From patchwork Mon Nov 25 20:13:04 2019
X-Patchwork-Submitter: Tim FitzGeorge
X-Patchwork-Id: 2608
From: Tim FitzGeorge
To: development@lists.ipfire.org
Subject: [PATCH 0/5] ipblacklist: IP Address Blacklists
Date: Mon, 25 Nov 2019 20:13:04 +0000
Message-Id: <20191125201309.10840-1-ipfr@tfitzgeorge.me.uk>

Implements downloading of IP address blacklists and implementing them as
IPSets. A separate IPSet is used for each blacklist; this simplifies
handling of overlaps between different lists.
Traffic to or from the red0/ppp0 interface is checked against the IPSets.
The check is placed before the IPS check, as the IPSet check is much
lighter on CPU use, which means that overall CPU use is reduced.

The available lists are defined in a separate file. A WUI page allows the
desired lists to be enabled and the interval between checks for updates
to be defined. A minimum update check interval is defined for each
blacklist in the definition file.

Optionally, an automatically updating blacklist can be enabled. This adds
addresses to an IPSet if the rate of packets dropped by the default
red0/ppp0 input policy exceeds a user defined threshold. The addresses
are kept in the IPSet until a user defined period without packets from
the blocked address has passed.

Tim FitzGeorge (5):
  ipblacklist: Main script
  ipblacklist: WUI and language file
  ipblacklist: Ancillary files
  ipblacklist: Modifications to system
  ipblacklist: Build infrastructure

 config/backup/backup.pl                     |    1 +
 config/backup/include                       |    2 +
 config/firewall/firewall-policy             |    5 +
 config/ipblacklist/sources                  |  151 +++
 config/logwatch/ipblacklist                 |  103 ++
 config/logwatch/ipblacklist.conf            |   34 +
 config/menu/50-firewall.menu                |    5 +
 config/rootfiles/common/aarch64/stage2      |    1 +
 config/rootfiles/common/configroot          |    2 +
 config/rootfiles/common/ipblacklist-sources |    1 +
 config/rootfiles/common/logwatch            |    2 +
 config/rootfiles/common/misc-progs          |    2 +
 config/rootfiles/common/stage2              |    1 +
 config/rootfiles/common/web-user-interface  |    1 +
 config/rootfiles/common/x86_64/stage2       |    1 +
 html/cgi-bin/ipblacklist.cgi                |  725 +++++++++++++
 html/cgi-bin/logs.cgi/log.dat               |    2 +
 langs/en/cgi-bin/en.pl                      |   31 +
 lfs/configroot                              |    4 +-
 lfs/ipblacklist-sources                     |   53 +
 lfs/logwatch                                |    2 +
 make.sh                                     |   11 +-
 src/initscripts/system/firewall             |   20 +
 src/misc-progs/Makefile                     |    2 +-
 src/misc-progs/getipsetstat.c               |   28 +
 src/misc-progs/ipblacklistctrl.c            |   52 +
 src/scripts/ipblacklist                     | 1558 +++++++++++++++++++++++++++
 27 files changed, 2792 insertions(+), 8 deletions(-)
 create mode 100644 config/ipblacklist/sources
 create mode 100644 config/logwatch/ipblacklist
 create mode 100644 config/logwatch/ipblacklist.conf
 create mode 100644 config/rootfiles/common/ipblacklist-sources
 create mode 100644 html/cgi-bin/ipblacklist.cgi
 create mode 100644 lfs/ipblacklist-sources
 create mode 100644 src/misc-progs/getipsetstat.c
 create mode 100644 src/misc-progs/ipblacklistctrl.c
 create mode 100755 src/scripts/ipblacklist
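The automatically updating blacklist the cover letter describes (a source is added to the set once the rate of dropped red0/ppp0 input packets exceeds a threshold, and removed after a quiet period without packets from it) can be replayed over a firewall log to see which add/del operations the IPSet would receive. This is an added illustration, not the series' ipblacklist script: the DROP_INPUT log prefix, the netfilter field layout, the sample lines and the threshold/window/expiry values are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
# Constructed sample of (epoch seconds, kernel log line). The DROP_INPUT prefix and
# netfilter field layout are assumptions standing in for the red0 input-policy log.
SAMPLE_LOG = [
    (1000, "DROP_INPUT IN=red0 OUT= SRC=203.0.113.10 DST=198.51.100.1 PROTO=TCP DPT=22"),
    (1005, "DROP_INPUT IN=red0 OUT= SRC=198.51.100.77 DST=198.51.100.1 PROTO=TCP DPT=443"),
    (1010, "DROP_INPUT IN=red0 OUT= SRC=203.0.113.10 DST=198.51.100.1 PROTO=TCP DPT=23"),
    (1020, "DROP_INPUT IN=red0 OUT= SRC=203.0.113.10 DST=198.51.100.1 PROTO=TCP DPT=445"),
    (1100, "DROP_INPUT IN=red0 OUT= SRC=203.0.113.10 DST=198.51.100.1 PROTO=TCP DPT=3389"),
    (1500, "DROP_INPUT IN=red0 OUT= SRC=198.51.100.77 DST=198.51.100.1 PROTO=TCP DPT=443"),
]
LOG_RE = re.compile(r"\bIN=(?P<iface>\S+).*?\bSRC=(?P<src>\d+\.\d+\.\d+\.\d+)")

class AutoBlacklist:
    # threshold drops within window seconds adds a source; expiry quiet seconds removes it
    def __init__(self, threshold, window, expiry):
        self.threshold, self.window, self.expiry = threshold, window, expiry
        self.recent = defaultdict(deque)  # src -> timestamps of recent drops
        self.blocked = {}                 # src -> time of last packet seen
        self.events = []                  # ("add"|"del", ts, src), in order

    def observe(self, ts, line):
        m = LOG_RE.search(line)
        if not m or m.group("iface") not in ("red0", "ppp0"):
            return                        # only drops on the external interface count
        src = m.group("src")
        if src in self.blocked:           # any packet restarts the quiet timer
            self.blocked[src] = ts
            return
        q = self.recent[src]
        q.append(ts)
        while ts - q[0] > self.window:    # slide the window; q holds ts, so never empty
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked[src] = ts
            self.events.append(("add", ts, src))

    def expire(self, now):
        for src, last in list(self.blocked.items()):
            if now - last >= self.expiry:
                del self.blocked[src]
                self.events.append(("del", now, src))

def run(log, threshold=3, window=60, expiry=300):
    # Replay the log in order; return the add/del events the IPSet would receive.
    bl = AutoBlacklist(threshold, window, expiry)
    for ts, line in log:
        bl.expire(ts)
        bl.observe(ts, line)
    bl.expire(log[-1][0] + expiry)        # let the quiet period run out after the last line
    return bl.events
```

With the defaults, 203.0.113.10 is added at t=1020 after its third drop inside the 60 s window and removed at t=1500, 400 s after its last packet, while 198.51.100.77 never reaches the threshold because its drops fall outside the window.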