firehol / blocklist-ipsets

ipsets dynamically updated with firehol's update-ipsets.sh script
https://iplists.firehol.org

192.30.253.112/31 in firehol_level4 is ... well... it's github.com. Had to remove it to post this issue. #13

Closed jawz101 closed 3 years ago

ktsaou commented 8 years ago

interesting...

let's see who listed it:

```
# echo "192.30.253.112/31" | iprange - --compare-next /etc/firehol/ipsets/*.{ip,net}set --header | grep -v ",0$"
name1,name2,entries1,entries2,ips1,ips2,combined_ips,common_ips
stdin,/etc/firehol/ipsets/firehol_level4.netset,1,90547,2,9586204,9586204,2
stdin,/etc/firehol/ipsets/cleanmx_viruses.ipset,1,12190,2,12190,12190,2
stdin,/etc/firehol/ipsets/blueliv_crimeserver_online.ipset,1,53132,2,53132,53133,1
```

So, cleanmx_viruses lists both IPs and blueliv_crimeserver_online lists one of them.

ktsaou commented 8 years ago

ok, I did predict this. The description of firehol_level4 says:

An ipset made from blocklists that track attacks, but may include a large number of false positives. (includes: cleanmx_viruses blocklist_net_ua botscout_30d cruzit_web_attacks cybercrime haley_ssh iblocklist_hijacked iblocklist_spyware iblocklist_webexploit ipblacklistcloud_top iw_wormlist malwaredomainlist)

So, I advise you to use this blocklist to block only inbound connections. In your firewall, block the connection tracker state NEW on packets coming from firehol_level4. This will allow you to talk to them, but will prevent them from connecting to you.

If you use the blacklist helper of firehol, use blacklist them ... not blacklist full ....
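
The inbound-only advice above, sketched for a plain Linux host with `ipset` and `iptables` (an added example, not code from this thread or from firehol). The function names and the two mode names are hypothetical, the "full" mode is only an illustration of bidirectional blocking, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example: print the commands, apply nothing. Review the output first.

# netset_to_restore SET FILE
# Convert a .netset/.ipset file (one IP or CIDR per line, '#' comments)
# into input for `ipset restore`.
netset_to_restore() {
    set_name=$1; file=$2
    printf 'create %s hash:net\n' "$set_name"
    # Drop comments, whitespace and empty lines; what remains is one entry per line.
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$file" |
    while IFS= read -r entry; do
        printf 'add %s %s\n' "$set_name" "$entry"
    done
}

# blocklist_rules SET MODE
#   inbound: drop only NEW connections arriving from listed sources, so
#            replies to connections we opened (ESTABLISHED) still get through
#   full:    drop everything from listed sources and everything sent to them;
#            a false positive such as github.com becomes unreachable
blocklist_rules() {
    set_name=$1; mode=$2
    case $mode in
        inbound)
            printf 'iptables -I INPUT -m set --match-set %s src -m conntrack --ctstate NEW -j DROP\n' "$set_name"
            ;;
        full)
            printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$set_name"
            printf 'iptables -I OUTPUT -m set --match-set %s dst -j DROP\n' "$set_name"
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 1
            ;;
    esac
}

# Constructed sample list (documentation ranges, not real blocklist data).
sample=$(mktemp)
printf '# constructed sample\n192.0.2.0/24\n198.51.100.7\n' > "$sample"
netset_to_restore firehol_level4 "$sample"
blocklist_rules firehol_level4 inbound
rm -f "$sample"
```

The `create`/`add` lines are meant for `ipset restore` and the `iptables` lines for a root shell.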

jawz101 commented 8 years ago

Thanks. I actually use your blocklists in pfSense's pfBlockerNG package :) You're doing the Lord's work, sir.