Re: [PATCH 0/5] ipblacklist: IP Address Blacklists

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3849 bytes --]

Hello Tim,

> On 28 Dec 2019, at 21:17, Tim FitzGeorge <ipfr(a)tfitzgeorge.me.uk> wrote:
> 
> Hi,
> 
> Having decided that we'll categorise the lists, the question is what
> categories to use.  They need to be:
> 
> - Short (to fit on the screen)
> - Easily translatable
> - and above all, useful.
> 
> Looking at the lists the obvious categories are:
> 
> - Invalid Address (on the public internet)
> 	BOGON, BOGON_FULL
> 
> - Scanner (not by itself malicious)
> 	SHODAN
> 
> - Application (potentially unwanted)
> 	TOR_ALL, TOR_EXIT
> 
> - Malware C & C
> 	FEODO_RECOMMENDED, FEODO_IP, FEODO_AGGRESIVE
> 
> - Composite
> 	EMERGING_FWRULE

I like all these a lot.

> Less obvious are:
> 
> - Reputation
> 	ALIENVAULT, CIARMY, SPAMHAUS_DROP, SPAMHAUS_EDROP
> 
> - Attacks
> 	BLOCKLIST_DE, DSHIELD, EMERGING_COMPROMISED

I even like those two, although I would potentially consider merging “Invalid Address” and Reputation. They are kind of the same to me. IP addresses I under no circumstances I want to talk to.

I also like the Attacks category, although the name is very generic. But I cannot come up with anything better. The only thing that might be worth considering is to merge it with Malware and just call it “Malicious”.

> I'm not sure that the distinction between these two is going to be
> helpful to most people (I'm not sure I understand it myself).
> 
> We could use:
> 
> - Top attackers
> 	DSHIELD, EMERGING_COMPROMISED, SPAMHAUS_DROP, SPAMHAUS_EDROP
> 
> - Other attackers
> 	ALIENVAULT, BLOCKLIST_DE, CIARMY
> 
> but that might be making a distinction that is better made by the user.

Agreed. It is not obvious why some are top attackers and others are not.

So I would 100% prefer the first option from above.

Best,
-Michael

> 
> Any opinions?
> 
> Tim
> 
> 
> On 18/12/2019 12:10, Michael Tremer wrote:
>> Hi,
>> 
>>> On 16 Dec 2019, at 23:05, Tom Rymes <trymes(a)rymes.com> wrote:
>>> 
>>> On 12/16/2019 5:20 PM, Michael Tremer wrote:> Hi,
>>>> 
>>>>> On 16 Dec 2019, at 20:06, Tim FitzGeorge <lists(a)tfitzgeorge.me.uk> wrote:
>>>>> 
>>>>> Hi,
>>>>> 
>>>>> I've attached the current GUI screenshot.
>>>> 
>>>> Thanks for that.
>>>> 
>>>> I have a couple of suggestions/concerns about it:
>>> 
>>> [snip]
>>> 
>>>> c) I would suggest to remove the “safe” column because that is a very hard summary of what the lists do. We should explain that on the wiki. I guess this is too complicated to explain to our users in one sentence and it needs at least a page of text. People who do not read that have you just lost out.
>>> 
>>> [snip]
>>> 
>>> May I opine that the "Safe" information would be helpful to me in the WUI. Perhaps we can be more explicit, or better explain, such as is often done with RBLs in mail server settings, where lists are sometimes described in terms of their likelihood to cause false-positives.
>>> 
>>> It's all well and good in the documentation, but a quick "Safe|Moderate|Risky" listing in the WUI will prove handy, IMHO.
>>> 
>>> Just my $0.02 as more of a user than a developer,
>> 
>> I appreciate your input, but I still disagree with is that we take the decision if something is “risky” or not. There are too many things that need to be taken into account to make that decision and it probably varies for each user.
>> 
>> What I take from your comment though is that we should categorise the lists, and that is something we can do.
>> 
>> We can add a headline to the table and group the lists by “Blocking ambiguous packets”, “Blocking Malware”, etc.
>> 
>> That makes it easier for the user to decide which lists are interesting or even necessary depending on what they want to achieve.
>> 
>> How is that?
>> 
>> -Michael
>> 
>>> 
>>> Tom
>> 
>