bolemo / aegis

Firewall blocklist for Netgear R7800, R9000, Orbi and possibly more models.
MIT License

Firehol out of date blocklists #96

Closed redvelociraptor closed 3 years ago

redvelociraptor commented 3 years ago

I appreciate your work here to ease the problems with managing a secure home network.

As part of investigating some strange behaviors with access to a variety of internet locations I access, I've found that the Firehol project, while it appears to be actively maintained due to the daily import of block lists, isn't actually dealing with the issues in their block lists.

Thus far, I've discovered that Atlassian's global CIDR, Wikipedia's global European CIDR, MyShopify's CIDR, Discord's CDN IPs, as well as various other non-malicious IPs are being blocked by Firehol. Some of this is due to Firehol level 1 including the stale Bambenek lists (which are no longer offered for free), but others are appearing on Firehol level 2 and level 3 lists.

Almost all of the issues against Firehol are filed for these inappropriate blocks, and the Firehol maintainers haven't responded to them. Frankly at this point, I would consider the project abandoned.

Please consider a different set of "seed" sources for your blocklists, such as DataPlane.org, Spamhaus (e.g. https://www.spamhaus.org/drop/drop.txt and https://www.spamhaus.org/drop/edrop.txt), and Malc0de's malicious sites list at http://malc0de.com/bl/. Perhaps another to consider is the main, manually curated blacklist from https://github.com/pallebone/StrictBlockPAllebone (though sadly, he also recommends Firehol level 1).

Alternatively, you could go direct to the sources of the Firehol blocklists and drop the ones that are causing the false positives, since it's likely those sources are not being maintained, either.

Thanks again for your work.

bolemo commented 3 years ago

Thank you for your interest and concern.

  1. The blocklist seeds are totally customizable. I put some basic ones by default, but feel free to change, remove, add the seeds that you want/need. That is the whole idea.
  2. You can edit whitelist(s) and add any IP or CIDR range to avoid false positives that you may encounter.

That being said, if I get more feedback about problems with suggested default seeds, I will likely change the sources list to some you suggested, but always using third parties as I don’t have the time to curate and maintain my own lists.

redvelociraptor commented 3 years ago

For the moment I've just whitelisted the false positives I've encountered, as I'm not completely familiar with how such lists are fed to iptables. Once I figure that out I will update the lists to something from less stale providers.

My main concern is that new folks coming to Voxel's firmware are going to think something is broken with the firmware itself, as his README document does not mention that aegis is enabled by default. I'll contact Voxel and recommend he add a note.

bolemo commented 3 years ago

Wait a second! Aegis is not installed by default on Voxel’s firmware?! How did you end up using Aegis? You did not install it from my GitHub?

The way the lists are fed to iptables is simple and described in the ReadMe: the file /opt/bolemo/etc/aegis.sources contains the URLs of online lists to be loaded (FireHOL lists and alike). This is the file you want to edit to put your own chosen seeds. Then you can add custom blacklists (not URL seeds, but IPs or ranges you want to manually block) in files like /opt/bolemo/etc/aegis.blacklist. More details about lists are in the Aegis ReadMe.
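The false-positive handling discussed in this thread, as an added illustration that is not aegis's own code: parse a FireHOL-style netset (one IP or CIDR per line, `#` comments), carve the operator's whitelisted ranges out of it, and render the result as `ipset restore` input that an iptables `-m set --match-set` rule could consume. The sample feed and whitelist are constructed from RFC 5737 documentation ranges, the set name is a placeholder, and the example is IPv4-only for brevity.

```python
import ipaddress

# Constructed sample feed in FireHOL netset style (one IP/CIDR per line, '#' comments).
SAMPLE_NETSET = """\
192.0.2.0/24        # imagine this /24 belongs to a legitimate CDN
198.51.100.7
not-an-address      # malformed lines must not abort the load
203.0.113.0/25
"""

# Constructed whitelist: ranges the operator has confirmed as false positives.
SAMPLE_WHITELIST = """\
192.0.2.128/26
198.51.100.7
"""

def parse_netset(text):
    """Parse netset text into IPv4 networks; comments, blanks and junk are skipped."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # a production loader should log and count these
        if net.version == 4:  # IPv4 only, to keep the example short
            nets.append(net)
    return nets

def apply_whitelist(blocklist, whitelist):
    """Carve every whitelisted range out of the blocklist; return a minimal sorted list."""
    pieces = list(ipaddress.collapse_addresses(blocklist))  # dedupe and merge overlaps
    for wl in whitelist:
        kept = []
        for p in pieces:
            if p.subnet_of(wl):
                continue  # the whole piece is whitelisted: drop it
            if wl.subnet_of(p):
                kept.extend(p.address_exclude(wl))  # punch the hole, keep the remainder
            else:
                kept.append(p)
        pieces = kept
    return list(ipaddress.collapse_addresses(pieces))

def ipset_restore_lines(set_name, nets):
    """Render the result as input for `ipset restore`; set_name is a placeholder."""
    return [f"create {set_name} hash:net family inet"] + [f"add {set_name} {n}" for n in nets]
```

Feeding the rendered lines to `ipset restore` and matching the set from an iptables rule is the usual hand-off; the whitelist is applied before the set is built, so no ACCEPT rule ordering is needed for the carved-out ranges.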