Re: ipblacklist V2

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 3459 bytes --]

Hello,

> On 13 Feb 2022, at 12:44, Rob Brewer <ipfire-devel(a)grantura.co.uk> wrote:
> 
> Hi Tim, Good to see your posing here.
> 
> On Saturday 12 February 2022 21:29 Tim FitzGeorge wrote:
> 
>> This sounds as if it does the same sort of thing as something I had in my first patchset.  I added an extra rule to the input policy chain that added the address to an ipset if the number of dropped packets exceeded a 
> threshold.  This runs completely within iptables/ipset.
>> 
>> iptables( "-I ${autoblacklist}_BLOCK -m set --match-set $autoblacklist src -j SET --add-set $autoblacklist src --exist" );
>> iptables( "-I ${autoblacklist}_BLOCK -m set --match-set $autoblacklist dst -j SET --add-set $autoblacklist dst --exist" );
>> iptables( "-I POLICYIN 1 -i $red_iface -m hashlimit --hashlimit-mode srcip --hashlimit-above $settings{BLOCK_THRESHOLD}/hour --hashlimit-name $autoblacklist -j SET --add-set $autoblacklist src" );
>> 
> 
> Aotoblacklist looks like a useful addition. Why did you drop t?

I asked for that. I believed that it would causing more trouble than it helps.

The default policy of the firewall is dropping traffic anyways. Adding an extra rule does not change behaviour of the firewall and I wasn’t sure if it would add some false sense of extra security.

Since the firewall has no idea who is hammering some web application trying out passwords I did not see the value if that makes sense.

It would be great to have some more insight into who the big offenders are, but I don’t believe that this is the right place.

> 
> 
>>>>> 
>>>> There are a couple of points we need to consider:
>>>> 
>>>> 1) IPBlacklist does not work very well if Tim's  ipfblocklist add-on is also 
>>>> installed. My view is that the add-on should be removed before IPBlacklist 
>>>> can be applied. Can the add-on be automatically removed on installaion and 
>>>> should we transfer the settings info from ipfbocklist to ipblacklist?
>>> 
>>> Yes, in theory we could remove any old files in the updater and install our own ones.
>>> 
> 
> There are a couple of errors on your uninstall-blocklist.sh script which leaves
> some files behind when it is run. I can send you a patch for this if it is of help.

Since this is going into the main distribution we won’t need this script any more, but you can make it work for testing if you like.

>>>> 2) I added a init script to my firewall which doesn't seem to be present on 
>>>> Tim's patches. I'm not sure if this is needed as it will be started by fcron 
>>>> or changes made in the WUI but won't be instantly available on re-boot. Do 
>>>> you have any thoughts on this?
>>> 
>> 
>> I don't think this is needed - the change to the firewall init script should call the ipblacklist script at the correct time.
> 
> I hadn't noticed the last few lines in your firewall init script which my init
> script duplicates. So I agree my addition isn't needed.
> 
> I have started producing the v3 patches requested by the devs, but apart from the couple 
> of changes needed to  ipblacklists.dat I think they will be almost identical to your
> v2 patches.

It isn’t bad when things are identical. Good code is good code and doesn’t need to be changed just for the sake of it.

Your Git repository is still empty, do you know how to push anything into it? I am mostly curious if I set it up okay that it will work :)

-Michael

> Rob