Firewall / Spamassassin: Automatic list update
-
@girish There is the risk those lists are too broad, I just had to remove taiwan zone because one of our forum users could not access it.
I think if we ever have automatic list update, the source should be a vetted spam ip list not just IP list blocking entire countries..
@rmdes said in Firewall / Spamassassin: Automatic list update:
source should be a vetted spam ip list
My two cents... Cloudron should not be responsible for vetting the list. It should be (ideally) as simple as admins enabling/disabling lists that are pre-packaged by Cloudron in case they can't just allow any dataset to be used, or we'd be able to throw in our own links to files updated by various vendors such as those from Firehol for example.
I think that's what you meant, but wanted to clarify in case, as I would hate to see Cloudron being responsible for doing any kind of manual vetting, that should definitely be on admins to do. Cloudron just needs to allow access to the lists and we then go from there as admins.
-
There's even a list for Cloudron team to use for this forum
hahahttps://iplists.firehol.org/?ipset=stopforumspam
Now imagine if that could be used in the firewall automatically. Would be awesome.
--
Dustin Dauncey
www.d19.ca -
There's even a list for Cloudron team to use for this forum
hahahttps://iplists.firehol.org/?ipset=stopforumspam
Now imagine if that could be used in the firewall automatically. Would be awesome.
-
@d19dotca Yes that's what I meant, hence the lists I suggested: https://forum.cloudron.io/post/20010
-
The more I read about FireHol the more I wish this was backed into cloudron install directly, it seems to me that Firehol is a great source to rely for blocking bad IP's
@girish
Did anything come of this...? -
Can we re-visit this?
-
N necrevistonnezr referenced this topic on
-
I guess since the blocklist is in
/home/yellowtent/platformdata/firewall/blocklist.txt, one could build something with a script & cron? -
@girish is the way I described feasible? Is that txt file the actual list the firewall accesses to check blocked IPs or is this txt file e.g. used to feed into a database?
@necrevistonnezr Updating the txt file is not enough. The txt file is actually just a "cache" , the real value is stored in the database.
-
@necrevistonnezr Updating the txt file is not enough. The txt file is actually just a "cache" , the real value is stored in the database.
-
@girish Ok, so simple scripting is out of the question.
@necrevistonnezr you can still use the api though
-
Well, the "setBlockList" operation allows to add a range of IPs but not a list of IPs in a file or am I wrong?
curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $CLOUDRON_TOKEN" "https://$CLOUDRON_DOMAIN/api/v1/network/blocklist" --data '{"blocklist":"# Spammy network\n10.244.0.0/16"}'as per: https://docs.cloudron.io/api.html#tag/Network/operation/setBlockList
-
Well, the "setBlockList" operation allows to add a range of IPs but not a list of IPs in a file or am I wrong?
curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $CLOUDRON_TOKEN" "https://$CLOUDRON_DOMAIN/api/v1/network/blocklist" --data '{"blocklist":"# Spammy network\n10.244.0.0/16"}'as per: https://docs.cloudron.io/api.html#tag/Network/operation/setBlockList
@necrevistonnezr it's a "Newline separated list of IP entries" . So, it can be
# Spammy network\n10.244.0.0/16\n1.2.3.4\n3.4.5.6\n172.4.0.0/16 -
@necrevistonnezr it's a "Newline separated list of IP entries" . So, it can be
# Spammy network\n10.244.0.0/16\n1.2.3.4\n3.4.5.6\n172.4.0.0/16@girish I guess there's no mechanism to avoid duplicate entries when using the "setBlockList" operation, correct?
In general, I guess something like this should work:
#!/bin/bash curl https://www.ipdeny.com/ipblocks/data/countries/kz.zone --output iplist.txt while read -r line; do curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $CLOUDRON_TOKEN" "https://$CLOUDRON_DOMAIN/api/v1/network/blocklist" --data $line" done < iplist.txt rm iplist.txtI don't have know yet how to avoid duplicates in the database..
-
It should be default functionality to have country block/allow in the Cloudron GUI just like all Synology NAS’s have. It’s 2023 and too dangerous to have everything accessible for everyone. That’s why many Cloudron users (read the forum) are using Cloudflare for this kind of functionality (like I have to do).
-
-
It should be default functionality to have country block/allow in the Cloudron GUI just like all Synology NAS’s have. It’s 2023 and too dangerous to have everything accessible for everyone. That’s why many Cloudron users (read the forum) are using Cloudflare for this kind of functionality (like I have to do).
@imc67 IMO, the correct place to implement this is in the network firewall. Most Cloud providers already have a firewall feature and they can then implement this firewall rule at the edge of the network instead of the server itself.
I have a Synology router (not NAS) at home. I just use their blocklists. For home setups, the router is the correct place for this. Otherwise, you allow all traffic to come into your home and then it gets rejected by the server wasting cpu and network traffic.
That said, I understand why this feature is being requested here instead - no cloud network firewall has this feature. And most likely cloud providers don't listen to our suggestions
-
@imc67 IMO, the correct place to implement this is in the network firewall. Most Cloud providers already have a firewall feature and they can then implement this firewall rule at the edge of the network instead of the server itself.
I have a Synology router (not NAS) at home. I just use their blocklists. For home setups, the router is the correct place for this. Otherwise, you allow all traffic to come into your home and then it gets rejected by the server wasting cpu and network traffic.
That said, I understand why this feature is being requested here instead - no cloud network firewall has this feature. And most likely cloud providers don't listen to our suggestions
-
@girish I guess there's no mechanism to avoid duplicate entries when using the "setBlockList" operation, correct?
In general, I guess something like this should work:
#!/bin/bash curl https://www.ipdeny.com/ipblocks/data/countries/kz.zone --output iplist.txt while read -r line; do curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $CLOUDRON_TOKEN" "https://$CLOUDRON_DOMAIN/api/v1/network/blocklist" --data $line" done < iplist.txt rm iplist.txtI don't have know yet how to avoid duplicates in the database..
@necrevistonnezr said in Firewall / Spamassassin: Automatic list update:
I guess something like this should work
Did you managed it to get it worked like that?
-
@necrevistonnezr said in Firewall / Spamassassin: Automatic list update:
I guess something like this should work
Did you managed it to get it worked like that?
