From: Rob Brewer
To: development@lists.ipfire.org
Subject: Re: ipblacklist V2
Date: Tue, 01 Mar 2022 16:08:24 +0000

Hi Stefan

On Monday 28 February 2022 19:32 Stefan Schantl wrote:

> Hello Rob, Hello Tim, Hello *,
>
> as announced on this list, I'm currently working on getting the
> ipblacklist feature as a core component into IPFire.
>
> I already had a look on the code, which looks nice and very clean to
> me. As I'm currently also working on getting all ipset related set
> stuff and rule creation under one hood, this perfectly fits to this.
>

I have been in contact with Michael, who has kept me up to date with your
progress. As I have found out during a recent DOS attack, @Tim's ipblacklist is a
very powerful tool in combating unwanted internet traffic. I had been using
@Tim's original ipfblocklist addon, which had limitations when trying to use
larger blocklists, which @Tim had fixed in his later ipblacklist version.
Using @Tim's repositories I was able to recover the code and install ipblacklist
on my current firewall (core 161) and confirm that the code was fully
functional.

Looking back at the history of ipblacklist, the first version contained a dynamic
blocklist feature which was dropped in favour of the one now available (V2) but
was a patched version of the original V1 code.

My V3 version is a rework of @Tim's V2 code with the introduction of some of the
missing unchanged patches from the V1 code plus updated patches to track the
core changes from when it was last worked on about 2 years ago.

> So my idea to put the ipblacklist feature over the line, was to split
> some parts of the ipblacklist "main script" (especially the ipset and
> iptables related stuff) into the perl-based script which is responsible
> for iptables rule creation.
>

That seems to be a sensible approach.

> In this case some other parts of the script (which were necessary in
> the past, because ipblacklist initially has been designed as an addon)
> also can be stripped.
>
> Affected parts for example would be the "start", "stop", "enable" and
> "disable" code, which is no longer required and therefore safely can
> be dropped.
>

I think that is correct. There are several processes that are started and
stopped in the firewall script but need to be run in a controlled order.

> In the very end the main task for the script would be to download,
> update, convert and store the blacklists into an ipset compatible
> format.
>
> Apart from this, I currently do not see any bigger changes for the WUI
> related stuff.
>
> @Tim: I hope these changes are okay for you.
>
> Getting started, I noticed, that there currently are two git
> repositories available, which contain the source for ipblacklist.
>
> There is the origin one from Tim and a slightly modified (fixed) v3
> version from Rob. I'm currently trying to determine, which one would be
> the best to start from - are there any deeper changes/differences
> between them?
>

I have integrated my V3 patches into core 163 and have a build running on an
apu2 new install. I haven't found any problems with this install.

> Please feel free to ask any kind of questions or share your opinion. As
> usual, I'll share any progress here.
>
> Best regards,
>
> -Stefan

Rob
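The "convert and store the blacklists into an ipset compatible format" step discussed in the thread, as an added illustration that is not IPFire's, @Tim's or Rob's code: a small Python sketch that turns a plain-text blocklist feed into ipset restore input, loading into a temporary set and swapping it in so the live set is never half-populated, and sizing maxelem explicitly so large lists do not hit the default limit. The feed text, set name and maxelem value are constructed assumptions.

```python
"""Convert a plain-text IP blocklist feed into `ipset restore` input (added example)."""
import ipaddress
import re

# Constructed sample feed: mixed comments, a duplicate, a CIDR, IPv6 and garbage.
SAMPLE_BLOCKLIST = """\
# constructed feed header
192.0.2.1
198.51.100.0/24
192.0.2.1          ; duplicate entry
203.0.113.7 # trailing comment
not-an-address
2001:db8::/32
"""


def parse_blocklist(text):
    """Return sorted, de-duplicated IPv4 networks from a feed.

    Strips '#' and ';' comments, ignores blank or unparsable lines and
    skips IPv6 entries (the set below is 'family inet')."""
    nets = set()
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # garbage in the feed must not abort the whole load
        if net.version == 4:
            nets.add(net)
    return sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))


def to_ipset_restore(name, nets, maxelem=65536):
    """Build `ipset restore` text: fill NAME_tmp, then atomically swap it in."""
    tmp = f"{name}_tmp"
    lines = [
        f"create {name} hash:net family inet maxelem {maxelem} -exist",
        f"create {tmp} hash:net family inet maxelem {maxelem}",
    ]
    lines += [f"add {tmp} {net.with_prefixlen}" for net in nets]
    lines += [f"swap {tmp} {name}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_ipset_restore("BLOCKLIST", parse_blocklist(SAMPLE_BLOCKLIST)), end="")
```

The output is meant to be piped into "ipset restore"; the -exist on the first create keeps a re-run from failing when the live set already exists.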