Open sanyo-ok opened 7 years ago
Tried to enable the list once again:
And got an error once again:
May 8 22:11:16 atom update-ipsets.sh[16824]: iblocklist_org_microsoft: Enabling iblocklist_org_microsoft...
May 8 22:11:37 atom update-ipsets.sh[17039]: Getting list of active ipsets...
May 8 22:11:37 atom update-ipsets.sh[17039]: INFO: iblocklist_org_microsoft: 9126611/727 mins passed, downloading...
May 8 22:11:38 atom update-ipsets.sh[17039]: INFO: iblocklist_org_microsoft: HTTP/200 OK
May 8 22:11:38 atom update-ipsets.sh[17039]: INFO: iblocklist_org_microsoft: loading to kernel (to temporary ipset)...
May 8 22:11:38 atom update-ipsets.sh[17039]: INFO: iblocklist_org_microsoft: swapping temporary ipset to production
May 8 22:11:38 atom update-ipsets.sh[17039]: ERROR: iblocklist_org_microsoft: failed to swap temporary ipset tmp-17039-12676-1
May 8 22:11:38 atom update-ipsets.sh[17039]: ERROR: iblocklist_org_microsoft: failed to update ipset (error file left as '/etc/firehol/ipsets/errors/iblocklist_org_microsoft.netset').
Well, the following solved the issue:
Manually deleted the files in /etc/firehol/ipsets
Then executed the following commands:
ipset destroy
ipset create iblocklist_org_microsoft hash:net
ipset add iblocklist_org_microsoft 1.1.1.1
update-ipsets enable iblocklist_org_microsoft
update-ipsets
ipset list now displays many subnets, as expected.
Please suggest what the correct method is to populate the ipsets after a reboot.
Hi,
you can use ipset directly from firehol.conf. Check this: https://github.com/firehol/firehol/wiki/Working-with-IPSETs
If you don't use firehol, you can use ipset-apply.sh from the contrib directory of firehol: https://github.com/firehol/firehol/blob/master/contrib/ipset-apply.sh This script takes an iprange/update-ipsets compatible input file (.ipset or .netset) and loads it into the kernel.
Once an ipset is loaded into the kernel, update-ipsets will update it automatically.
Hi Costa Tsaousis,
Maybe someone can be interested in the following functions for Firehol to block some unwanted traffic to spynet networks:
# Turn "a b c" into "ipset:a ipset:b ipset:c", the form firehol expects in src/dst.
add_ipset_prefix()
{
    List=$1;
    Result="";
    for I in $List; do
        Result="$Result ipset:$I";
    done;
    echo $Result;   # unquoted on purpose: drops the leading space
}

# block_ipsets PLACE LANHOSTS IPSETNAMES
#   PLACE is "interface" or "router"; src/dst are flipped accordingly.
#   $Profile and ExcludeFromBlock are defined elsewhere in the poster's firehol.conf.
block_ipsets()
{
    Place=$1; # interface|router
    LANHosts=$2;
    IPSetNames=$3;
    if [ "$Profile" == "short" ]; then
        return;
    fi;
    case $Place in
        ( interface )
            ExcludeFromBlock;
            ;;
    esac;
    IPSet=`add_ipset_prefix "$IPSetNames"`;
    case $Place in
        ( interface )
            client all drop src "$LANHosts" dst "$IPSet";
            server all drop src "$IPSet" dst "$LANHosts";
            ;;
        ( router )
            client all drop src "$IPSet" dst "$LANHosts";
            server all drop src "$LANHosts" dst "$IPSet";
            ;;
    esac;
}
# Usage in firehol.conf ($TunName is the tunnel interface, defined elsewhere):
router home2tun inface eth0 outface $TunName;
    masquerade;
    route "dns" drop;
    block_ipsets router "w10 xp" "spynet akamai other iblocklist_org_microsoft";
    route all accept; # route outside
And the following scripts for restarting Firehol:
restart.sh:
#!/bin/bash
# Usage: restart.sh [ipset]
# With the "ipset" argument all kernel ipsets are destroyed and reloaded while firehol is stopped.
Action=$1;
firehol stop;
case $Action in
    ( ipset )
        ipset destroy;   # no name given: destroys all sets; safe here because firehol is stopped
        /etc/firehol/load_ipsets.sh;
        ;;
esac;
firehol nofast start;
echo "ipset entries: "; ipset list | wc;
echo "iptables entries: "; iptables -L -n | wc;
load_ipsets.sh:
#!/bin/bash
# Load the poster's own lists (kept in /etc/firehol/lists) and one public list into the kernel.
load_my_list()
{
    Name=$1;
    /etc/firehol/ipset-apply.sh /etc/firehol/lists/$Name;
}
load_public_list()
{
    Name=$1;
    update-ipsets enable $Name;
    update-ipsets >/dev/null 2>&1;   # download/refresh the enabled lists; output discarded
    /etc/firehol/ipset-apply.sh $Name;
}
load_my_list akamai.netset;
load_my_list spynet.ipset;
load_my_list other.ipset;
load_public_list iblocklist_org_microsoft;
Please let me know where I can download an up-to-date, full list of the subnets of an organization like Akamai. I would like to block their addresses only for one of my hosts, which does not browse any sites, so connections to the Akamai network are unwanted on that host. I can google for each single subnet and find something like: http://bgp.he.net/net/2.16.4.0/23
Where can I download a text file with the complete list of Akamai subnets?
I am not sure they disclose their IP address space. It would be a security flaw for them to do this (since they would be exposed to DDoS). Anyway, you will have to check their site.
Some googling reveals the following list: https://pastebin.com/raw/iGTvZrCz
A complete list for any organization is available at: http://bgp.he.net/AS20940#_prefixes
Hello,
I have been using your excellent Firehol script for over 10 years already; it is very good, exceptionally convenient.
Recently I began to look into how I can block some unwanted connections.
Phil kindly pointed me to ipset and iprange.
I have installed the latest versions of your scripts from github on my Debian v8 system, upgraded all distro packages too before building Firehol.
Unfortunately I cannot add any IPs to a kernel ipset. I tried iprange and update-ipsets.
Can you please point me to several examples of how to generate ipsets by iprange and update-ipsets?
I tried:
ipset destroy
update-ipsets enable iblocklist_org_microsoft
update-ipsets
ipset list - displays empty
Got the following in the syslog:
May 8 21:05:35 atom update-ipsets.sh[18989]: INFO: iblocklist_org_microsoft: 9126545/727 mins passed, downloading...
May 8 21:05:37 atom update-ipsets.sh[18989]: INFO: iblocklist_org_microsoft: HTTP/200 OK
May 8 21:05:37 atom update-ipsets.sh[18989]: SAVED: iblocklist_org_microsoft: no need to load ipset in kernel
Then:
ipset create iblocklist_org_microsoft hash:net
update-ipsets
ipset list - still displays empty
Please suggest, what am I doing wrong?