From: "Peter Müller" <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: Re: Status emails and IP Blocklists
Date: Sun, 02 Dec 2018 13:08:59 +0100 [thread overview]
Message-ID: <82f1331b-1f20-b071-56dc-060bfed62432@link38.eu> (raw)
In-Reply-To: <C0C38A41-47DB-46E9-A177-38886D5F95FA@ipfire.org>
Hello Michael,
> Hey,
>
>> On 1 Dec 2018, at 20:18, Peter Müller <peter.mueller(a)link38.eu> wrote:
>>
>> Hello Tim, hello Michael,
>>
>>>
>>>> The second addon handles the setting up and updating of IP Address
>>>> Blocklists in the firewall. It includes options to select which lists
>>>> to use, and some control over how frequently to check for updates.
>>>
>>> I guess Peter might be quite excited about this :)
>> I _am_ excited about this indeed. Especially the "Emerging FW" combined
>> list sounds very interesting. Dropping bogon traffic is also a good
>> idea, as it prevents some hijacked BGP allocation stuff.
>>
>>>
>>> I personally do not have much use for this, but again, why should this not
>>> become part of IPFire?
>>>
>> @Michael: Why do you have no use for this? Speaking about the mentioned
>> Emerging FW list, enabling it as a default sounds reasonable to me. Networks
>> listed there usually are so bad that one does not even want to route or peer
>> with them (DROP = Don't route or peer). :-)
>
> Well, that one maybe :) I forgot that we could use this on the IPFire
> Infrastructure…
Spamhaus SBL also covers networks listed in DROP (return code: 127.0.0.9),
so we already have it in use there. Further, our mail server rejects messages
relayed through such an IP at some point. Needless to say, direct delivery
attempts from an IP listed anywhere at Spamhaus are rejected.
See /etc/rspamd/local.d/force_actions.conf and https://www.spamhaus.org/faq/section/DROP%20FAQ#435
for details.
>
> I am not sure if this should be enabled by default. We deliberately do not
> ship the firewall in the most secure way possible. Then, we would not
> allow any traffic to pass whatsoever, but it makes the setup rather difficult
> and you might be running into unexpected issues.
>
> But we should strongly recommend enabling this.
Okay.
>
>> Could we enable the bogon list as a default for dial-up interfaces in
>> IPFire 3.x ?
>
> Not only dial-up, but this probably would not be a dynamic list, but
> rather a substantial part of the firewall.
ACK.
Thanks, and best regards,
Peter Müller
--
Microsoft DNS service terminates abnormally when it receives a response
to a DNS query that was never made. Fix Information: Run your DNS
service on a different platform.
-- bugtraq
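The DNSBL mechanism Peter refers to above (an SBL answer of 127.0.0.9 meaning the sending address sits in a DROP/EDROP network) as an added, stand-alone example; this is not IPFire, rspamd or Spamhaus code. It builds the reversed-address query name for zen.spamhaus.org, decodes the answer records, and rejects answers outside 127.0.0.0/8 as a broken resolver. The return-code table is an assumption taken from Spamhaus' documentation (only the 127.0.0.9 entry is stated in the message) and the resolver used for the demonstration is a constructed stand-in that pretends 192.0.2.1 is listed; no real DNS data is involved.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

# Assumed return-code table for zen.spamhaus.org. Only 127.0.0.9 = SBL/DROP
# is named in the message above; the rest is taken from Spamhaus' published
# documentation and should be re-checked before relying on it.
SPAMHAUS_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL (CSS)",
    "127.0.0.4": "XBL",
    "127.0.0.5": "XBL",
    "127.0.0.6": "XBL",
    "127.0.0.7": "XBL",
    "127.0.0.9": "SBL (DROP/EDROP)",
    "127.0.0.10": "PBL",
    "127.0.0.11": "PBL",
}

# Address space that is never listed and should not be queried at all.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# A resolver maps a query name to the A records it returns; an empty list
# stands for NXDOMAIN, i.e. "not listed".
Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str = "zen.spamhaus.org") -> str:
    """Build the reversed-address query name used by DNS-based blocklists."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        # IPv6 lists use one label per hex nibble of the expanded address.
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def classify(answers: List[str]) -> List[str]:
    """Translate DNSBL answer records into list names."""
    return [SPAMHAUS_CODES.get(a, "unknown:" + a) for a in answers]


def lookup(ip: str, resolve: Resolver, zone: str = "zen.spamhaus.org") -> List[str]:
    """Return the list names an address is found on (empty if not listed)."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LOCAL_NETS):
        return []
    answers = resolve(dnsbl_query_name(ip, zone))
    # Any answer outside 127.0.0.0/8 is not a listing but a sign of a broken
    # resolver path (e.g. a DNS service that rewrites NXDOMAIN into an A record).
    for a in answers:
        if ipaddress.ip_address(a) not in ipaddress.ip_network("127.0.0.0/8"):
            raise RuntimeError(f"unexpected DNSBL answer {a} for {ip}")
    return classify(answers)


def is_drop_listed(ip: str, resolve: Resolver) -> bool:
    """True if the address falls in a DROP/EDROP network (SBL code 127.0.0.9)."""
    return any(name.startswith("SBL (DROP") for name in lookup(ip, resolve))


def system_resolver(name: str) -> List[str]:
    """Resolver backed by the system stub resolver (needs network access)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def fake_resolver(name: str) -> List[str]:
    """Constructed offline stand-in: pretends only 192.0.2.1 (TEST-NET-1) is
    listed, with the DROP return code. Not real Spamhaus data."""
    return ["127.0.0.9"] if name == "1.2.0.192.zen.spamhaus.org" else []


if __name__ == "__main__":
    for ip in ("192.0.2.1", "198.51.100.7", "10.0.0.1"):
        print(ip, lookup(ip, fake_resolver), is_drop_listed(ip, fake_resolver))
```

Swap fake_resolver for system_resolver to query the live zone; note that Spamhaus refuses queries coming through large public resolvers, which shows up as an empty answer rather than an error.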
Thread overview: 7+ messages
[not found] <1c66503b47593dd61f22167c559fe81cde60bf5c.camel@ipfire.org>
2018-12-01 20:18 ` Peter Müller
2018-12-02 11:12 ` Michael Tremer
2018-12-02 12:08 ` Peter Müller [this message]
2018-12-02 12:10 ` Michael Tremer
[not found] <c4c6137e-5f6a-8ee7-c36e-8deded18f28a@tfitzgeorge.me.uk>
2019-04-01 11:07 ` Michael Tremer
[not found] <745dc6bc-4ac4-8b43-415b-17c35d2fb219@tfitzgeorge.me.uk>
2018-12-01 19:46 ` Michael Tremer
2018-11-29 21:11 Tim FitzGeorge