naveednajam / Little-Snitch---Rule-Groups

This repo provides rule groups for Little Snitch based on a unified host list to block ads, malware, fake news and porn
GNU General Public License v3.0

Disable Incoming Connections #16

Open maxsnet opened 4 years ago

maxsnet commented 4 years ago

Hi Naveed, I found your git while looking for blocking incoming connections per country using Little Snitch. Your V2 is very impressive, thank you for sharing your great work with the community!

Your page https://rulegroups.com/ip-acl-by-country/ lets you get a list for blocking outgoing connections; can you deliver the same or updated ones for incoming connections?

Also what about adding firehol IP sets? For example there are IP lists of spamming, scanning, DNS-hijacking, DDoS attacking... that would be great to block with Little Snitch!

naveednajam commented 4 years ago

can you deliver the same or updated ones for incoming connections?

Sure, I will look into it to see what is the best possible way to achieve it. Currently I am using the "denied-remote-addresses" tag, which does not take into account any direction tag.

Also what about adding adding firehol IP sets?

I am working on it and will add it in the future

naveednajam commented 4 years ago

For now I changed the direction to incoming for IP ACL by Country, as it makes more sense to block incoming traffic for an IP ACL. Later I will add an option in the web GUI to select the direction.

maxsnet commented 4 years ago

It makes more sense to me too to block incoming traffic in this case, and indeed an option would be ideal.

FYI in Little Snitch when I duplicated a country rule into a deny incoming one it gave me rules formatted like this:

    {
      "action" : "deny",
      "creationDate" : 1589204868.6642461,
      "direction" : "incoming",
      "modificationDate" : 1589205091.8171248,
      "owner" : "me",
      "process" : "any",
      "remote-addresses" : "193.201.156.0-193.201.156.127"
    }

Also what about adding firehol IP sets?

I am working on it and will add it in the future

Sounds great. Thinking about it, it could be broken down like this:

naveednajam commented 4 years ago

I just modified the format as you see in your rule right now, which includes the direction and remote-addresses tags. Before that it was like this:

    {
      "description": " #Last Updated:20171214 in RIR: apnic Last Update: 11/05/2020 22:04 UTC+8",
      "name": "AF_ipv4",
      "direction": "incoming",
      "denied-remote-addresses": [
        "27.116.56.0 - 27.116.59.255",
        "43.230.209.0 - 43.230.209.255"
      ]
    }

This is the block list format: https://help.obdev.at/littlesnitch/ref-lsrules-file-format. However, it has some limitations, e.g. we cannot define direction in this format.

On 11 May 2020, at 11:51 PM, Max Prat-Carrabin notifications@github.com wrote:

    {
      "action" : "deny",
      "creationDate" : 1589204868.6642461,
      "direction" : "incoming",
      "modificationDate" : 1589205091.8171248,
      "owner" : "me",
      "process" : "any",
      "remote-addresses" : "193.201.156.0-193.201.156.127"
    }

naveednajam commented 4 years ago

@maxsnet there is one issue using update-ipset.sh: the lists are meant to be applied on an Internet-facing network interface to block incoming traffic, and contain bogons as a part of it. Therefore we cannot simply use the lists as they are unless there is some way to exclude the bogons.

maxsnet commented 4 years ago

Hey @naveednajam, line 7748 of update-ipset.sh creates "FireHOL lists" by merging chosen IP lists per theme, examples:

merge firehol_level1 ipv4 both \
    "attacks" \
    "A firewall blacklist composed from IP lists, providing maximum protection with minimum false positives. Suitable for basic protection on all internet facing servers, routers and firewalls." \
    "FireHOL" "http://iplists.firehol.org/" \
    bambenek_c2 \
    dshield \
    feodo \
    fullbogons \
    spamhaus_drop \
    spamhaus_edrop \
    sslbl \
    zeus_badips \
    ransomware_rw \

merge firehol_abusers_1d ipv4 both \
    "abuse" \
    "An ipset made from blocklists that track abusers in the last 24 hours." \
    "FireHOL" "http://iplists.firehol.org/" \
    botscout_1d \
    cleantalk_new_1d \
    cleantalk_updated_1d \
    php_commenters_1d \
    php_dictionary_1d \
    php_harvesters_1d \
    php_spammers_1d \
    stopforumspam_1d \

Those lists are actually on the Firehol git (name starting with firehol_), example.

Before trying to use update-ipset.sh (without installing Firehol... "just" to update the lists...), what about using the updated firehol_ lists on the Firehol git?

naveednajam commented 4 years ago

@maxsnet firehol level1 and level2 are available. Similar to domains, subnets in each file are unique. If you want level2, then subscribe to both lists. These lists do not contain bogons. I used fullbogon.netset to exclude any bogons from the lists.
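The two points made in this thread, the rule-group format that carries a `direction` plus `remote-addresses` per rule, and the need to strip bogon space out of FireHOL-derived lists before they are usable as an incoming deny list, can be put together in one small script. The following is an added example written for this page, not code from the Little-Snitch---Rule-Groups project or from FireHOL. It assumes the per-rule keys shown in the rule posted above (`action`, `process`, `direction`, `remote-addresses`) and a top-level `rules` array as in the linked .lsrules reference; the entries and the bogon list are constructed sample values, not the real fullbogons set.

```python
import ipaddress
import json

# Constructed sample input (not a real FireHOL or country list). It mixes the
# "a.b.c.d - e.f.g.h" range style used in the old rule group files with CIDR.
SAMPLE_ENTRIES = [
    "193.201.156.0-193.201.156.127",
    "10.1.0.0/16",                   # lies entirely inside a bogon: must be dropped
    "27.116.56.0 - 27.116.59.255",   # partly overlaps a bogon: must be trimmed
]

# Constructed stand-in for fullbogons.netset (hypothetical values only).
SAMPLE_BOGONS = [
    "0.0.0.0/8",
    "10.0.0.0/8",
    "27.116.58.0/23",
]


def parse_entry(entry):
    """Turn one list entry (CIDR or 'lo - hi' range) into IPv4Network objects."""
    entry = entry.strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(entry, strict=False)]


def exclude_bogons(entries, bogon_entries):
    """Remove every address that falls inside a bogon network.

    CIDR blocks are either nested or disjoint, so each (network, bogon) pair is
    one of three cases: no overlap (keep the network), network inside the bogon
    (drop it), bogon inside the network (carve the bogon out).
    """
    remaining = [n for e in entries for n in parse_entry(e)]
    bogons = [n for e in bogon_entries for n in parse_entry(e)]
    for bogon in bogons:
        next_round = []
        for net in remaining:
            if net.version != bogon.version or not net.overlaps(bogon):
                next_round.append(net)
            elif net.subnet_of(bogon):
                continue  # entirely bogon space: drop it
            else:
                next_round.extend(net.address_exclude(bogon))
        remaining = next_round
    # collapse_addresses merges adjacent blocks and returns them sorted
    return list(ipaddress.collapse_addresses(remaining))


def build_lsrules(name, description, networks, direction="incoming"):
    """Assemble the rule group: one deny rule per network, each carrying the
    direction tag, wrapped in the top-level "rules" array (assumed layout)."""
    return {
        "name": name,
        "description": description,
        "rules": [
            {
                "action": "deny",
                "process": "any",
                "direction": direction,
                "remote-addresses": str(net),
            }
            for net in networks
        ],
    }


def render_lsrules(name, description, entries, bogon_entries, direction="incoming"):
    """Full pipeline: parse entries, strip bogons, return the JSON text."""
    nets = exclude_bogons(entries, bogon_entries)
    return json.dumps(build_lsrules(name, description, nets, direction), indent=2)


if __name__ == "__main__":
    print(render_lsrules("sample_incoming_deny", "constructed sample, not a real list",
                         SAMPLE_ENTRIES, SAMPLE_BOGONS))
```

On the sample input the 10.1.0.0/16 entry disappears, 27.116.56.0/22 is trimmed to 27.116.56.0/23 because its upper half is bogon space, and 193.201.156.0/25 passes through untouched; the emitted rules all carry `"direction": "incoming"`, so the file blocks only inbound connections from those ranges.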

maxsnet commented 4 years ago

@naveednajam that's great! Do they update automatically? Careful the level 2 link goes to level 1.

naveednajam commented 4 years ago

@naveednajam that's great! Do they update automatically? Careful the level 2 link goes to level 1.

Yes, all lists will update on a weekly schedule. The Level2 raw link I forgot to update earlier, but the actual rules were from level2. I have updated the raw link as well.

maxsnet commented 4 years ago

@naveednajam that's neat! Just to know, do you plan to add more of Firehol and also sync refresh times? For example Level 2 is "An ipset made from blocklists that track attacks, during about the last 48 hours".

naveednajam commented 4 years ago

Currently I don't have separate update times for different lists. But I have a plan to add this function as soon as I get some time. For Firehol, which other lists do you want me to add? Priority is to have those lists with minimal false positives, e.g. level 4 has a higher chance of false positives. If you have any specific list(s) in mind, let me know and I will add them.