From: Tim FitzGeorge <ipfr@tfitzgeorge.me.uk>
To: development@lists.ipfire.org
Subject: Re: [PATCH 0/5] ipblacklist: IP Address Blacklists
Date: Wed, 27 Nov 2019 21:34:32 +0000
Message-ID: <cd397aa2-1da4-7e23-9f4d-7af43cd98d5d@tfitzgeorge.me.uk>
In-Reply-To: <20e899be-8ec0-c27a-a0ae-82b92332faab@ipfire.org>
Hello Peter,
I've updated the sources file with the corrected DShield URL and added
the blocklist.de list. I've also fixed a minor bug preventing
unblocking addresses in the automatic blacklist. Since they're minor
changes I'll wait before submitting updated patches in case there's
anything else you spot.
Tim
On 25/11/2019 21:09, Peter Müller wrote:
> Hello Tim,
>
> thank you very much for providing this patchset. After having read
> through it, I consider this to be an extremely helpful addition to
> IPFire, especially when it comes to dropping bogon and unallocated
> prefixes - which can be safely enabled by default as far as I am concerned.
>
> Unfortunately, I am currently busy, so please give me a few days to
> have a closer look at all these patches. :-)
>
> Just a footnote: The DShield/ISC SANS feed is also available at
> http://feeds.dshield.org/block.txt , which seems to be the preferred
> location for fetching the file (I believe https://www.dshield.org/block.txt
> exists for compatibility reasons).
>
> blocklist.de (https://lists.blocklist.de/lists/all.txt) might be another
> interesting data feed; I will hand in patches for it as soon as yours
> are accepted.
>
> Many thanks again, and best regards,
> Peter Müller
>
>> Implements downloading of IP address blacklists and implements
>> them as IPSets. A separate IPSet is used for each blacklist; this
>> simplifies handling of overlaps between different lists. Traffic
>> to or from the red0/ppp0 interface is checked against the IPSets.
>> The check is placed before the IPS check as the IPSet check is
>> much lighter on CPU use which means that overall CPU use is
>> reduced.
>>
>> The available lists are defined in a separate file. A WUI page
>> allows the desired lists to be enabled and the interval between
>> checks for updates to be defined. A minimum update check interval
>> is defined for each blacklist in the definition file.
>>
>> Optionally, an automatically updating blacklist can be enabled.
>> This adds addresses to an IPSet if the rate of packets dropped by
>> the default red0/ppp0 input policy exceeds a user defined threshold.
>> The addresses are kept in the IPSet until a user defined period
>> without packets from the blocked address has passed.
>>
>> Tim FitzGeorge (5):
>> ipblacklist: Main script
>> ipblacklist: WUI and language file
>> ipblacklist: Ancillary files
>> ipblacklist: Modifications to system
>> ipblacklist: Build infrastructure
>>
>> config/backup/backup.pl | 1 +
>> config/backup/include | 2 +
>> config/firewall/firewall-policy | 5 +
>> config/ipblacklist/sources | 151 +++
>> config/logwatch/ipblacklist | 103 ++
>> config/logwatch/ipblacklist.conf | 34 +
>> config/menu/50-firewall.menu | 5 +
>> config/rootfiles/common/aarch64/stage2 | 1 +
>> config/rootfiles/common/configroot | 2 +
>> config/rootfiles/common/ipblacklist-sources | 1 +
>> config/rootfiles/common/logwatch | 2 +
>> config/rootfiles/common/misc-progs | 2 +
>> config/rootfiles/common/stage2 | 1 +
>> config/rootfiles/common/web-user-interface | 1 +
>> config/rootfiles/common/x86_64/stage2 | 1 +
>> html/cgi-bin/ipblacklist.cgi | 725 +++++++++++++
>> html/cgi-bin/logs.cgi/log.dat | 2 +
>> langs/en/cgi-bin/en.pl | 31 +
>> lfs/configroot | 4 +-
>> lfs/ipblacklist-sources | 53 +
>> lfs/logwatch | 2 +
>> make.sh | 11 +-
>> src/initscripts/system/firewall | 20 +
>> src/misc-progs/Makefile | 2 +-
>> src/misc-progs/getipsetstat.c | 28 +
>> src/misc-progs/ipblacklistctrl.c | 52 +
>> src/scripts/ipblacklist | 1558 +++++++++++++++++++++++++++
>> 27 files changed, 2792 insertions(+), 8 deletions(-)
>> create mode 100644 config/ipblacklist/sources
>> create mode 100644 config/logwatch/ipblacklist
>> create mode 100644 config/logwatch/ipblacklist.conf
>> create mode 100644 config/rootfiles/common/ipblacklist-sources
>> create mode 100644 html/cgi-bin/ipblacklist.cgi
>> create mode 100644 lfs/ipblacklist-sources
>> create mode 100644 src/misc-progs/getipsetstat.c
>> create mode 100644 src/misc-progs/ipblacklistctrl.c
>> create mode 100755 src/scripts/ipblacklist
>>
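The automatic blacklist described in the quoted cover letter, reduced to its decision logic as an added Python illustration (not the patchset's own script in src/scripts/ipblacklist): a source whose dropped-packet rate exceeds a threshold is added to the set, and released again once it has been quiet for the configured period. The event format (timestamp, source address), the "drops per window" reading of the threshold, the class name and the sample drops are assumptions.

```python
from collections import defaultdict, deque
import ipaddress


class AutoBlacklist:
    """Decision logic only; on the firewall the blocked set would be an IPSet
    consulted before the IPS rule, as the cover letter describes."""

    def __init__(self, threshold, window, expire):
        self.threshold = threshold  # drops within `window` seconds that trigger a block
        self.window = window        # seconds over which drops are counted
        self.expire = expire        # quiet seconds after which a block is released
        self.recent = defaultdict(deque)  # src -> timestamps of recent drops
        self.blocked = {}           # src -> timestamp of the last packet seen

    def drop(self, ts, src):
        """Record one packet dropped by the red0/ppp0 input policy.
        Returns True if `src` is (now) in the automatic blacklist."""
        ip = ipaddress.ip_address(src)  # rejects malformed log input early
        if ip in self.blocked:
            self.blocked[ip] = ts       # still active: push its release time out
            return True
        q = self.recent[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # forget drops outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[ip] = ts
            del self.recent[ip]
            return True
        return False

    def expire_idle(self, now):
        """Release addresses quiet for at least `expire` seconds; returns them."""
        released = [ip for ip, last in self.blocked.items() if now - last >= self.expire]
        for ip in released:
            del self.blocked[ip]
        return released


# Constructed sample: (seconds, source) of packets dropped by the input policy.
SAMPLE_DROPS = [
    (0, "198.51.100.7"), (1, "198.51.100.7"), (2, "198.51.100.7"),
    (3, "203.0.113.9"), (4, "198.51.100.7"), (5, "198.51.100.7"),
    (40, "198.51.100.7"),
]

if __name__ == "__main__":
    bl = AutoBlacklist(threshold=5, window=10, expire=30)
    for ts, src in SAMPLE_DROPS:
        print(ts, src, "blocked" if bl.drop(ts, src) else "counted")
    print("released at t=70:", [str(ip) for ip in bl.expire_idle(70)])
```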