Firewall / Spamassassin: Automatic list update
-
The more I read about FireHol, the more I wish this was baked into the Cloudron install directly; it seems to me that Firehol is a great source to rely on for blocking bad IPs.
wrote on May 12, 2022, 12:19 PM last edited by
@girish Did anything come of this...?
-
wrote on Oct 27, 2023, 5:55 AM last edited by
Can we re-visit this?
-
wrote on Oct 27, 2023, 8:05 PM last edited by
I guess since the blocklist is in /home/yellowtent/platformdata/firewall/blocklist.txt, one could build something with a script & cron?
-
wrote on Nov 7, 2023, 8:57 AM last edited by
@girish is the way I described feasible? Is that txt file the actual list the firewall accesses to check blocked IPs or is this txt file e.g. used to feed into a database?
-
@necrevistonnezr Updating the txt file is not enough. The txt file is actually just a "cache", the real value is stored in the database.
-
wrote on Nov 9, 2023, 6:01 AM last edited by
@girish Ok, so simple scripting is out of the question.
-
@necrevistonnezr you can still use the api though
-
wrote on Nov 9, 2023, 2:35 PM last edited by
Well, the "setBlockList" operation allows adding a range of IPs but not a list of IPs in a file, or am I wrong?
curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $CLOUDRON_TOKEN" "https://$CLOUDRON_DOMAIN/api/v1/network/blocklist" --data '{"blocklist":"# Spammy network\n10.244.0.0/16"}'
as per: https://docs.cloudron.io/api.html#tag/Network/operation/setBlockList
-
@necrevistonnezr it's a "Newline separated list of IP entries". So, it can be
# Spammy network\n10.244.0.0/16\n1.2.3.4\n3.4.5.6\n172.4.0.0/16
-
wrote on Nov 10, 2023, 8:24 AM last edited by necrevistonnezr Nov 10, 2023, 8:25 AM
@girish I guess there's no mechanism to avoid duplicate entries when using the "setBlockList" operation, correct?
In general, I guess something like this should work:
#!/bin/bash
# Download the country zone file (one CIDR range per line)
curl https://www.ipdeny.com/ipblocks/data/countries/kz.zone --output iplist.txt
# POST each range to the blocklist endpoint as the JSON "blocklist" string
while read -r line; do
  curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $CLOUDRON_TOKEN" "https://$CLOUDRON_DOMAIN/api/v1/network/blocklist" --data "{\"blocklist\":\"$line\"}"
done < iplist.txt
rm iplist.txt
I don't know yet how to avoid duplicates in the database..
-
It should be default functionality to have country block/allow in the Cloudron GUI just like all Synology NAS’s have. It’s 2023 and too dangerous to have everything accessible for everyone. That’s why many Cloudron users (read the forum) are using Cloudflare for this kind of functionality (like I have to do).
-
@imc67 IMO, the correct place to implement this is in the network firewall. Most Cloud providers already have a firewall feature and they can then implement this firewall rule at the edge of the network instead of the server itself.
I have a Synology router (not NAS) at home. I just use their blocklists. For home setups, the router is the correct place for this. Otherwise, you allow all traffic to come into your home and then it gets rejected by the server, wasting CPU and network traffic.
That said, I understand why this feature is being requested here instead - no cloud network firewall has this feature. And most likely cloud providers don't listen to our suggestions.
-
wrote on Nov 29, 2023, 8:30 AM last edited by
Is it possible to improve / add the IP block list feature to Cloudron in 8.0?
-
@necrevistonnezr said in Firewall / Spamassassin: Automatic list update:
I guess something like this should work
Did you manage to get it working like that?
-
wrote on Dec 21, 2023, 6:18 AM last edited by
@imc67 No, as I don’t know how to avoid duplicates in the database - I don’t want to fill up a database with a hard entry limit with nonsense
-
wrote on Dec 24, 2023, 2:32 PM last edited by imc67 Dec 24, 2023, 2:33 PM
@necrevistonnezr I gave it a try with some help by ChatGPT and it works flawlessly!! Except the API can't handle a large list, which the GUI is able to handle without an issue.
The script automatically downloads all the geo lists in an array, creates a copy/paste file for the GUI and then prepares the file in JSON style and connects/uploads via the API.
When I choose only a few countries it works perfectly, however when choosing all the desired ones:
@girish @nebulon I get a
line 83: /usr/bin/curl: Argument list too long
I can copy/paste the full list in the GUI, it takes some time but it uploads and settles all IP ranges (about 87k)
Does anyone know how to do this via the API?
-
@imc67 said in Firewall / Spamassassin: Automatic list update:
@girish @nebulon I get a line 83: /usr/bin/curl: Argument list too long
This is related to curl. I don't know the answer but you can look for posts similar to https://stackoverflow.com/questions/54090784/curl-argument-list-too-long where you have to pass the args as a file instead of on the command line itself.
-
@girish said in Firewall / Spamassassin: Automatic list update:
https://stackoverflow.com/questions/54090784/curl-argument-list-too-long
I tried that in the beginning but got this error:
{ "status": "Bad Request", "message": "blocklist must be a string" }
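-
Added example, not part of the thread and not Cloudron's own code: one way to send a large list through the setBlockList call quoted above without hitting "Argument list too long". The JSON document (a single "blocklist" string with \n-separated entries) is built in a temp file and handed to curl as @file; the function names, the IPv4-only validation and the client-side de-duplication are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. CLOUDRON_TOKEN / CLOUDRON_DOMAIN are the
# variables used in the posts; function names and the checks are assumptions.
set -eu

# stdin: one entry per line (e.g. an ipdeny zone file, "#" comments allowed).
# stdout: {"blocklist":"a\nb"} keeping only valid, unique IPv4 addresses/CIDRs.
build_payload() {
  awk '
    function valid(e,   p, o, i, n) {
      n = split(e, p, "/")
      if (n > 2 || (n == 2 && (p[2] !~ /^[0-9]+$/ || p[2] + 0 > 32))) return 0
      if (split(p[1], o, ".") != 4) return 0
      for (i = 1; i <= 4; i++)
        if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
      return 1
    }
    BEGIN { printf "{\"blocklist\":\"" }
    {
      sub(/#.*/, ""); gsub(/[ \t\r]/, "")
      if (!valid($0) || seen[$0]++) next
      printf "%s%s", (count++ ? "\\n" : ""), $0
    }
    END { printf "\"}\n" }
  '
}

# $1: file with entries. The body goes to a temp file that curl reads via
# @file, so the size of the list never reaches the command-line limit.
upload_blocklist() (
  body=$(mktemp)
  trap 'rm -f "$body"' EXIT
  build_payload < "$1" > "$body"
  # No valid entry usually means a failed download: do not send that.
  if ! grep -q '[0-9]' "$body"; then
    echo "no valid entries in $1, not uploading" >&2
    exit 1
  fi
  curl -fsS -X POST \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $CLOUDRON_TOKEN" \
    --data-binary "@$body" \
    "https://$CLOUDRON_DOMAIN/api/v1/network/blocklist"
)

# Usage: sh update-blocklist.sh iplist.txt
[ "$#" -eq 0 ] || upload_blocklist "$1"
```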