[Solved] timfprogs/ipfblocklist -- Safe, Pkts, Bytes

General questions.
cbrown
Posts: 41
Joined: December 29th, 2017, 11:54 pm
Location: Texas

[Solved] timfprogs/ipfblocklist -- Safe, Pkts, Bytes

Post by cbrown » May 23rd, 2019, 7:37 pm

TimF,
My simple cave-man brain is having trouble making sense out of the columns for Safe, Pkts, Bytes.
Could you point me to something that explains what the corresponding values mean?
Safe -- Safe to block?
Pkts -- Packets blocked?
Bytes -- Bytes blocked?
CIARMY seems to have the highest volume of blocks in FW Log but currently is showing nothing in Pkts/Bytes on the attached screen snap.
Other times, I have seen the Bytes for CIARMY on this screen with values of 200K+
Attachments
Screenshot_2019-05-23 ipfire pookie home - IP Blocklists.png
Last edited by cbrown on May 27th, 2019, 11:38 am, edited 3 times in total.

cbrown
Posts: 41
Joined: December 29th, 2017, 11:54 pm
Location: Texas

Re: timfprogs/ipfblocklist -- Safe, Pkts, Bytes

Post by cbrown » May 24th, 2019, 8:14 am

Okay, after a reboot I see counts increasing for pkts and bytes for CIARMY, along with DROP_CIARMY entries in the Firewall log. I was confused by the blanks showing earlier (blanks, not even zeroes) for CIARMY in the image above.
I'm still unclear on the meaning of Safe.

I suppose this topic would have been better entered under Addons rather than here under IPFire in General.

TimF
Posts: 83
Joined: June 10th, 2017, 7:27 pm

Re: timfprogs/ipfblocklist -- Safe, Pkts, Bytes

Post by TimF » May 24th, 2019, 3:18 pm

Pkts and Bytes are the number of Packets and Bytes dropped due to the blacklist. The higher the number, the more the blacklist is protecting you. Note that for the BOGON and TOR lists it's quite normal not to see any dropped packets - seeing dropped packets here may be an indication that you've got malware somewhere in your network.

Safe indicates whether the list can block legitimate traffic or not - a Safe list should only include addresses that aren't valid (BOGON) or are only used for malware. A list that isn't safe may block legitimate traffic. So, for example, if ipfire.org somehow started disseminating malware the address wouldn't appear on a safe list, but could appear on a non-safe list. Obviously, enabling non-safe lists gives you better protection, but it does run the risk of blocking sites you actually want to visit.

I notice you've got both BOGON and FULL BOGON enabled; you only need FULL BOGON since it includes the BOGON list. The same is true of the TOR ALL list which includes TOR. I think the two BAD IP lists will also be included in other lists, including FULL BOGON.


For the problem that you were having with the CIARMY list showing blanks for the Pkts and Bytes - this happens when the IPTables chains for that list haven't been created for some reason. Rebooting is the simplest way of fixing the problem. If you look under "Firewall/iptables" you should be able to see an entry in the INPUT table for each blacklist, which targets a BLOCK chain. In addition there's an IPSet for each blacklist, which is where the addresses are stored. From the command line you can use ipset list -t name for a summary of the list - omitting name gives the information for all blacklists. ipset list name lists the addresses in the blacklist - be warned that some of the lists are big (the ALIENVAULT list contains around 64000 entries).

You could also have fixed the problem by flushing and deleting the name_BLOCK chain followed by the name chain, removing the name chain entry from the INPUT chain and then deleting the name ipset. The list would then be recreated at the next update. This is non-trivial (I've done it during testing), so you'll need to read the documentation carefully if you want to try it. You may also be able to fix the problem by disabling the blacklist from the GUI, waiting for an update (which will delete the list) and then re-enabling it again (which will re-create it).
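The "blanks in Pkts/Bytes" state TimF describes above means one of the pieces for a list is missing: the INPUT rule, the name or name_BLOCK chain, or the ipset. The following POSIX sh script is an added example, not code from the timfprogs/ipfblocklist project; it checks each list for those pieces so the problem can be spotted from cron or a monitoring job instead of from the GUI. The chain layout (INPUT jumps to name, name jumps to name_BLOCK) and the exact rule form are assumptions, and the sample iptables and ipset output is constructed, not captured from a real IPFire box.

```shell
#!/bin/sh
# Added example (not part of timfprogs/ipfblocklist). Verifies that every
# enabled blocklist has the parts TimF lists: an INPUT rule jumping to the
# list's chain, the name and name_BLOCK chains, and an ipset of addresses.
# Assumed layout: INPUT -> name -> name_BLOCK -> DROP.

# Print "ok" or "missing: <parts>" for one blocklist.
# $1 = list name, $2 = output of `iptables -S`, $3 = output of `ipset list -t`
check_list() {
    name=$1; rules=$2; sets=$3; missing=""
    printf '%s\n' "$rules" | grep -q "^-N ${name}\$"            || missing="$missing chain:${name}"
    printf '%s\n' "$rules" | grep -q "^-N ${name}_BLOCK\$"      || missing="$missing chain:${name}_BLOCK"
    printf '%s\n' "$rules" | grep -q "^-A INPUT .*-j ${name}\$" || missing="$missing input-rule"
    printf '%s\n' "$sets"  | grep -q "^Name: ${name}\$"         || missing="$missing ipset"
    if [ -z "$missing" ]; then echo ok; else echo "missing:${missing}"; fi
}

# Check every list in $1 (whitespace separated), one result line per list.
# Returns 1 if any list is incomplete, so it can alert from cron or a monitor.
check_all() {
    lists=$1; all_rules=$2; all_sets=$3; rc=0
    for l in $lists; do
        r=$(check_list "$l" "$all_rules" "$all_sets")
        echo "$l $r"
        [ "$r" = ok ] || rc=1
    done
    return $rc
}

# Constructed sample output (not from a real box): CIARMY is complete,
# FEODO_IP has its ipset but lost its chains and INPUT rule, which is the
# state that shows blank Pkts/Bytes in the GUI.
SAMPLE_RULES='-P INPUT ACCEPT
-N CIARMY
-N CIARMY_BLOCK
-A INPUT -j CIARMY
-A CIARMY -m set --match-set CIARMY src -j CIARMY_BLOCK
-A CIARMY_BLOCK -j DROP'
SAMPLE_SETS='Name: CIARMY
Type: hash:net
Name: FEODO_IP
Type: hash:net'

# Live use on the firewall (as root):
#   check_all "CIARMY FEODO_IP" "$(iptables -S)" "$(ipset list -t)"
if [ "${1:-}" = "--demo" ]; then
    check_all "CIARMY FEODO_IP" "$SAMPLE_RULES" "$SAMPLE_SETS"
fi
```

Run with `--demo` to see the constructed case; on a live box pass the real `iptables -S` and `ipset list -t` output and a nonzero exit means at least one list is in the blank-counters state and needs the reboot or the disable/re-enable cycle TimF describes.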

cbrown
Posts: 41
Joined: December 29th, 2017, 11:54 pm
Location: Texas

Re: timfprogs/ipfblocklist -- Safe, Pkts, Bytes

Post by cbrown » May 24th, 2019, 3:22 pm

TimF,

Wow, thanks for the comprehensive reply :)

-cbrown

cbrown
Posts: 41
Joined: December 29th, 2017, 11:54 pm
Location: Texas

Re: [Solved] timfprogs/ipfblocklist -- Safe, Pkts, Bytes

Post by cbrown » May 26th, 2019, 12:26 am

Hi TimF,

The block-lists for FEODO_BAD_IP and FEODO_IP get errors after downloading and do not load any entries in 'ipset'.
The errors consist of a long list of:
Use of uninitialized value $address in pattern match (m//) at /usr/local/bin/blocklist.pl line 634, <LIST> line 152.
Use of uninitialized value $address in pattern match (m//) at /usr/local/bin/blocklist.pl line 634, <LIST> line 152.
Use of uninitialized value $address in pattern match (m//) at /usr/local/bin/blocklist.pl line 634, <LIST> line 152.
...
Use of uninitialized value $address in pattern match (m//) at /usr/local/bin/blocklist.pl line 634, <LIST> line 152.
Use of uninitialized value $address in pattern match (m//) at /usr/local/bin/blocklist.pl line 634, <LIST> line 152.
Use of uninitialized value $address in pattern match (m//) at /usr/local/bin/blocklist.pl line 634, <LIST> line 152.
Use of uninitialized value $address in pattern match (m//) at /usr/local/bin/blocklist.pl line 634, <LIST> line 152.
Thanks again for your assistance,
cbrown

TimF
Posts: 83
Joined: June 10th, 2017, 7:27 pm

Re: timfprogs/ipfblocklist -- Safe, Pkts, Bytes

Post by TimF » May 26th, 2019, 7:46 pm

It looks like they've changed the URLs. I've updated the sources file; you can re-install or just download the one file. It should work correctly at the next update without any further action.

Note that the FEODO_BAD_IP list has gone and there's a new FEODO_AGGRESIVE list (which is a superset of the FEODO_IP list). The new list comes with an increased likelihood of blocking wanted traffic.
