Hi Tim, good to see you posting here.
On Saturday 12 February 2022 21:29 Tim FitzGeorge wrote:
This sounds as if it does the same sort of thing as something I had in my first patchset. I added an extra rule to the input policy chain that added the address to an ipset if the number of dropped packets exceeded a threshold. This runs completely within iptables/ipset.
iptables( "-I ${autoblacklist}_BLOCK -m set --match-set $autoblacklist src -j SET --add-set $autoblacklist src --exist" );
iptables( "-I ${autoblacklist}_BLOCK -m set --match-set $autoblacklist dst -j SET --add-set $autoblacklist dst --exist" );
iptables( "-I POLICYIN 1 -i $red_iface -m hashlimit --hashlimit-mode srcip --hashlimit-above $settings{BLOCK_THRESHOLD}/hour --hashlimit-name $autoblacklist -j SET --add-set $autoblacklist src" );
Autoblacklist looks like a useful addition. Why did you drop it?
There are a couple of points we need to consider:
- IPBlacklist does not work very well if Tim's ipfblocklist add-on is also installed. My view is that the add-on should be removed before IPBlacklist can be applied. Can the add-on be automatically removed on installation, and should we transfer the settings info from ipfblocklist to ipblacklist?
Yes, in theory we could remove any old files in the updater and install our own ones.
There are a couple of errors in your uninstall-blocklist.sh script, which leave some files behind when it is run. I can send you a patch for this if it is of help.
- I added an init script to my firewall which doesn't seem to be present in Tim's patches. I'm not sure if this is needed, as it will be started by fcron or by changes made in the WUI but won't be instantly available on reboot. Do you have any thoughts on this?
I don't think this is needed - the change to the firewall init script should call the ipblacklist script at the correct time.
I hadn't noticed the last few lines in your firewall init script which my init script duplicates. So I agree my addition isn't needed.
I have started producing the v3 patches requested by the devs, but apart from the couple of changes needed to ipblacklists.dat I think they will be almost identical to your v2 patches.
Rob
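The auto-blacklist mechanism Tim describes above, written out as plain iptables/ipset commands so it can be read outside IPFire's Perl iptables() wrapper. This is an added example, not code from the thread or from IPFire. The set name autoblacklist, the interface red0, the 100/hour threshold, the 3600 s entry timeout and the final DROP in the _BLOCK chain are all assumptions; only the chain name POLICYIN, the hashlimit rule and the two timeout-refresh rules come from Tim's snippet. The refresh rules are appended with -A so they run before the assumed DROP, and a render step prints the rules for review before anything is applied.

```shell
#!/bin/sh
# Added example, not code from the thread or from IPFire. Renders (and
# optionally applies) the auto-blacklist rules described in the thread.
# Assumed: set name, red interface name, threshold/timeout defaults and
# the final DROP in the _BLOCK chain (the thread shows only the refresh
# rules). POLICYIN and the hashlimit rule are from Tim's snippet.

SETNAME="${SETNAME:-autoblacklist}"         # assumed ipset name
RED_IFACE="${RED_IFACE:-red0}"              # assumed WAN interface
BLOCK_THRESHOLD="${BLOCK_THRESHOLD:-100}"   # packets/hour per source (assumed default)
BLOCK_TIMEOUT="${BLOCK_TIMEOUT:-3600}"      # seconds an entry stays in the set (assumed)

# Reject a threshold that is not a positive integer: 0 would blacklist
# every source on its first packet, and garbage would break the rule.
validate_threshold() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 0 ]
}

# Print the commands without running them, so they can be reviewed or
# diffed against the live ruleset. The ipset gets a timeout so entries
# expire; SET --exist refreshes that timeout while the host keeps sending.
render_autoblacklist_rules() {
    validate_threshold "$BLOCK_THRESHOLD" || return 1
    cat <<EOF
ipset -exist create $SETNAME hash:ip timeout $BLOCK_TIMEOUT
iptables -N ${SETNAME}_BLOCK
iptables -A ${SETNAME}_BLOCK -m set --match-set $SETNAME src -j SET --add-set $SETNAME src --exist
iptables -A ${SETNAME}_BLOCK -m set --match-set $SETNAME dst -j SET --add-set $SETNAME dst --exist
iptables -A ${SETNAME}_BLOCK -j DROP
iptables -I POLICYIN 1 -i $RED_IFACE -m hashlimit --hashlimit-mode srcip --hashlimit-above $BLOCK_THRESHOLD/hour --hashlimit-name $SETNAME -j SET --add-set $SETNAME src
EOF
}

# Apply the rendered commands idempotently: chain creation may already
# have happened, and rules that iptables -C finds present are skipped so
# repeated runs (fcron, WUI changes, reboot) do not stack duplicates.
apply_autoblacklist_rules() {
    render_autoblacklist_rules | while IFS= read -r cmd; do
        case "$cmd" in
            "iptables -N "*)
                eval "$cmd" 2>/dev/null || true
                continue ;;
            "iptables -A "*|"iptables -I "*)
                check=$(printf '%s' "$cmd" | sed \
                    -e 's/^iptables -A /iptables -C /' \
                    -e 's/^iptables -I \([A-Za-z_]*\) [0-9]* /iptables -C \1 /')
                if eval "$check" 2>/dev/null; then continue; fi ;;
        esac
        eval "$cmd"
    done
}

# Default action is to render; pass "apply" (as root) to install the rules.
if [ "${1:-}" = "apply" ]; then
    apply_autoblacklist_rules
else
    render_autoblacklist_rules
fi
```

Run it with no arguments to see the six commands it would issue; `apply` installs them and can be re-run safely because existing rules are detected with `iptables -C` before insertion.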