful to show= that >>>>>>>>>>> the lists are actually being updated. The size is interesting to= me, >>>>>>>>>>> but as you say it probably won't help the average user, especiall= y if >>>>>>>>>>> you don't know which lists block individual addresses and which b= lock >>>>>>>>>>> nets (BOGON, DSHIELD and EMERGING_COMPROMISED). >>>>>>>>>>=20 >>>>>>>>>> See my comment on the order above. Splitting the page might make s= ense. >>>>>>>>>>=20 >>>>>>>>>> When you show size, does that mean lines in the blacklists? So it = could be networks or single IP addresses? Does it not make sense to count IP = addresses (i.e. 256 for a /24 network and so on) and put it in the table? >>>>>>>>> It's lines in the blacklist. >>>>>>>>>=20 >>>>>>>>>>=20 >>>>>>>>>> I think I would only be interested in the size for two things: >>>>>>>>>>=20 >>>>>>>>>> a) Is there any chance for overblocking? i.e. does the list have 2= billion entries which would be half the public IPv4 address space or so. I c= annot really come up with a good example here. >>>>>>>>>>=20 >>>>>>>>>> Or >>>>>>>>>>=20 >>>>>>>>>> b) What is the performance impact/memory consumption of the list? >>>>>>>>>=20 >>>>>>>>> It would be interesting to show the type (single address or net), n= umber >>>>>>>>> of entries and number of addresses; the first two affect performanc= e, >>>>>>>>> the second memory use and the latter the number of blocked addresse= s, >>>>>>>>> but that's really only going to be of interest to a very small numb= er of >>>>>>>>> people, who can always do 'ipset list -t' to get the information. = So >>>>>>>>> I'll remove the size column. >>>>>>>>>=20 >>>>>>>>>>=20 >>>>>>>>>>> I originally had the status and settings in one list, but I decid= ed that >>>>>>>>>>> it was getting a bit messy and difficult to follow. I've attache= d a >>>>>>>>>>> screenshot of a quickly hacked page. (Note that the status area = only >>>>>>>>>>> appears once the blacklists have been enabled.) >>>>>>>>>>=20 >>>>>>>>>> You are right. This is getting quite tight there. >>>>>>>>>>=20 >>>>>>>>>> You could write packets in/out into on column like 2k/1023, but se= e my concerns about this above. >>>>>>>>>=20 >>>>>>>>> Actually I've come to the conclusion that the number of bytes block= ed >>>>>>>>> isn't all that important; it's sufficient to show the number of pac= kets. >>>>>>>>>=20 >>>>>>>>>>=20 >>>>>>>>>>>>=20 >>>>>>>>>>>> c) I would suggest to remove the =E2=80=9Csafe=E2=80=9D column b= ecause that is a very hard summary of what the lists do. We should explain th= at on the wiki. I guess this is too complicated to explain to our users in on= e sentence and it needs at least a page of text. People who do not read that = have you just lost out. >>>>>>>>>>>=20 >>>>>>>>>>> I agree that it's it's an over simplistic summary of the lists. = I note >>>>>>>>>>> that Tom Rymes has asked to keep it, but I think its only value i= s if it >>>>>>>>>>> suggests to users that things are more complicated than they appe= ar and >>>>>>>>>>> therefore prompts them to read the Wiki. >>>>>>>>>>=20 >>>>>>>>>> I will reply to that separately. >>>>>>>>>=20 >>>>>>>>> Looking at that reply, I think it makes sense to include a category >>>>>>>>> column in both the settings and the log summary page - the former to >>>>>>>>> help selection of which lists to use, and the latter as a help when >>>>>>>>> deciding whether the information could indicate compromise or not. >>>>>>>>>=20 >>>>>>>>>>=20 >>>>>>>>>>>>=20 >>>>>>>>>>>> d) I do not understand what the =E2=80=9Cupdate check rate=E2=80= =9D means. I suppose we should show the update interval of the lists in the t= able and just refresh them according to that. >>>>>>>>>>>=20 >>>>>>>>>>> It's the minimum check period for updates. The system checks for >>>>>>>>>>> updates at either the rate specific to the list or this rate, whi= chever >>>>>>>>>>> is slower. This is a hangover from the early days, copied from t= he IPS >>>>>>>>>>> updates. I suppose it could have a value for some people who may= wish >>>>>>>>>>> to lower the check rate, but I'm not sure that it has sufficient = value >>>>>>>>>>> to be worth keeping. >>>>>>>>>>=20 >>>>>>>>>> No, I would not let the user decide when and how often to update t= he lists. >>>>>>>>>=20 >>>>>>>>> OK. I'll remove it. >>>>>>>>>=20 >>>>>>>>>>=20 >>>>>>>>>> Generally there is this argument internally how often some databas= es should be updated. People with slow internet connections or volume based d= ata plans will find this rather expensive to update those lists too often. >>>>>>>>>>=20 >>>>>>>>>> If we ever want to go ahead with that in IPFire 2, there should be= a global switch for a =E2=80=9Clow data mode=E2=80=9D which then delays upda= ting these things. >>>>>>>>>=20 >>>>>>>>> That makes sense. Maybe also the ability to set when downloads take >>>>>>>>> place - but as you say that's for the future. >>>>>>>>>=20 >>>>>>>>>>=20 >>>>>>>>>>>>=20 >>>>>>>>>>>> e) Do we want to keep the automatic blacklists now? I do not thi= nk it will actually improve the security of IPFire. >>>>>>>>>>>>=20 >>>>>>>>>>>=20 >>>>>>>>>>> I'll remove them. I think they do have a use, in that they can d= etect >>>>>>>>>>> someone doing a port scan and block them before they find an open= port, >>>>>>>>>>> but as you say there is also the possibility of a DOS. >>>>>>>>>>=20 >>>>>>>>>> How would this block a DOS? >>>>>>>>>=20 >>>>>>>>> Sorry, I didn't make myself clear - there's the possibility that so= meone >>>>>>>>> could cause a DOS with the automatic list by faking the source IP >>>>>>>>> address and sending a few packets on a random port. >>>>>>>>>=20 >>>>>>>>>>=20 >>>>>>>>>> -Michael >>>>>>>>>=20 >>>>>>>>> Tim >>>>>>>>>>=20 >>>>>>>>>>>>>=20 >>>>>>>>>>>>> I'll update the code based on our discussions, and submit an up= dated set >>>>>>>>>>>>> of patches - I imagine there will have to be at least one more = iteration. >>>>>>>>>>>>=20 >>>>>>>>>>>> Let=E2=80=99s wait until we have come to decisions :) >>>>>>>>>>>>=20 >>>>>>>>>>>> -Michael >>>>>>>>>>>>=20 >>>>>>>>>>>>>=20 >>>>>>>>>>>>> Tim >>>>>>>>>>>>>=20 >>>>>>>>>>>>> (No additional comments below) >>>>>>>>>>>>>=20 >>>>>>>>>>>>> On 13/12/2019 23:11, Michael Tremer wrote: >>>>>>>>>>>>>> Hi, >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> Again my apologies for my late reply. Busy busy weeks. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> On 8 Dec 2019, at 20:50, Tim FitzGeorge wrote: >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> Hello, >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> It's my turn to apologise for being slow to respond - I've ha= d a busy >>>>>>>>>>>>>>> week, but I should have plenty of time over the next couple o= f weeks. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> No worries. Turns out we all do :) >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> I've made most of the comments inline, however I think Michae= l had a >>>>>>>>>>>>>>> question (which I can't find now) about what happens if someo= ne enables >>>>>>>>>>>>>>> all the lists. One thing which would perhaps make this less = likely is >>>>>>>>>>>>>>> that the WUI tags the available lists with whether they're sa= fe or not, >>>>>>>>>>>>>>> with a footnote that safe means that the list only blocks mal= icious >>>>>>>>>>>>>>> traffic. This won't guarantee that a user won't still try to= enable all >>>>>>>>>>>>>>> the lists, but it should make them realise that they should t= hink first. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> We had a couple of features going slightly wrong or being =E2= =80=9Cmisunderstood=E2=80=9D by some users. People still seem to panic when t= hey see =E2=80=9Clocal recursor=E2=80=9D. To this day I do not know why. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> We cannot make everything idiot-proof. And when some user if o= f that category, they probably should shutdown their IPFire box, educate them= selves and then come back again. So I do not want to limit people, but make t= hings as easy as possible. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> If someone enables all the lists, good luck with passing packe= ts :) >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> I have considered replacing this tag with a risk high/medium/= low and >>>>>>>>>>>>>>> maybe adding a category (invalid/application/scanner/C&C or s= omething >>>>>>>>>>>>>>> like that), but that may provide too much information and dis= suade them >>>>>>>>>>>>>>> from actually following the links to checkout what the list a= ctually does. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> Can we have a screenshot of the GUI right now? I didn=E2=80=99= t run the code, yet. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> We should document the lists like we do it with the rulesets o= f the IPS. People might ignore this, but that is on them. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> Tim >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> On 05/12/2019 22:25, Michael Tremer wrote: >>>>>>>>>>>>>>>> Hello, >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>> On 4 Dec 2019, at 17:05, Peter M=C3=BCller wrote: >>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>> Hello Tim, hello Michael, >>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>> please see my responses inline... >>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>> We could periodically update the blacklists on our main = mirror (and >>>>>>>>>>>>>>>>>>>> wait for the network to sync it), make sure it is signed= and write >>>>>>>>>>>>>>>>>>>> a small downloader that fetches, validates and installs = them. >>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>> @All: Thoughts on this? >>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>> I think there are a number of points here. >>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>> Firstly, from the point of a third party using IPFire, is= this really >>>>>>>>>>>>>>>>>>> solving the privacy disclosure problem? There's no way r= ound disclosing >>>>>>>>>>>>>>>>>>> your public IP address to someone you're downloading from= ; all this does >>>>>>>>>>>>>>>>>>> is change who that information is being disclosed to. Fo= r the user >>>>>>>>>>>>>>>>>>> there's no way of knowing whether the source is more or l= ess protective >>>>>>>>>>>>>>>>>>> of the user's privacy than the blacklist provider. Indee= d it won't be >>>>>>>>>>>>>>>>>>> possible to know who the lists are being downloaded from = until the >>>>>>>>>>>>>>>>>>> download starts. >>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>> There is a way: Tor. But that is a totally different story. >>>>>>>>>>>>>>>>> Well, I see a third option on this: Use the mirror infrastr= ucture we already >>>>>>>>>>>>>>>>> have. Every IPFire installation discloses its public IP add= ress to one of these >>>>>>>>>>>>>>>>> servers sooner or later, so we do not disclose additional d= ata if the blacklists >>>>>>>>>>>>>>>>> were fetched from these. >>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>> Needless to say, Tor (hidden services) would be better, but= that is a different >>>>>>>>>>>>>>>>> story indeed. :-) >>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>> The point is rather that a forget list can be sent instead= of the =E2=80=9Creal=E2=80=9D one. >>>>>>>>>>>>>>>>> I did not get this. Forget? Forged?? ??? >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>> Yes, I meant to write forged, but auto-correct didn=E2=80=99= t let me. >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>> Secondly, latency; some of the lists are updated every 5 = minutes. While >>>>>>>>>>>>>>>>>>> I've limited the maximum check rate to hourly, will the u= pdates >>>>>>>>>>>>>>>>>>> propagate quickly enough. For reference on my main syste= m the 24 >>>>>>>>>>>>>>>>>>> updates on the CIARMY list made 143 498 changes (addition= s or >>>>>>>>>>>>>>>>>>> deletions). I've seem it do over 200 000. >>>>>>>>>>>>>>>>> Yes, I observe that behaviour for CINS/CIArmy too. Unfortun= ately, they do not >>>>>>>>>>>>>>>>> document a recommended update interval anywhere, so we can = only guess. >>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>> Personally, more static lists seem to be preferable for pac= ket filtering. Highly >>>>>>>>>>>>>>>>> dynamic ones such as CIArmy should be done via DNSBL querie= s or something similar >>>>>>>>>>>>>>>>> - do we really want to have that list here? >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>> It is not really an option to implement a DNSBL into a packe= t filter, but I get your point. >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> One of the 'selling points' for an IP address blacklist is th= at it can >>>>>>>>>>>>>>> respond quickly to new threats - or rather new attackers. Wh= ile a new >>>>>>>>>>>>>>> IDS/IPS rule needs time to analyse the threat, generate a rul= e and check >>>>>>>>>>>>>>> it, it's easy to add an address to a list. So, I think the C= IArmy list >>>>>>>>>>>>>>> is potentially useful for protecting home systems etc. with b= udget >>>>>>>>>>>>>>> hardware, but I would be very careful about using it for a pr= otecting a >>>>>>>>>>>>>>> general access website. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> If they are very volatile, we should honour that and update th= em often, too. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> It probably is more about false-positives being removed very q= uickly instead of adding threats very quickly. The average IPFire user is pro= bably not under threats like these to need to react very quickly. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> So I do not see much value in adding those lists and then upda= ting once a day. Does it have to be every 5 min? No. I would suggest 15 which= should be good enough for everyone. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> Other lists should of course not be updated every 15 minutes w= hen not needed. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> Running every 15 minutes would allow us to retry downloading l= ists that are on an hourly schedule if the download failed. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>> How did you come up with the hour? Will it be retried more= often if the download was not successful? >>>>>>>>>>>>>>>>> One hour is the most common interval indeed, but adding som= e random time might >>>>>>>>>>>>>>>>> be useful in order to reduce load on the servers providing = a blacklist. >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>> Yes, definitely. Otherwise we will shoot down our mirrors. >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> When I implemented that section of code, specifying the minim= um check >>>>>>>>>>>>>>> period in hours seemed to provide a convenient way of allowin= g a check >>>>>>>>>>>>>>> period covering a wide range, with an hour as the fastest and= a week as >>>>>>>>>>>>>>> the slowest. I didn't looked at the CIArmy list until much l= ater. Most >>>>>>>>>>>>>>> of the lists don't change nearly as much, but the CIArmy list= is >>>>>>>>>>>>>>> described as one that deliberately responds quickly. >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> From my production system, for yesterday: >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> The following block lists were updated: >>>>>>>>>>>>>>> BLOCKLIST_DE: 24 Time(s) - 9341 change(s) >>>>>>>>>>>>>>> BOGON_FULL: 1 Time(s) - 10 change(s) >>>>>>>>>>>>>>> CIARMY: 24 Time(s) - 159134 change(s) >>>>>>>>>>>>>>> DSHIELD: 7 Time(s) - 18 change(s) >>>>>>>>>>>>>>> EMERGING_FWRULE: 1 Time(s) - 50 change(s) >>>>>>>>>>>>>>> FEODO_AGGRESIVE: 24 Time(s) - 13 change(s) >>>>>>>>>>>>>>> SHODAN: 1 Time(s) - 0 change(s) >>>>>>>>>>>>>>> SPAMHAUS_DROP: 1 Time(s) - 0 change(s) >>>>>>>>>>>>>>> TOR_EXIT: 24 Time(s) - 162 change(s) >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> Very interesting statistics. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> and my test system: >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> The following block lists were updated: >>>>>>>>>>>>>>> ALIENVAULT: 19 Time(s) - 5331 change(s) >>>>>>>>>>>>>>> EMERGING_COMPROMISED: 1 Time(s) - 26 change(s) >>>>>>>>>>>>>>> TALOS_MALICIOUS: 1 Time(s) - 36 change(s) >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> That covers most of the lists. From the WUI, since 1 Dec: >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> Blacklist Entries pkts bytes Last updated >>>>>>>>>>>>>>> in in >>>>>>>>>>>>>>> AUTOBLACKLIST 0 731 51144 Sun Dec 8 18:40:02 2019 >>>>>>>>>>>>>>> BLOCKLIST_DE 28020 857 46735 Sun Dec 8 18:40:02 2019 >>>>>>>>>>>>>>> BOGON_FULL 214 5255 189K Sun Dec 8 16:50:04 2019 >>>>>>>>>>>>>>> CIARMY 15000 19774 976K Sun Dec 8 18:04:01 2019 >>>>>>>>>>>>>>> DSHIELD 20 7992 321K Sun Dec 8 16:45:13 2019 >>>>>>>>>>>>>>> EMERGING_FWRULE 1647 197 8383 Fri Dec 6 05:29:07 2019 >>>>>>>>>>>>>>> FEODO_AGGRESIVE 7169 0 0 Sun Dec 8 18:50:07 2019 >>>>>>>>>>>>>>> SHODAN 32 34 1530 Sun Dec 8 17:54:09 2019 >>>>>>>>>>>>>>> SPAMHAUS_DROP 823 0 0 Fri Dec 6 18:22:35 2019 >>>>>>>>>>>>>>> SPAMHAUS_EDROP 111 82 16433 Thu Dec 5 17:27:09 2019 >>>>>>>>>>>>>>> TOR_EXIT 1055 0 0 Sun Dec 8 18:31:02 2019 >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> This as well. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> Those are more packets than I would have expected. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> (I've left out the pkts/bytes out fields which were all 0) >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> Note that where possible I do a HEAD request first and then o= nly >>>>>>>>>>>>>>> download the list if the modification time has changed since = the last >>>>>>>>>>>>>>> check. For dynamically generated lists this isn't possible. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> You won=E2=80=99t need a HEAD request for it. You can include = it in the GET request. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> Have a look at location downloader where I use that. The serve= r will respond with 304 and not send any payload. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> https://git.ipfire.org/?p=3Dlocation/libloc.git;a=3Dblob;f=3Ds= rc/python/location-downloader.in;h=3D1b5932d5822e03737d32b2a27816815b2f7e74dd= ;hb=3DHEAD#l151 >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> If the download isn't successful it just gives up and waits f= or the next >>>>>>>>>>>>>>> attempt (apart from the usual retries in the library). I pro= bably >>>>>>>>>>>>>>> should to change that so that it only applies the per list mi= nimum >>>>>>>>>>>>>>> update period in this case (specified in the sources file) ra= ther than >>>>>>>>>>>>>>> the user specified value as well. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> I think it is not the worst if an update fails. It might just = happen every once in a while. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> So I would suggest to just re-run the script more often and wh= en the mtime of the file is older than the threshold, a download is attempted= . You can use that timestamp for the GET request. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> I already use a time offset on the downloads - when it's star= ted from >>>>>>>>>>>>>>> boot, backup restore or WUI enable, it checks to see if it's = installed >>>>>>>>>>>>>>> in the fcrontab, and if not adds itself at a randomly generat= ed offset >>>>>>>>>>>>>>> in the hour. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> That should potentially go to red.up, or if we can settle on 1= 5 minutes, I would consider that often enough to quickly update all lists aft= er a reboot. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>> Third, bandwidth; while the downloads are fairly small (A= LIENVAULT is >>>>>>>>>>>>>>>>>>> the largest at a few MB), there are going to be a lot of = them. How will >>>>>>>>>>>>>>>>>>> this affect the willingness of people to mirror IPFire? >>>>>>>>>>>>>>>>> I do not consider this being a problem as we do not generat= e that much traffic >>>>>>>>>>>>>>>>> to them. Of course, that depends on the update interval aga= in. >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>> That depends on your point of view. >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>> I do not have a problem with this at all in my data center, = but there are plenty of people with a volume-based LTE plan or simply a 128 k= Bit/s connection. It will take a longer time to download the lists for them. = We need to mind that. >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>> Talking about the preference of packet filter and IPS, I= prefer to >>>>>>>>>>>>>>>>>>>> use the latter as well as it gains more insight in what = kind of malicious >>>>>>>>>>>>>>>>>>>> traffic tried to pass a firewall machine. On systems wit= h low resources, >>>>>>>>>>>>>>>>>>>> this might be problematic and removing load from the IPS= can be preferred >>>>>>>>>>>>>>>>>>>> (make this configurable?!), on others, people might want= to have both >>>>>>>>>>>>>>>>>>>> results. >>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>> You're only going to get one result for a packet whicheve= r way round the >>>>>>>>>>>>>>>>>>> IP blacklist and IPS are since whichever comes first will= drop the >>>>>>>>>>>>>>>>>>> packet before it reaches the second (well it would be pos= sible to put >>>>>>>>>>>>>>>>>>> the IP blacklist first and get it to log and mark packets= which are then >>>>>>>>>>>>>>>>>>> dropped after the IPS, but I think that's getting a littl= e complicated. >>>>>>>>>>>>>>>>>>> In addition I've seen the messages about the trouble mark= ing was >>>>>>>>>>>>>>>>>>> causing in the QoS). >>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>> I think it's a 50/50 choice as to which is more valuable = first; it's >>>>>>>>>>>>>>>>>>> probably going to differ from packet to packet. For me t= he possibility >>>>>>>>>>>>>>>>>>> of reducing the IPS load means I prefer putting the IP bl= acklist first >>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>> It should be fairly easy to add the choice of where to pu= t the IP >>>>>>>>>>>>>>>>>>> blacklist. I think it'll have to be in the main firewall= script, so >>>>>>>>>>>>>>>>>>> it'll require a firewall restart, but it's not something = that'll be >>>>>>>>>>>>>>>>>>> changed often. >>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>> I do not think that the user should choose this. If we can= not easily make a decision, how can our users do this? Not saying they are st= upid here, we are just giving them something so that they do not have to put = the thought and research into things themselves and make their jobs easier. >>>>>>>>>>>>>>>>> Agreed. >>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>> I think performance matters. And if the IPS comes first, t= he most likely case would be that we are seeing a SYN packet that is being sc= anned and after that being dropped by the blacklist. It was pointless to even= scan the empty packet (TCP fast open aside). This is only different for othe= r packets with payloads. >>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>> We would protect the IPS from a SYN flooding attack here a= t least and from scanning more packets unnecessarily. >>>>>>>>>>>>>>>>> So dropping packets from blacklisted IP addresses/networks = before IPS is it, then. >>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>> I do not even think it makes sense to swap the order in th= e outgoing direction. >>>>>>>>>>>>>>>>> Me too. >>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>> What IPFire is lacking is a statistical analysis for those= logs. Collecting more and more data isn=E2=80=99t helpful from my point of v= iew. Only if you are looking at a very specific thing.This is true, but I am = not sure if it makes sense to spend too much work on this. >>>>>>>>>>>>>>>>> Based on my personal experience, firewall hits observed on = a single machine exposed >>>>>>>>>>>>>>>>> to the internet are interesting, but the overall situation = across multiple machines >>>>>>>>>>>>>>>>> is even more interesting. Very quickly, you'll end on somet= hing like a centralised >>>>>>>>>>>>>>>>> logging server and custom statistical analysis here... >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>> Probably a project for IPFire 4.0 :) >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> Or use one of the existing services, like the DSHIELD client >>>>>>>>>>>>>>> https://dshield.org/howto.html (subject to privacy concerns a= gain). >>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>>> Personally, I consider Spamhaus DROP/EDROP can be safely= enabled by default. >>>>>>>>>>>>>>>>>>>> I would love to see the bogon ruleset here, too (think a= bout 8chan successor >>>>>>>>>>>>>>>>>>>> hosted at unallocated RIPE space in Saint Petersburg), b= ut that will likely cause >>>>>>>>>>>>>>>>>>>> interference if RED does not have a public IP address as= signed. >>>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>>> I can add a field to the options file that controls wheth= er a list is >>>>>>>>>>>>>>>>>>> enabled by default. >>>>>>>>>>>>>>>>> Thank you. :-) >>>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>> To stress the point from above again: We would then share = all public IP addresses of all IPFire systems in the world with Spamhaus and = who is hosting their infrastructure. That can be considered a threat. >>>>>>>>>>>>>>>>> This is my only objection against this patchset. Now, what = can we do about it? >>>>>>>>>>>>>>>>> One possibility is to apply the patchset now and implement = a custom download >>>>>>>>>>>>>>>>> source thing later on, or do that before releasing Core Upd= ate 139 (or which version >>>>>>>>>>>>>>>>> the patchset will be to) after we agreed on something. >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>> I do not see this being merged for 139. But that is not impo= rtant. We need to get it right first and then release it. >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>> As far as I know, nobody has tested this, yet. >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> There are a number of people who have been running an earlier= version >>>>>>>>>>>>>>> which I shared on GitHub. There were a few early issues, but= it seems >>>>>>>>>>>>>>> to be OK now. >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> https://forum.ipfire.org/viewtopic.php?f=3D27&t=3D21845 >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> This version wasn't integrated into IPFire, so (for example) = it inserted >>>>>>>>>>>>>>> itself into the INPUT IPTables chain rather than having it's = chains >>>>>>>>>>>>>>> created as part of the firewall start-up script. >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>> I have huge concerns about the automatic blacklist. @Peter: = What is your opinion on this? >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> While I implemented it, I'm aware of its potential to cause p= roblems, >>>>>>>>>>>>>>> which is why it has to be separately enabled. It's not cause= d me any >>>>>>>>>>>>>>> issues at the default settings (blocks at over 10 packets per= hour until >>>>>>>>>>>>>>> 1 hour has passed without seeing packets from the address), b= ut I've not >>>>>>>>>>>>>>> used it on a site with publicly announced services. If I was= going to >>>>>>>>>>>>>>> use it on a web site I would want to, at the very minimum, dr= op the >>>>>>>>>>>>>>> block period drastically. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> I suppose this is entirely unusable on an IPFire box in a data= center that hosts things. Let=E2=80=99s say our rack in Hanover. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> You will have hits from some broken IP stacks and people might= just end up on this without doing anything wrong. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> You can denial-of-service easily as well and I suppose without= aggregation of data from many many systems, it does not make sense to instan= tly block addresses. And even then you probably would block an entire subnet. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>> So I am not sure how I should feel about it. I do not think th= at it adds anything because the packets would have been blocked anyways. >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> On the other hand, it's good at responding quickly. Usually = I see only >>>>>>>>>>>>>>> 1-2% of blocks from the automatic list: >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> Reason Count % First Last >>>>>>>>>>>>>>> CIARMY 2416 45 Dec 6 00:00 Dec 6 23:59 >>>>>>>>>>>>>>> DSHIELD 1353 25 Dec 6 00:00 Dec 6 23:59 >>>>>>>>>>>>>>> INPUT 1294 24 Dec 6 00:00 Dec 6 23:59 >>>>>>>>>>>>>>> AUTOBLACKLIST 122 2 Dec 6 00:20 Dec 6 16:28 >>>>>>>>>>>>>>> BLOCKLIST_DE 89 2 Dec 6 00:20 Dec 6 23:46 >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> and sometimes none at all, but one one occasion it blocked ov= er 8000 >>>>>>>>>>>>>>> packets. Again I'm aware this is for a home system, which is= rather >>>>>>>>>>>>>>> different than from a Web server. >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>> If we do, I will have a look at the licensing stuff (DShiel= d and Spamhaus do not >>>>>>>>>>>>>>>>> seem to be problematic, as they are hosted on 3rd party ser= vers, too). >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>> One of them will be, sooner or later. And one is enough I su= ppose. >>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>> DShield (https://dshield.org/api/#threatfeeds) and firehol >>>>>>>>>>>>>>> (http://iplists.firehol.org/) seem to host copies of most of = the lists >>>>>>>>>>>>>>> as well. >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>> I do not really want to overthink this - we didn=E2=80=99t d= o this with clamav for example either. But it probably is a decision to be ma= de by the user what they want to enable and we should not enable anything by = default. So no data will be leaked as long as the user does not consent. >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>> -Michael >>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>>=20 >>>>>>>>>>>>>>>>> Thanks, and best regards, >>>>>>>>>>>>>>>>> Peter M=C3=BCller >>>>>>>>>>>>>>=20 >>>>>>>>>>>>>=20 >>>>>>>>>>>>> >>>>>>>>>>>>=20 >>>>>>>>>>>=20 >>>>>>>>>>> >>>>>>>>>>=20 >>>>>>>>>=20 >>>>>>>>=20 >>>>>>>=20 >>>>>>> --===============1732148411823286687==--