Hi Charles

On Sunday 10 April 2022 19:21 Charles Brown wrote:
> Tim, Stefan,
>
> I have installed the ipblocklist feature. It looks great.
>
> I’m curious about the disable attribute in the sources file.
>
> I have all the lists enabled, I would have thought enabling
> EMERGING_FWRULE would have the DSHIELD list automatically disabled.
> However, I am showing several hits on DSHIELD and I see 20 entries in
> ipset for DSHIELD. Is the disable attribute in sources there for
> informational purposes only?
>
> Thanks for your excellent work on this feature,
> Charles Brown

I have been running Tim's original ipbl?list for about 2 months now and find I only need a few Bl?cklists enabled. I am mainly interested in protecting port 25 and find the most effective list is BLOCKLIST_DE. CIARMY is very good at catching port scanners. I also run a locally sourced blocklist and Banish which are optimised for port 25.

I don't think it is a good idea to enable all of the lists and conflicting lists should be disabled by the original Attributes feature which you have noticed.

This was from my logs yesterday:

Blacklist             Category     Packets Dropped In     Packets Dropped Out
                                   Count    Percentage    Count    Percentage
BANISH                Attacker        74        0%            7       100%
BLOCKLIST_DE          Attacker      3615        8%            0         0%
CIARMY                Reputation   35598       77%            0         0%
EMERGING_COMPROMISED  Attacker       248        1%            0         0%
EMERGING_FWRULE       Composite     6235       13%            0         0%
LOCAL_BLOCKLIST       Attacker       575        1%            0         0%
SHODAN                Scanner          0        0%            0         0%
SPAMHAUS_EDROP        Reputation       4        0%            0         0%

Rob