Hello Michael,
Hey,
On 1 Dec 2018, at 20:18, Peter Müller <peter.mueller@link38.eu> wrote:
Hello Tim, hello Michael,
The second addon handles the setting up and updating of IP Address Blocklists in the firewall. It includes options to select which lists to use, and some control over how frequently to check for updates.
I guess Peter might be quite excited about this :)
I _am_ excited about this indeed. Especially the "Emerging FW" combined list sounds very interesting. Dropping bogon traffic is also a good idea, as it prevents some hijacked BGP allocation stuff.
I personally do not have much use for this, but again, why should this not become part of IPFire?
@Michael: Why do you have no use for this? Speaking about the mentioned Emerging FW list, enabling it as a default sounds reasonable to me. Networks listed there usually are so bad that one does not even want to route or peer to them (DROP = Don't Route Or Peer). :-)
Well, that one maybe :) I forgot that we could use this on the IPFire Infrastructure…
Spamhaus SBL also covers networks listed in DROP (return code: 127.0.0.9), so we already have it in use there. Further, our mail server rejects messages relayed through such an IP at some point. Needless to say, direct delivery attempts from an IP listed anywhere at Spamhaus are rejected.
See /etc/rspamd/local.d/force_actions.conf and https://www.spamhaus.org/faq/section/DROP%20FAQ#435 for details.
I am not sure if this should be enabled by default. We deliberately do not ship the firewall in the most secure way possible. That would mean not allowing any traffic to pass whatsoever, but it makes the setup rather difficult and you might run into unexpected issues.
But we should strongly recommend enabling this.
Okay.
Could we enable the bogon list as a default for dial-up interfaces in IPFire 3.x?
Not only for dial-up. This probably would not be a dynamic list, but rather a substantial part of the firewall.
ACK.
Thanks, and best regards, Peter Müller
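The Spamhaus policy Peter describes above (an SBL answer of 127.0.0.9 marks a network that is also in DROP; relayed mail is rejected if a hop is DROP-listed, and direct delivery from any SBL-listed IP is rejected) as an added example, not IPFire or rspamd code. It assumes the relay hops have already been extracted from the Received chain, and the resolver is injected so the example runs offline against constructed answers for documentation addresses.

```python
"""Spamhaus SBL lookup and the mail policy from the thread (added example)."""
import ipaddress
from typing import Callable, Dict, List

SBL_ZONE = "sbl.spamhaus.org"

# Answer codes Spamhaus documents for the SBL zone.
SBL_CODES = {
    "127.0.0.2": "SBL listing",
    "127.0.0.3": "SBL CSS listing",
    "127.0.0.9": "SBL DROP/EDROP listing",  # network also in the DROP list
}

Resolver = Callable[[str], List[str]]  # DNS name -> A records, [] on NXDOMAIN


def dnsbl_name(ip: str, zone: str = SBL_ZONE) -> str:
    """Build the reversed DNSBL query name for an IPv4 or IPv6 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]          # octets, reversed
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]  # nibbles, reversed
    return ".".join(labels) + "." + zone


def sbl_codes(ip: str, resolve: Resolver) -> List[str]:
    """Return the known SBL answer codes for ip (empty list if not listed)."""
    return [a for a in resolve(dnsbl_name(ip)) if a in SBL_CODES]


def mail_policy(connecting_ip: str, relay_ips: List[str], resolve: Resolver) -> str:
    """Direct delivery from any SBL-listed IP is rejected; an earlier relay
    hop only causes rejection when it is DROP/EDROP listed (127.0.0.9)."""
    if sbl_codes(connecting_ip, resolve):
        return "reject"
    for hop in relay_ips:
        if "127.0.0.9" in sbl_codes(hop, resolve):
            return "reject"
    return "accept"


# Constructed zone contents for the demo (documentation address ranges only).
FAKE_ZONE: Dict[str, List[str]] = {
    dnsbl_name("192.0.2.10"): ["127.0.0.2"],     # plain SBL listing
    dnsbl_name("198.51.100.7"): ["127.0.0.9"],   # DROP-listed network
}


def fake_resolve(name: str) -> List[str]:
    """Stand-in resolver; a real deployment would query DNS here."""
    return FAKE_ZONE.get(name, [])
```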