firehol / blocklist-ipsets

ipsets dynamically updated with firehol's update-ipsets.sh script
https://iplists.firehol.org

ipset_addfile: Cannot find file /etc/firehol/ipsets/openbl.ipset #207

Open jessicana opened 2 years ago

jessicana commented 2 years ago

firehol.conf located in /etc/firehol includes the following:

version 6

## https://github.com/firehol/blocklist-ipsets/blob/master/README.md#adding-the-ipsets-in-your-fireholconf
    # our wan interface
    wan="dsl0"

    # our whitelist
    ipset4 create whitelist hash:net
    ipset4 add whitelist A.B.C.D/E # A.B.C.D/E is whitelisted

    # subnets - netsets
    for x in fullbogons dshield spamhaus_drop spamhaus_edrop
    do
        ipset4 create  ${x} hash:net
        ipset4 addfile ${x} ipsets/${x}.netset
        blacklist4 full inface "${wan}" log "BLACKLIST ${x^^}" ipset:${x} \
            except src ipset:whitelist
    done

    # individual IPs - ipsets
    for x in feodo palevo sslbl zeus openbl blocklist_de
    do
        ipset4 create  ${x} hash:ip
        ipset4 addfile ${x} ipsets/${x}.ipset
        blacklist4 full inface "${wan}" log "BLACKLIST ${x^^}" ipset:${x} \
            except src ipset:whitelist
    done

# one collection for the single IPs
# https://firehol.org/guides/ipset/
## Can be found under Real life example
    ipv4 ipset create emerging_block_ips hash:ip
    ipv4 ipset addfile emerging_block_ips ips emerging-Block-IPs.txt

# another collection for the networks
    ipv4 ipset create emerging_block_nets hash:net
    ipv4 ipset addfile emerging_block_nets nets emerging-Block-IPs.txt

# blacklist them
    ipv4 blacklist full ipset:emerging_block_ips ipset:emerging_block_nets

# Accept all client traffic on any interface
#interface any world
#   client all accept
    interface any world
        protection strong
        policy drop
        server "icmp ping ICMP ssh" accept
        client all accept

# https://github.com/firehol/firehol/wiki/fail2ban
IPTABLES_CMD="/sbin""/iptables -w"

As per the content located under the real life example, I created auto-update-blookedips.sh, which includes the following:

#!/bin/bash
# download the current blocklist into a temporary file
tmp=$(mktemp) || exit 1
wget -O "$tmp" "http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"
# abort if the download failed or produced an empty file
if [ $? -ne 0 ] || [ ! -s "$tmp" ]
then
    rm -f "$tmp"
    echo >&2 "Cannot download blacklist."
    exit 1
fi
# update the ipsets
firehol ipset_update_from_file emerging_block_ips ips "$tmp"
firehol ipset_update_from_file emerging_block_nets nets "$tmp"
rm -f "$tmp"

Whenever I run ./auto-update-blookedips.sh I get this error:

 ERROR : # 1
WHEN   : Initializing
WHY    :  ipset emerging_block_ips is not configured by firehol. Cannot proceed.
COMMAND: (unset)
MODE   : both
SOURCE : INIT

--------------------------------------------------------------------------------
 ERROR : # 1
WHEN   : Initializing
WHY    :  ipset emerging_block_nets is not configured by firehol. Cannot proceed.
COMMAND: (unset)
MODE   : both
SOURCE : INIT

How can I correct this?

Stephanowicz commented 2 years ago

Hi, this was a little while ago; nevertheless: the ipset has to be created before it can be updated... this should have been done by these lines from the .conf file you posted:

## Can be found under Real life example
    ipv4 ipset create emerging_block_ips hash:ip
    ipv4 ipset addfile emerging_block_ips ips emerging-Block-IPs.txt

# another collection for the networks
    ipv4 ipset create emerging_block_nets hash:net
    ipv4 ipset addfile emerging_block_nets nets emerging-Block-IPs.txt

Therefore I think something went wrong with creating these... --> when you restart firehol, are there any failure messages?

Cheers, Stephan
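As an added illustration of the two points in this thread (the update script in the original post, and Stephan's remark that the ipset must already exist before `ipset_update_from_file` can touch it), here is a hardened variant of the download-and-update script. It is example code written for this page, not part of firehol or of the reporter's setup. It assumes the `ipset` and `firehol` commands are on PATH and that the blocklist is a text file of IPv4 addresses and CIDR networks with `#` comments; the split between single hosts and networks on the presence of a `/` is an assumption made here, not firehol's own `ips`/`nets` parsing.

```shell
#!/bin/bash
# Added example (not firehol project code): validate a downloaded blocklist
# and refuse to update ipsets that the running firewall has not created.

# Keep only lines that are a syntactically valid IPv4 address or IPv4 CIDR
# network. Comments ("# ..."), blank lines and anything else are dropped,
# and each octet is range-checked so that e.g. 999.1.1.1 never reaches ipset.
filter_ipv4_entries() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' \
      | awk -F'[./]' '$1<256 && $2<256 && $3<256 && $4<256'
}

# Single-host entries (no prefix length) read from stdin; assumption: this is
# what the hash:ip set should receive.
only_ips() { grep -Ev '/'; }

# Network entries (with a prefix length) read from stdin, for the hash:net set.
only_nets() { grep -E '/'; }

# True if the kernel currently has an ipset with exactly this name. When
# firehol failed to start (for example because an addfile source is missing,
# as in this issue's title), the set will not exist and the update must not run.
ipset_exists() {
    ipset list -n 2>/dev/null | grep -qx "$1"
}

# Download URL, validate it, and update both sets. Requires root.
update_from_url() {
    local url=$1 ips_set=$2 nets_set=$3 raw clean s
    raw=$(mktemp) || return 1
    clean=$(mktemp) || { rm -f "$raw"; return 1; }

    if ! wget -q -O "$raw" "$url" || [ ! -s "$raw" ]; then
        echo >&2 "Cannot download blacklist from $url"
        rm -f "$raw" "$clean"; return 1
    fi

    filter_ipv4_entries "$raw" > "$clean"
    if [ ! -s "$clean" ]; then
        echo >&2 "Downloaded list contained no valid IPv4 entries; not updating"
        rm -f "$raw" "$clean"; return 1
    fi

    for s in "$ips_set" "$nets_set"; do
        if ! ipset_exists "$s"; then
            echo >&2 "ipset $s does not exist in the kernel; (re)start firehol and check its errors first"
            rm -f "$raw" "$clean"; return 1
        fi
    done

    firehol ipset_update_from_file "$ips_set" ips "$clean" || { rm -f "$raw" "$clean"; return 1; }
    firehol ipset_update_from_file "$nets_set" nets "$clean" || { rm -f "$raw" "$clean"; return 1; }
    rm -f "$raw" "$clean"
}

# Usage (as root), mirroring the names used in the .conf above:
#   update_from_url "http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt" \
#       emerging_block_ips emerging_block_nets
```

The pre-check with `ipset list -n` turns the "is not configured by firehol" failure into an explicit message that points at the real cause (firehol did not create the set), and the filter keeps a malformed or tampered download from being loaded into the firewall.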