public inbox for development@lists.ipfire.org
From: Rob Brewer <ipfire-devel@grantura.co.uk>
To: development@lists.ipfire.org
Subject: Re: ipblacklist V2
Date: Tue, 01 Mar 2022 16:08:24 +0000
Message-ID: <svlgdp$3q5$1@tuscan3.grantura.co.uk>
In-Reply-To: <ef8ac1dcde46b22207dde653d6717a95d2a737e7.camel@ipfire.org>

Hi Stefan

On Monday 28 February 2022 19:32 Stefan Schantl wrote:

> Hello Rob, Hello Tim, Hello *,
> 
> as announced on this list, I'm currently working on getting the
> ipblacklist feature as a core component into IPFire.
> 
> I already had a look at the code, which looks nice and very clean to
> me. As I'm currently also working on getting all ipset related set
> stuff and rule creation under one hood, this perfectly fits to this.
> 
I have been in contact with Michael and he has kept me up to date with your
progress. As I have found out during a recent DOS attack, @Tim's ipblacklist is
a very powerful tool in combating unwanted internet traffic. I had been using
@Tim's original ipfblocklist addon, which had limitations when trying to use
larger blocklists, which @Tim had fixed in his later ipblacklist version.

Using @Tim's repositories I was able to recover the code and install ipblacklist
on my current firewall (core 161) and confirm that the code was fully 
functional.

Looking back at the history of ipblacklist, the first version contained a dynamic
blocklist feature which was dropped in favour of the one now available (V2) but
was a patched version of the original V1 code.

My V3 version is a rework of @Tim's V2 code with the introduction of some of the 
missing unchanged patches from the V1 code plus updated patches to track the 
core changes from when it was last worked on about 2 years ago.

> So my idea to put the ipblacklist feature over the line, was to split
> some parts of the ipblacklist "main script" (especially the ipset and
> iptables related stuff) into the perl-based script which is responsible
> for iptables rule creation.
> 
That seems to be a sensible approach.

> In this case some other parts of the script (which were necessary in
> the past, because ipblacklist initially has been designed as an addon)
> also can be stripped.
> 
> Affected parts for example would be the "start", "stop", "enable" and
> "disable" code, which is no longer required and therefore safely can
> be dropped.
> 

I think that is correct. There are several processes that are started and
stopped in the firewall script but need to be run in a controlled order.


> In the very end the main task for the script would be to download,
> update, convert and store the blacklists into an ipset compatible
> format.
> 
> Apart from this, I currently do not see any bigger changes for the WUI
> related stuff.
> 
> @Tim: I hope these changes are okay for you.
> 

> Getting started, I noticed, that there currently are two git
> repositories available, which contain the source for ipblacklist.
> 
> There is the origin one from Tim and a slightly modified (fixed) v3
> version from Rob. I'm currently trying to determine, which one would be
> the best to start from - are there any deeper changes/differences
> between them?
> 
I have integrated my V3 patches into core 163 and have a build running on an 
apu2 new install. I haven't found any problems with this install.


> Please feel free to ask any kind of questions or share your opinion. As
> usual, I'll share any progress here.
> 
> Best regards,
> 
> -Stefan


Rob

