Hi Charles
On Sunday 10 April 2022 19:21 Charles Brown wrote:
Tim, Stefan,
I have installed the ipblocklist feature. It looks great.
I’m curious about the disable attribute in the sources file.
I have all the lists enabled, I would have thought enabling EMERGING_FWRULE would have the DSHIELD list automatically disabled. However, I am showing several hits on DSHIELD and I see 20 entries in ipset for DSHIELD. Is the disable attribute in sources there for informational purposes only?
Thanks for your excellent work on this feature, Charles Brown
I have been running Tim's original ipbl?list for about 2 months now and find I only need a few Bl?cklists enabled. I am mainly interrest in protecting port 25 and find the most effective list is BLOCKLIST_DE. CIARMY is very good at catching port scanners. I also run a locally sourced blocklist and Banish which are optimised for port 25.
I don't think it is a good idea to enable all of the lists and conflicting lists should be disabled by the original Attributes feature which you have noticed.
This was from my logs yesterday:
Blacklist Category Packets Dropped In Packets Dropped Out Count Percentage Count Percentage
BANISH Attacker 74 0% 7 100% BLOCKLIST_DE Attacker 3615 8% 0 0% CIARMY Reputation 35598 77% 0 0% EMERGING_COMPROMISED Attacker 248 1% 0 0% EMERGING_FWRULE Composite 6235 13% 0 0% LOCAL_BLOCKLIST Attacker 575 1% 0 0% SHODAN Scanner 0 0% 0 0% SPAMHAUS_EDROP Reputation 4 0% 0 0%
Rob