From: Rob Brewer
To: development@lists.ipfire.org
Subject: Re: ipblacklist V2
Date: Sun, 13 Feb 2022 12:44:26 +0000
Message-ID:
In-Reply-To: <0c157f39-28d4-9fa0-e146-c8d1f8e466ea@tfitzgeorge.me.uk>

Hi Tim,

Good to see you posting here.

On Saturday 12 February 2022 21:29 Tim FitzGeorge wrote:

> This sounds as if it does the same sort of thing as something I had in my first patchset. I added an extra rule to the input policy chain that added the address to an ipset if the number of dropped packets exceeded a threshold. This runs completely within iptables/ipset.
>
> iptables( "-I ${autoblacklist}_BLOCK -m set --match-set $autoblacklist src -j SET --add-set $autoblacklist src --exist" );
> iptables( "-I ${autoblacklist}_BLOCK -m set --match-set $autoblacklist dst -j SET --add-set $autoblacklist dst --exist" );
> iptables( "-I POLICYIN 1 -i $red_iface -m hashlimit --hashlimit-mode srcip --hashlimit-above $settings{BLOCK_THRESHOLD}/hour --hashlimit-name $autoblacklist -j SET --add-set $autoblacklist src" );
>

Autoblacklist looks like a useful addition. Why did you drop it?

>>>>
>>> There are a couple of points we need to consider:
>>>
>>> 1) IPBlacklist does not work very well if Tim's ipfblocklist add-on is also installed. My view is that the add-on should be removed before IPBlacklist can be applied. Can the add-on be automatically removed on installation and should we transfer the settings info from ipfblocklist to ipblacklist?
>>
>> Yes, in theory we could remove any old files in the updater and install our own ones.
>>

There are a couple of errors in your uninstall-blocklist.sh script which leave some files behind when it is run. I can send you a patch for this if it is of help.

>>> 2) I added an init script to my firewall which doesn't seem to be present in Tim's patches. I'm not sure if this is needed as it will be started by fcron or changes made in the WUI but won't be instantly available on re-boot. Do you have any thoughts on this?
>>
>
> I don't think this is needed - the change to the firewall init script should call the ipblacklist script at the correct time.

I hadn't noticed the last few lines in your firewall init script which my init script duplicates. So I agree my addition isn't needed.

I have started producing the v3 patches requested by the devs, but apart from the couple of changes needed to ipblacklists.dat I think they will be almost identical to your v2 patches.

Rob
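The hashlimit-based autoblacklist that Tim's quoted rules implement, written out as plain ipset/iptables commands so the mechanism can be read end to end. This is an added example, not code from either patchset or from IPFire; the set name, the ${SET}_BLOCK chain, the POLICYIN chain, the INPUT/FORWARD hooks into the block chain, the red interface name, the threshold and the entry timeout are all assumptions chosen to match the quoted rules. By default it only prints the commands; set DRY_RUN=0 and run as root to apply them.

```shell
#!/bin/sh
# Added example: build the autoblacklist ipset/iptables rule set.
# Chain names (POLICYIN, ${SET}_BLOCK), the INPUT/FORWARD hooks and the
# default values below are assumptions, not IPFire's actual layout.

DRY_RUN="${DRY_RUN:-1}"   # 1 = print each command instead of executing it

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# autoblacklist_rules SET_NAME RED_IFACE THRESHOLD_PER_HOUR TIMEOUT_SECONDS
autoblacklist_rules() {
    set_name="$1"; red_iface="$2"; threshold="$3"; timeout="$4"

    # Set with a per-entry timeout, so an address that stops misbehaving
    # ages out on its own instead of being blocked forever.
    run ipset create "$set_name" hash:ip timeout "$timeout" -exist

    # Block chain: traffic sent here is dropped.
    run iptables -N "${set_name}_BLOCK"
    run iptables -A "${set_name}_BLOCK" -j DROP

    # Refresh the timeout of an entry each time it is matched again (--exist
    # re-adds an existing entry instead of failing), mirroring the quoted rules.
    run iptables -I "${set_name}_BLOCK" -m set --match-set "$set_name" src \
        -j SET --add-set "$set_name" src --exist
    run iptables -I "${set_name}_BLOCK" -m set --match-set "$set_name" dst \
        -j SET --add-set "$set_name" dst --exist

    # Hooks into the block chain (assumed placement): inbound from a listed
    # source, forwarded traffic to a listed destination.
    run iptables -I INPUT 1 -m set --match-set "$set_name" src -j "${set_name}_BLOCK"
    run iptables -I FORWARD 1 -m set --match-set "$set_name" dst -j "${set_name}_BLOCK"

    # Packets from the red interface that reach the input policy chain (i.e.
    # were not accepted by any earlier rule) are counted per source address;
    # once a source exceeds THRESHOLD per hour it is added to the set.
    run iptables -I POLICYIN 1 -i "$red_iface" -m hashlimit --hashlimit-mode srcip \
        --hashlimit-above "${threshold}/hour" --hashlimit-name "$set_name" \
        -j SET --add-set "$set_name" src
}

# Usage: ./autoblacklist.sh apply            (prints the commands)
#        DRY_RUN=0 ./autoblacklist.sh apply  (applies them; needs root)
if [ "${1:-}" = "apply" ]; then
    autoblacklist_rules "${SET_NAME:-autoblacklist}" "${RED_IFACE:-red0}" \
        "${THRESHOLD:-100}" "${TIMEOUT:-3600}"
fi
```

Two things worth checking after applying: `ipset list autoblacklist` shows which addresses are currently blocked and how long each entry has left, and `iptables -L POLICYIN -v -n` lets you confirm the hashlimit rule sits first in the chain, since a rule inserted elsewhere (for example by a later firewall reload) would count only the packets that reach it.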