I've written a couple of addons for my installations of IPFire. They're available on github and some other people have tried them; they seem to be fairly well received and it's been suggested that it may be worth making them available through pakfire as official addons.
The first addon provides the ability to send status emails. You can define multiple schedules and the items to be included in each email. By choosing parameters carefully it's possible to get it to send emails on some error conditions. The emails can be encrypted with GPG. The architecture makes it easy to add further items to be reported on.
The second addon handles the setting up and updating of IP Address Blocklists in the firewall. It includes options to select which lists to use, and some control over how frequently to check for updates.
Both include WUI pages for configuration and language files. They're fully functional, but would require some checking and minor updates. The source can be seen at https://github.com/timfprogs .
I'm aware that other people have made addons for both these purposes, which maybe suggests that it's functionality that is worth adding.
Hey Tim,
thanks for your email!
Those addons look great. Quite neat and tidy code and probably they are scratching an itch for some people.
On Thu, 2018-11-29 at 21:11 +0000, Tim FitzGeorge wrote:
> I've written a couple of addons for my installations of IPFire. They're available on github and some other people have tried them; they seem to be fairly well received and it's been suggested that it may be worth making them available through pakfire as official addons.
Where did you publish them before?
> The first addon provides the ability to send status emails. You can define multiple schedules and the items to be included in each email. By choosing parameters carefully it's possible to get it to send emails on some error conditions. The emails can be encrypted with GPG. The architecture makes it easy to add further items to be reported on.
Could you send an example email what it looks like? I do not see any reason why this should not be part of the distribution and would like to ask you to submit this as a patch that can be merged into mainline.
Maybe we can extend this over time and have it send more information if there are any requests.
Would you be up for maintaining this long-term?
Did you develop this for yourself or for work or has this been sponsored by someone else?
> The second addon handles the setting up and updating of IP Address Blocklists in the firewall. It includes options to select which lists to use, and some control over how frequently to check for updates.
I guess Peter might be quite excited about this :)
I personally do not have much use for this, but again, why should this not become part of IPFire?
I did not install any of these yet, so could you maybe excuse lazy me and send screenshots? :)
> Both include WUI pages for configuration and language files. They're fully functional, but would require some checking and minor updates. The source can be seen at https://github.com/timfprogs .
I have seen a third one which updates Snort rules. I am sure that you have heard about us changing to suricata soon (test images are available). However, the rules are roughly the same and the same update tools can be used. So, again, would you be interested to have this in the distribution and maintain it?
> I'm aware that other people have made addons for both these purposes, which maybe suggests that it's functionality that is worth adding.
Best, -Michael
P.S. Did you get any help building these or do you speak four languages?
Hello Tim, hello Michael,
> > The second addon handles the setting up and updating of IP Address Blocklists in the firewall. It includes options to select which lists to use, and some control over how frequently to check for updates.
> I guess Peter might be quite excited about this :)
I _am_ excited about this indeed. Especially the "Emerging FW" combined list sounds very interesting. Dropping bogon traffic is also a good idea, as it prevents some hijacked BGP allocation stuff.
> I personally do not have much use for this, but again, why should this not become part of IPFire?
@Michael: Why do you have no use for this? Speaking about the mentioned Emerging FW list, enabling it as a default sounds reasonable to me. Networks listed there usually are so bad one even does not want to route or peer to it (DROP = Don't route or peer). :-)
Could we enable the bogon list as a default for dial-up interfaces in IPFire 3.x ?
Thanks, and best regards, Peter Müller
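Added example, not part of the thread and not code from the addon under discussion: one way a blocklist updater can turn a DROP-style list into `ipset restore` input, rejecting malformed lines, refusing entries that overlap the firewall's own networks, and swapping the new set in atomically. The set name, the protected range and the sample entries are constructed assumptions.

```python
import ipaddress

# Constructed sample in the "CIDR ; reference" layout of a DROP-style list.
SAMPLE = """\
; constructed sample, documentation ranges only
192.0.2.0/24 ; SBL000001
192.0.2.128/25 ; SBL000002
198.51.100.0/25 ; SBL000003
198.51.100.128/25 ; SBL000004
10.0.0.0/8 ; SBL000005
not-a-network ; SBL000006
"""

def parse_blocklist(text):
    """Return (networks, rejected_lines) parsed from a DROP-style list."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].strip()  # strip comment / reference
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=True))
        except ValueError:
            rejected.append(raw)  # report instead of loading garbage
    return nets, rejected

def build_ipset_restore(set_name, nets, protected):
    """Return (merged_networks, text for `ipset restore`).

    Entries overlapping a protected (own) network are dropped so a bad
    list cannot cut off the firewall's local ranges. The new content is
    loaded into a temporary set and swapped in, so the live set is never
    half-filled. Set names are hypothetical.
    """
    guard = [ipaddress.ip_network(p) for p in protected]
    kept = [n for n in nets if n.version == 4
            and not any(g.version == 4 and n.overlaps(g) for g in guard)]
    merged = list(ipaddress.collapse_addresses(kept))
    tmp = set_name + "-new"
    lines = [f"create {set_name} -exist hash:net family inet",
             f"create {tmp} -exist hash:net family inet",
             f"flush {tmp}"]
    lines += [f"add {tmp} {n}" for n in merged]
    lines += [f"swap {tmp} {set_name}", f"destroy {tmp}"]
    return merged, "\n".join(lines) + "\n"

if __name__ == "__main__":
    nets, bad = parse_blocklist(SAMPLE)
    print(build_ipset_restore("blocklist", nets, ["10.1.0.0/16"])[1])
```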
Hey,
On 1 Dec 2018, at 20:18, Peter Müller <peter.mueller@link38.eu> wrote:
> Hello Tim, hello Michael,
> > > The second addon handles the setting up and updating of IP Address Blocklists in the firewall. It includes options to select which lists to use, and some control over how frequently to check for updates.
> > I guess Peter might be quite excited about this :)
> I _am_ excited about this indeed. Especially the "Emerging FW" combined list sounds very interesting. Dropping bogon traffic is also a good idea, as it prevents some hijacked BGP allocation stuff.
> > I personally do not have much use for this, but again, why should this not become part of IPFire?
> @Michael: Why do you have no use for this? Speaking about the mentioned Emerging FW list, enabling it as a default sounds reasonable to me. Networks listed there usually are so bad one even does not want to route or peer to it (DROP = Don't route or peer). :-)
Well, that one maybe :) I forgot that we could use this on the IPFire Infrastructure…
I am not sure if this should be enabled by default. We deliberately do not ship the firewall in the most secure way it is possible. Then, we would not allow any traffic to pass whatsoever, but it makes the setup rather difficult and you might be running into unexpected issues.
But we should strongly recommend enabling this.
> Could we enable the bogon list as a default for dial-up interfaces in IPFire 3.x ?
Not only dial-up, but this probably would not be a dynamic list, but rather a substantial part of the firewall.
-Michael
> Thanks, and best regards, Peter Müller -- Microsoft DNS service terminates abnormally when it receives a response to a DNS query that was never made. Fix Information: Run your DNS service on a different platform. -- bugtraq
Hello Michael,
> Well, that one maybe :) I forgot that we could use this on the IPFire Infrastructure…
Spamhaus SBL also covers networks listed in DROP (return code: 127.0.0.9), so we already have it in use there. Further, our mail server rejects messages relayed through such an IP at some point. Needless to say, direct delivery attempts from an IP listed anywhere at Spamhaus are rejected.
See /etc/rspamd/local.d/force_actions.conf and https://www.spamhaus.org/faq/section/DROP%20FAQ#435 for details.
> I am not sure if this should be enabled by default. We deliberately do not ship the firewall in the most secure way it is possible. Then, we would not allow any traffic to pass whatsoever, but it makes the setup rather difficult and you might be running into unexpected issues.
> But we should strongly recommend enabling this.
Okay.
> > Could we enable the bogon list as a default for dial-up interfaces in IPFire 3.x ?
> Not only dial-up, but this probably would not be a dynamic list, but rather a substantial part of the firewall.
ACK.
Thanks, and best regards, Peter Müller
Hey,
On 2 Dec 2018, at 12:08, Peter Müller <peter.mueller@link38.eu> wrote:
> Hello Michael,
> > Well, that one maybe :) I forgot that we could use this on the IPFire Infrastructure…
> Spamhaus SBL also covers networks listed in DROP (return code: 127.0.0.9), so we already have it in use there. Further, our mail server rejects messages relayed through such an IP at some point. Needless to say, direct delivery attempts from an IP listed anywhere at Spamhaus are rejected.
> See /etc/rspamd/local.d/force_actions.conf and https://www.spamhaus.org/faq/section/DROP%20FAQ#435 for details.
I know, but I meant for outgoing connections...
> > I am not sure if this should be enabled by default. We deliberately do not ship the firewall in the most secure way it is possible. Then, we would not allow any traffic to pass whatsoever, but it makes the setup rather difficult and you might be running into unexpected issues.
> > But we should strongly recommend enabling this.
> Okay.
> > > Could we enable the bogon list as a default for dial-up interfaces in IPFire 3.x ?
> > Not only dial-up, but this probably would not be a dynamic list, but rather a substantial part of the firewall.
> ACK.
> Thanks, and best regards, Peter Müller -- Microsoft DNS service terminates abnormally when it receives a response to a DNS query that was never made. Fix Information: Run your DNS service on a different platform. -- bugtraq