From: Tim FitzGeorge
To: development@lists.ipfire.org
Subject: Re: [PATCH 0/5] ipblacklist: IP Address Blacklists
Date: Sat, 28 Dec 2019 21:17:39 +0000
Message-ID:
In-Reply-To: <07C51EA6-5BBA-4BCE-A165-08F08AA33FF4@ipfire.org>

Hi,

Having decided that we'll categorise the lists, the question is what categories to use. They need to be:

- Short (to fit on the screen)
- Easily translatable
- and above all, useful.

Looking at the lists the obvious categories are:

- Invalid Address (on the public internet)
    BOGON, BOGON_FULL
- Scanner (not by itself malicious)
    SHODAN
- Application (potentially unwanted)
    TOR_ALL, TOR_EXIT
- Malware C & C
    FEODO_RECOMMENDED, FEODO_IP, FEODO_AGGRESIVE
- Composite
    EMERGING_FWRULE

Less obvious are:

- Reputation
    ALIENVAULT, CIARMY, SPAMHAUS_DROP, SPAMHAUS_EDROP
- Attacks
    BLOCKLIST_DE, DSHIELD, EMERGING_COMPROMISED

I'm not sure that the distinction between these two is going to be helpful to most people (I'm not sure I understand it myself). We could use:

- Top attackers
    DSHIELD, EMERGING_COMPROMISED, SPAMHAUS_DROP, SPAMHAUS_EDROP
- Other attackers
    ALIENVAULT, BLOCKLIST_DE, CIARMY

but that might be making a distinction that is better made by the user.

Any opinions?

Tim

On 18/12/2019 12:10, Michael Tremer wrote:
> Hi,
>
>> On 16 Dec 2019, at 23:05, Tom Rymes wrote:
>>
>> On 12/16/2019 5:20 PM, Michael Tremer wrote:
>>> Hi,
>>>
>>>> On 16 Dec 2019, at 20:06, Tim FitzGeorge wrote:
>>>>
>>>> Hi,
>>>>
>>>> I've attached the current GUI screenshot.
>>>
>>> Thanks for that.
>>>
>>> I have a couple of suggestions/concerns about it:
>>
>> [snip]
>>
>>> c) I would suggest to remove the “safe” column because that is a very hard summary of what the lists do. We should explain that on the wiki. I guess this is too complicated to explain to our users in one sentence and it needs at least a page of text. People who do not read that have just lost out.
>>
>> [snip]
>>
>> May I opine that the "Safe" information would be helpful to me in the WUI. Perhaps we can be more explicit, or better explain, such as is often done with RBLs in mail server settings, where lists are sometimes described in terms of their likelihood to cause false-positives.
>>
>> It's all well and good in the documentation, but a quick "Safe|Moderate|Risky" listing in the WUI will prove handy, IMHO.
>>
>> Just my $0.02 as more of a user than a developer,
>
> I appreciate your input, but what I still disagree with is that we take the decision if something is “risky” or not. There are too many things that need to be taken into account to make that decision and it probably varies for each user.
>
> What I take from your comment though is that we should categorise the lists, and that is something we can do.
>
> We can add a headline to the table and group the lists by “Blocking ambiguous packets”, “Blocking Malware”, etc.
>
> That makes it easier for the user to decide which lists are interesting or even necessary depending on what they want to achieve.
>
> How is that?
>
> -Michael
>
>>
>> Tom
>