From: Lonnie A. <li...@lo...> - 2019-09-11 13:09:51

Hi Michael,

I use the firewall dyndns-host-open plugin all the time and it has never failed me.

Look closely for a typo in your dyndns-host-open.conf, also note it takes about 45 seconds after the firewall is loaded before the initial rule is added.

BTW, a general way to look at your dyndns-host-open status:

    pbx # arno-iptables-firewall status-plugins dyndns-host-open

Also, another level of debugging, use:

    pbx # arno-iptables-firewall restart

and look for the line:

    -- Checking for (user) plugins in /usr/share/arno-iptables-firewall/plugins... --

and see if the "DynDNS Host Open plugin" looks good.

Lastly, on the box in question, issue from the CLI:

    pbx # host zabbix.ipcsolutions.com.au

to make sure the DNS is working properly on that box.

Lonnie

> On Sep 11, 2019, at 2:07 AM, Michael Knill <mic...@ip...> wrote:
>
> Hi Group
>
> I'm trying to get this plugin working and it is just not playing the game at a couple of my sites.
>
> dyndns-host-open.conf
> ENABLED=1
> DYNDNS_UPDATE_TIME=900
> DYNDNS_HOST_OPEN_TCP="zabbix.ipcsolutions.com.au~10050"
> DYNDNS_HOST_OPEN_UDP=""
> DYNDNS_HOST_OPEN_IP=""
> DYNDNS_HOST_OPEN_ICMP=""
>
> At one site, it just won't put in the rule in iptables:
> # arno-iptables-firewall status | grep 10050
>
> No output
>
> At another site it does:
> # arno-iptables-firewall status | grep 10050
> 28 1680 ACCEPT tcp -- * * <address hidden> 0.0.0.0/0 tcp dpt:10050
> ACCEPT tcp -- <address hidden> 0.0.0.0/0 tcp dpt:10050
>
> I can go back to putting in an IP Address in the firewall but I will probably be changing the server later and it will be a pain to reconfigure all my sites.
> But I'm getting close to giving up on it.
>
> Regards
> Michael Knill
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
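The troubleshooting steps above reduce to one question: did the hostname resolve, and did the resolved address turn into a rule? The Python below models that refresh cycle so the failure modes can be seen offline. It is an added example, not the arno-iptables-firewall plugin's own code: the chain name EXT_INPUT_CHAIN, the shape of the generated rules and the choice to keep the old rule when a lookup fails are assumptions of this model, and the resolver is injected so the cycle runs against a constructed lookup table instead of real DNS.

```python
"""Model of a DNS-driven firewall allow rule, dyndns-host-open style.

Added example, not the arno-iptables-firewall plugin's code. The chain
name, the rule shape and the keep-old-rule-on-lookup-failure behaviour are
assumptions of this model; the resolver is injected so it runs offline.
"""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], Optional[str]]  # hostname -> address literal or None


def parse_host_open(spec: str) -> List[Tuple[str, str]]:
    """Parse the 'host~port host~port ...' form used by DYNDNS_HOST_OPEN_TCP."""
    entries = []
    for item in spec.split():
        if "~" not in item:
            raise ValueError(f"{item!r}: expected host~port")
        host, port = item.rsplit("~", 1)
        if not host or not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"{item!r}: bad host or port")
        entries.append((host, port))
    return entries


def _tool(addr: str) -> str:
    """iptables for IPv4 literals, ip6tables for IPv6 literals."""
    return "ip6tables" if ipaddress.ip_address(addr).version == 6 else "iptables"


def refresh_rules(entries: List[Tuple[str, str]], state: Dict[str, str],
                  resolve: Resolver, chain: str = "EXT_INPUT_CHAIN"
                  ) -> Tuple[List[str], List[str]]:
    """One update cycle: returns (commands to run, diagnostics).

    state maps hostname -> address the current rule was built for, and is
    updated in place. A hostname that stops resolving keeps its existing
    rule (assumption of this model), so a transient DNS outage does not
    drop the monitoring host; a hostname that has never resolved gets no
    rule at all, which is the 'no output from status | grep' symptom.
    """
    cmds: List[str] = []
    diags: List[str] = []
    for host, port in entries:
        addr = resolve(host)
        if addr is not None:
            try:
                ipaddress.ip_address(addr)  # resolver must hand back a literal
            except ValueError:
                diags.append(f"{host}: resolver returned non-address {addr!r}, ignored")
                addr = None
        old = state.get(host)
        if addr is None:
            diags.append(f"{host}: DNS lookup failed, "
                         + (f"keeping rule for {old}" if old else "no rule installed"))
            continue
        if addr == old:
            continue  # unchanged, nothing to do this cycle
        if old:
            cmds.append(f"{_tool(old)} -D {chain} -s {old} -p tcp --dport {port} -j ACCEPT")
        cmds.append(f"{_tool(addr)} -I {chain} -s {addr} -p tcp --dport {port} -j ACCEPT")
        state[host] = addr
    return cmds, diags


if __name__ == "__main__":
    # Constructed lookup table standing in for DNS (documentation addresses).
    table = {"zabbix.ipcsolutions.com.au": "203.0.113.10"}
    state: Dict[str, str] = {}
    entries = parse_host_open("zabbix.ipcsolutions.com.au~10050")
    for cycle in range(3):
        if cycle == 1:
            table["zabbix.ipcsolutions.com.au"] = "203.0.113.20"  # address moved
        if cycle == 2:
            table.clear()                                         # lookup fails
        cmds, diags = refresh_rules(entries, state, table.get)
        print(f"cycle {cycle}: {cmds or 'no changes'} {diags}")
```

The point worth keeping in mind with any DNS-driven allow rule is that the firewall is only as trustworthy as the answer it gets: a hostname that never resolves produces no rule (the symptom in the thread), and a hostname that resolves to the wrong address produces a rule for whoever controls that answer, so the `host` check Lonnie suggests is a security check as much as a debugging step.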
From: Michael K. <mic...@ip...> - 2019-09-11 07:07:57

Hi Group

I'm trying to get this plugin working and it is just not playing the game at a couple of my sites.

dyndns-host-open.conf

    ENABLED=1
    DYNDNS_UPDATE_TIME=900
    DYNDNS_HOST_OPEN_TCP="zabbix.ipcsolutions.com.au~10050"
    DYNDNS_HOST_OPEN_UDP=""
    DYNDNS_HOST_OPEN_IP=""
    DYNDNS_HOST_OPEN_ICMP=""

At one site, it just won't put in the rule in iptables:

    # arno-iptables-firewall status | grep 10050

No output

At another site it does:

    # arno-iptables-firewall status | grep 10050
    28 1680 ACCEPT tcp -- * * <address hidden> 0.0.0.0/0 tcp dpt:10050
    ACCEPT tcp -- <address hidden> 0.0.0.0/0 tcp dpt:10050

I can go back to putting in an IP Address in the firewall but I will probably be changing the server later and it will be a pain to reconfigure all my sites.
But I'm getting close to giving up on it.

Regards
Michael Knill
From: Lonnie A. <li...@lo...> - 2019-09-09 22:31:48

Hi Michael,

OK, that is best done via custom rules in "/mnt/kd/arno-iptables-firewall/custom-rules".

For this example WireGuard LAN->Local will drop all traffic except SSH.

    -- /mnt/kd/arno-iptables-firewall/custom-rules --
    # Put any custom (iptables) rules here down below:
    ##################################################

    custom_wg_lan_input()
    {
      local wg_if

      wg_if="${WIREGUARD_IF:-wg0}"

      echo "[CUSTOM RULE] Custom WireGuard LAN->Local"
      iptables -A INT_INPUT_CHAIN -i $wg_if -p tcp --dport 22 -j ACCEPT
      iptables -A INT_INPUT_CHAIN -i $wg_if -j DROP
    }
    custom_wg_lan_input
    --

apply changes...

    pbx # arno-iptables-firewall restart

test new rules with...

    pbx # iptables -nvL INT_INPUT_CHAIN
    Chain INT_INPUT_CHAIN (3 references)
     pkts bytes target     prot opt in     out     source               destination
        1    60 ACCEPT     tcp  --  wg0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
        3   180 DROP       all  --  wg0    *       0.0.0.0/0            0.0.0.0/0
    ...

and for IPv6...

    pbx # ip6tables -nvL INT_INPUT_CHAIN
    Chain INT_INPUT_CHAIN (3 references)
     pkts bytes target     prot in     out     source               destination
        0     0 ACCEPT     tcp  wg0    *       ::/0                 ::/0                 tcp dpt:22
        0     0 DROP       all  wg0    *       ::/0                 ::/0
    ...

Since the default LAN->Local policy is ACCEPT we need to use DROP to block all for wg0.

As always, test the firewall rule changes to make sure it works as expected.

Lonnie

> On Sep 9, 2019, at 3:17 PM, Michael Knill <mic...@ip...> wrote:
>
> Hi sorry Lonnie, I didn't explain it well enough.
>
> I want to provide different access to Local from a physical LAN than the wg0 interface.
> For instance I want to open TCP443, my SSH Port and possibly other ports from the physical LAN but open my SSH Port only from wg0.
>
> I could do it based on the Source IP however as there is only Deny LAN->Local rules possible, I'm not sure how I could just open a single port and deny all the rest?
>
> Regards
> Michael Knill
>
> On 9/9/19, 11:05 pm, "Lonnie Abelbeck" <li...@lo...> wrote:
>
> I don't understand what you are asking, but the default isolated wg0 interface can be allowed to access physical LAN interfaces with:
>
> _x_ Allow WireGuard VPN tunnel to the [ 1st ] LAN Interface(s)
>
> And LANs can access Local by default.
>
> Lonnie
>
>> On Sep 8, 2019, at 10:57 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Thanks Lonnie.
>>
>> Just wondering how I could use Deny LAN->Local when I actually want to allow onsite local LAN traffic to access the system admin interface?
>> I really need a Pass LAN->Local to do this!
>>
>> Regards
>> Michael Knill
>>
>> On 9/9/19, 1:11 pm, "Lonnie Abelbeck" <li...@lo...> wrote:
>>
>>> On Sep 8, 2019, at 8:46 PM, Michael Knill <mic...@ip...> wrote:
>>>
>>> Hi Group
>>>
>>> I am seeing lots of hacking attempts on my systems as they have found my non standard SSH port. Although there is no issue as I have SSH Key access only, I'm sick of the long list of addresses in the Adaptive Ban list and I'm thinking I should be adding another line of defence in my security anyway.
>>> As such, along with implementing Geoblocking Netset files (next release), I also want to use a Jump box for management. This server would connect to each system via Wireguard VPN allowing management also when in a failover condition through NAT e.g. 4G backup, firewall managed by others.
>>>
>>> With this architecture in mind, I was wondering how I would go about restricting access to a single port only from this Wireguard VPN tunnel to the local interface e.g. wg0 address. I think it is completely open currently.
>>>
>>> Is it easy to do?
>>>
>>> Regards
>>> Michael Knill
>>
>> If SSH access can only occur within a WireGuard tunnel, no port filtering is required since access is secured by WireGuard.
>>
>> As such, only allow remote user access to the management VPN via a WireGuard tunnel.
>>
>> But, if you want to filter SSH from wg0 to the local device by source IP address, try
>>
>> Firewall Rules:
>> Action: [ Deny LAN->Local ]
>>
>> keeping in mind that the wg0 interface is treated as an isolated LAN subnet from any other LAN subnet.
>>
>> Lonnie
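"Test the firewall rule changes" can be done mechanically rather than by eye. The script below is an added example, not part of AstLinux or arno-iptables-firewall: it parses the text of `iptables -nvL INT_INPUT_CHAIN` / `ip6tables -nvL INT_INPUT_CHAIN` (the listings embedded here are constructed to match the ones in the message, plus a constructed bad one) and reports every ACCEPT reachable from wg0 that is not TCP to an allowed port, and the absence of a catch-all DROP. Rules whose `in` column is `*` match wg0 as well, so an ACCEPT that sits earlier in the chain for any interface is reported too, which is the case the appended `-A` rules cannot override.

```python
"""Audit an iptables/ip6tables chain listing for an interface's allow policy.

Added example, not AstLinux or arno-iptables-firewall code. Input is the
text of 'iptables -nvL CHAIN' or 'ip6tables -nvL CHAIN'; the listings below
are constructed to match the ones shown in the message.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Rule:
    target: str
    proto: str
    in_if: str
    out_if: str
    src: str
    dst: str
    extra: str   # trailing match text such as "tcp dpt:22"


def parse_chain(listing: str) -> List[Rule]:
    """Parse -nvL output. The 'opt' column is present in the IPv4 listing and
    absent in the IPv6 listing shown in the thread, so it is detected, not assumed."""
    rules: List[Rule] = []
    for line in listing.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("Chain", "pkts"):
            continue                      # chain header or column header
        tokens = tokens[2:]               # drop pkts and bytes counters
        if len(tokens) > 2 and tokens[2].startswith("-"):
            del tokens[2]                 # opt column ("--")
        if len(tokens) < 6:
            continue                      # not a rule line
        target, proto, in_if, out_if, src, dst = tokens[:6]
        rules.append(Rule(target, proto, in_if, out_if, src, dst, " ".join(tokens[6:])))
    return rules


def dport(rule: Rule) -> Optional[int]:
    m = re.search(r"dpt:(\d+)", rule.extra)
    return int(m.group(1)) if m else None


def audit_interface(rules: List[Rule], iface: str, allowed_tcp: Set[int]) -> List[str]:
    """Findings for traffic arriving on iface; an empty list means the policy holds.

    Policy: every reachable ACCEPT is TCP to a port in allowed_tcp, and the
    walk ends at an unconditional DROP. Rules with in='*' match any interface,
    so a broad ACCEPT earlier in the chain is reported as well.
    """
    findings: List[str] = []
    for r in rules:
        if r.in_if not in (iface, "*"):
            continue
        if r.target == "ACCEPT":
            p = dport(r)
            if r.proto != "tcp" or p is None or p not in allowed_tcp:
                findings.append(
                    (f"ACCEPT wider than policy: in={r.in_if} proto={r.proto} {r.extra}").rstrip())
        elif r.target == "DROP" and r.proto == "all" and not r.extra:
            return findings               # later rules are unreachable from iface
    findings.append(f"no catch-all DROP for {iface}; the chain's remaining rules and policy apply")
    return findings


IPV4_LISTING = """\
Chain INT_INPUT_CHAIN (3 references)
 pkts bytes target     prot opt in     out     source               destination
    1    60 ACCEPT     tcp  --  wg0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    3   180 DROP       all  --  wg0    *       0.0.0.0/0            0.0.0.0/0
"""

IPV6_LISTING = """\
Chain INT_INPUT_CHAIN (3 references)
 pkts bytes target     prot in     out     source               destination
    0     0 ACCEPT     tcp  wg0    *       ::/0                 ::/0                 tcp dpt:22
    0     0 DROP       all  wg0    *       ::/0                 ::/0
"""

# Constructed counter-example: a broad ACCEPT ahead of the wg0 rules and no DROP.
BAD_LISTING = """\
Chain INT_INPUT_CHAIN (3 references)
 pkts bytes target     prot opt in     out     source               destination
   10   600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    1    60 ACCEPT     tcp  --  wg0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
"""

if __name__ == "__main__":
    for name, text in (("ipv4", IPV4_LISTING), ("ipv6", IPV6_LISTING), ("bad", BAD_LISTING)):
        print(name, audit_interface(parse_chain(text), "wg0", {22}) or "OK")
```

On a live box the listing would come from `iptables -nvL INT_INPUT_CHAIN` and `ip6tables -nvL INT_INPUT_CHAIN`; running both through the audit after every restart catches the two ways the intended policy silently fails, an ACCEPT placed ahead of the appended rules and a missing final DROP.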
From: Michael K. <mic...@ip...> - 2019-09-09 20:17:24

Hi sorry Lonnie, I didn't explain it well enough.

I want to provide different access to Local from a physical LAN than the wg0 interface.
For instance I want to open TCP443, my SSH Port and possibly other ports from the physical LAN but open my SSH Port only from wg0.

I could do it based on the Source IP however as there is only Deny LAN->Local rules possible, I'm not sure how I could just open a single port and deny all the rest?

Regards
Michael Knill

On 9/9/19, 11:05 pm, "Lonnie Abelbeck" <li...@lo...> wrote:

I don't understand what you are asking, but the default isolated wg0 interface can be allowed to access physical LAN interfaces with:

_x_ Allow WireGuard VPN tunnel to the [ 1st ] LAN Interface(s)

And LANs can access Local by default.

Lonnie

> On Sep 8, 2019, at 10:57 PM, Michael Knill <mic...@ip...> wrote:
>
> Thanks Lonnie.
>
> Just wondering how I could use Deny LAN->Local when I actually want to allow onsite local LAN traffic to access the system admin interface?
> I really need a Pass LAN->Local to do this!
>
> Regards
> Michael Knill
>
> On 9/9/19, 1:11 pm, "Lonnie Abelbeck" <li...@lo...> wrote:
>
>> On Sep 8, 2019, at 8:46 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Hi Group
>>
>> I am seeing lots of hacking attempts on my systems as they have found my non standard SSH port. Although there is no issue as I have SSH Key access only, I'm sick of the long list of addresses in the Adaptive Ban list and I'm thinking I should be adding another line of defence in my security anyway.
>> As such, along with implementing Geoblocking Netset files (next release), I also want to use a Jump box for management. This server would connect to each system via Wireguard VPN allowing management also when in a failover condition through NAT e.g. 4G backup, firewall managed by others.
>>
>> With this architecture in mind, I was wondering how I would go about restricting access to a single port only from this Wireguard VPN tunnel to the local interface e.g. wg0 address. I think it is completely open currently.
>>
>> Is it easy to do?
>>
>> Regards
>> Michael Knill
>
> If SSH access can only occur within a WireGuard tunnel, no port filtering is required since access is secured by WireGuard.
>
> As such, only allow remote user access to the management VPN via a WireGuard tunnel.
>
> But, if you want to filter SSH from wg0 to the local device by source IP address, try
>
> Firewall Rules:
> Action: [ Deny LAN->Local ]
>
> keeping in mind that the wg0 interface is treated as an isolated LAN subnet from any other LAN subnet.
>
> Lonnie
From: Lonnie A. <li...@lo...> - 2019-09-09 13:04:46

I don't understand what you are asking, but the default isolated wg0 interface can be allowed to access physical LAN interfaces with:

_x_ Allow WireGuard VPN tunnel to the [ 1st ] LAN Interface(s)

And LANs can access Local by default.

Lonnie

> On Sep 8, 2019, at 10:57 PM, Michael Knill <mic...@ip...> wrote:
>
> Thanks Lonnie.
>
> Just wondering how I could use Deny LAN->Local when I actually want to allow onsite local LAN traffic to access the system admin interface?
> I really need a Pass LAN->Local to do this!
>
> Regards
> Michael Knill
>
> On 9/9/19, 1:11 pm, "Lonnie Abelbeck" <li...@lo...> wrote:
>
>> On Sep 8, 2019, at 8:46 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Hi Group
>>
>> I am seeing lots of hacking attempts on my systems as they have found my non standard SSH port. Although there is no issue as I have SSH Key access only, I'm sick of the long list of addresses in the Adaptive Ban list and I'm thinking I should be adding another line of defence in my security anyway.
>> As such, along with implementing Geoblocking Netset files (next release), I also want to use a Jump box for management. This server would connect to each system via Wireguard VPN allowing management also when in a failover condition through NAT e.g. 4G backup, firewall managed by others.
>>
>> With this architecture in mind, I was wondering how I would go about restricting access to a single port only from this Wireguard VPN tunnel to the local interface e.g. wg0 address. I think it is completely open currently.
>>
>> Is it easy to do?
>>
>> Regards
>> Michael Knill
>
> If SSH access can only occur within a WireGuard tunnel, no port filtering is required since access is secured by WireGuard.
>
> As such, only allow remote user access to the management VPN via a WireGuard tunnel.
>
> But, if you want to filter SSH from wg0 to the local device by source IP address, try
>
> Firewall Rules:
> Action: [ Deny LAN->Local ]
>
> keeping in mind that the wg0 interface is treated as an isolated LAN subnet from any other LAN subnet.
>
> Lonnie
From: Michael K. <mic...@ip...> - 2019-09-09 03:58:12

Thanks Lonnie.

Just wondering how I could use Deny LAN->Local when I actually want to allow onsite local LAN traffic to access the system admin interface?
I really need a Pass LAN->Local to do this!

Regards
Michael Knill

On 9/9/19, 1:11 pm, "Lonnie Abelbeck" <li...@lo...> wrote:

> On Sep 8, 2019, at 8:46 PM, Michael Knill <mic...@ip...> wrote:
>
> Hi Group
>
> I am seeing lots of hacking attempts on my systems as they have found my non standard SSH port. Although there is no issue as I have SSH Key access only, I'm sick of the long list of addresses in the Adaptive Ban list and I'm thinking I should be adding another line of defence in my security anyway.
> As such, along with implementing Geoblocking Netset files (next release), I also want to use a Jump box for management. This server would connect to each system via Wireguard VPN allowing management also when in a failover condition through NAT e.g. 4G backup, firewall managed by others.
>
> With this architecture in mind, I was wondering how I would go about restricting access to a single port only from this Wireguard VPN tunnel to the local interface e.g. wg0 address. I think it is completely open currently.
>
> Is it easy to do?
>
> Regards
> Michael Knill

If SSH access can only occur within a WireGuard tunnel, no port filtering is required since access is secured by WireGuard.

As such, only allow remote user access to the management VPN via a WireGuard tunnel.

But, if you want to filter SSH from wg0 to the local device by source IP address, try

Firewall Rules:
Action: [ Deny LAN->Local ]

keeping in mind that the wg0 interface is treated as an isolated LAN subnet from any other LAN subnet.

Lonnie
From: Lonnie A. <li...@lo...> - 2019-09-09 03:10:47

> On Sep 8, 2019, at 8:46 PM, Michael Knill <mic...@ip...> wrote:
>
> Hi Group
>
> I am seeing lots of hacking attempts on my systems as they have found my non standard SSH port. Although there is no issue as I have SSH Key access only, I'm sick of the long list of addresses in the Adaptive Ban list and I'm thinking I should be adding another line of defence in my security anyway.
> As such, along with implementing Geoblocking Netset files (next release), I also want to use a Jump box for management. This server would connect to each system via Wireguard VPN allowing management also when in a failover condition through NAT e.g. 4G backup, firewall managed by others.
>
> With this architecture in mind, I was wondering how I would go about restricting access to a single port only from this Wireguard VPN tunnel to the local interface e.g. wg0 address. I think it is completely open currently.
>
> Is it easy to do?
>
> Regards
> Michael Knill

If SSH access can only occur within a WireGuard tunnel, no port filtering is required since access is secured by WireGuard.

As such, only allow remote user access to the management VPN via a WireGuard tunnel.

But, if you want to filter SSH from wg0 to the local device by source IP address, try

Firewall Rules:
Action: [ Deny LAN->Local ]

keeping in mind that the wg0 interface is treated as an isolated LAN subnet from any other LAN subnet.

Lonnie
From: Michael K. <mic...@ip...> - 2019-09-09 01:47:02

Hi Group

I am seeing lots of hacking attempts on my systems as they have found my non standard SSH port. Although there is no issue as I have SSH Key access only, I'm sick of the long list of addresses in the Adaptive Ban list and I'm thinking I should be adding another line of defence in my security anyway.
As such, along with implementing Geoblocking Netset files (next release), I also want to use a Jump box for management. This server would connect to each system via Wireguard VPN allowing management also when in a failover condition through NAT e.g. 4G backup, firewall managed by others.

With this architecture in mind, I was wondering how I would go about restricting access to a single port only from this Wireguard VPN tunnel to the local interface e.g. wg0 address. I think it is completely open currently.

Is it easy to do?

Regards
Michael Knill
From: Michael K. <mic...@ip...> - 2019-09-07 23:02:42

Thanks Lonnie for the info. Very helpful.

I'm a big fan too which is why I asked the question. After weighing up the pros and cons, I think that I'm going to start using it.

I'm not concerned from a security perspective as it's all unclassified traffic anyway already running over the public internet. And I have done enough testing that I feel quite comfortable with its stability.
The worst case scenario is that if I do have problems, I just need to move the sites over to another VPN technology which would not affect the overall architecture of the solution very much.

Thanks all.

Regards
Michael Knill

On 8/9/19, 12:01 am, "Lonnie Abelbeck" <li...@lo...> wrote:

> On Sep 7, 2019, at 3:25 AM, Michael Knill <mic...@ip...> wrote:
>
> Hi Group
>
> In previous discussions I hinted at wanting to build a full telephony network with softswitch and with our significant growth in the last couple of months, I believe the time has come to kick it off.
> The problem is that although I have had zero issues with Wireguard and it's perfect for what I need, it's not classified as stable and I'm just concerned about using it in production (even though I already am!). OpenVPN is nice and stable but the failover time is just not as good and it's a dog to set up.
>
> So just wondering what other people think?
> I'm looking at 100+ sites terminating onto a Softswitch.
>
> Regards
> Michael Knill

As you know I'm a big fan of WireGuard, and in fact is the only VPN I use anymore, but I will not suggest to make such an important design decision for your business, only my opinion.

Here is the current status on the various WireGuard repos:
https://www.wireguard.com/repositories/

The Linux kernel repo is noted as "Complete" (completes its goal mostly and is actively maintained).

From what I read [1], WireGuard would be in the mainline Linux Kernel by now if it weren't for the internal squabbling on how to organize a new "zinc" crypto library WireGuard uses which supersedes some older crypto libraries in the kernel. If not for that, the WireGuard tunnel part would have been in the Linux kernel (officially) for some time now. Hopefully the crypto squabbling will get resolved soon. Linus likes WireGuard.

WireGuard, OpenVPN and IPsec/NAT-Traversal all provide a VPN tunnel over UDP, but the simplicity and efficiency of WireGuard in the Linux kernel stands out over the others.

But, also keep in mind that AstLinux's seamless "WireGuard Reload" for adding/removing/updating peers is in Jason's repo [2], but has not yet been merged to WG's master (AstLinux includes it as a patch [3]) ... though this is only a tweak to the "wg" tool and not to the kernel module.

Lonnie

[1] https://lkml.org/lkml/2019/3/25/443
[2] https://git.zx2c4.com/WireGuard/commit/?h=jd/syncconf
[3] https://github.com/astlinux-project/astlinux/blob/master/package/wireguard/wireguard-0900-syncconf.patch
From: The C. K. <eld...@ya...> - 2019-09-07 14:40:41

We have kept it simple in that regard. We use IPSEC tunnels from our linked sites to the Host for Hosted systems and L2TP client to the site for prem systems where they have remote teleworkers (the remote teleworker receives a MikroTik router) which connects to the site.

NAT issues aren't an issue on asterisk as long as we add the localnet for each of the tunnels.

I haven't yet tried wireguard. I've been reading about it... I need to give it a whirl.

-Christopher

On Saturday, September 7, 2019, 10:01:44 AM EDT, Lonnie Abelbeck <li...@lo...> wrote:

> On Sep 7, 2019, at 3:25 AM, Michael Knill <mic...@ip...> wrote:
>
> Hi Group
>
> In previous discussions I hinted at wanting to build a full telephony network with softswitch and with our significant growth in the last couple of months, I believe the time has come to kick it off.
> The problem is that although I have had zero issues with Wireguard and it's perfect for what I need, it's not classified as stable and I'm just concerned about using it in production (even though I already am!). OpenVPN is nice and stable but the failover time is just not as good and it's a dog to set up.
>
> So just wondering what other people think?
> I'm looking at 100+ sites terminating onto a Softswitch.
>
> Regards
> Michael Knill

As you know I'm a big fan of WireGuard, and in fact is the only VPN I use anymore, but I will not suggest to make such an important design decision for your business, only my opinion.

Here is the current status on the various WireGuard repos:
https://www.wireguard.com/repositories/

The Linux kernel repo is noted as "Complete" (completes its goal mostly and is actively maintained).

From what I read [1], WireGuard would be in the mainline Linux Kernel by now if it weren't for the internal squabbling on how to organize a new "zinc" crypto library WireGuard uses which supersedes some older crypto libraries in the kernel. If not for that, the WireGuard tunnel part would have been in the Linux kernel (officially) for some time now. Hopefully the crypto squabbling will get resolved soon. Linus likes WireGuard.

WireGuard, OpenVPN and IPsec/NAT-Traversal all provide a VPN tunnel over UDP, but the simplicity and efficiency of WireGuard in the Linux kernel stands out over the others.

But, also keep in mind that AstLinux's seamless "WireGuard Reload" for adding/removing/updating peers is in Jason's repo [2], but has not yet been merged to WG's master (AstLinux includes it as a patch [3]) ... though this is only a tweak to the "wg" tool and not to the kernel module.

Lonnie

[1] https://lkml.org/lkml/2019/3/25/443
[2] https://git.zx2c4.com/WireGuard/commit/?h=jd/syncconf
[3] https://github.com/astlinux-project/astlinux/blob/master/package/wireguard/wireguard-0900-syncconf.patch
From: Lonnie A. <li...@lo...> - 2019-09-07 14:01:21

> On Sep 7, 2019, at 3:25 AM, Michael Knill <mic...@ip...> wrote:
>
> Hi Group
>
> In previous discussions I hinted at wanting to build a full telephony network with softswitch and with our significant growth in the last couple of months, I believe the time has come to kick it off.
> The problem is that although I have had zero issues with Wireguard and it's perfect for what I need, it's not classified as stable and I'm just concerned about using it in production (even though I already am!). OpenVPN is nice and stable but the failover time is just not as good and it's a dog to set up.
>
> So just wondering what other people think?
> I'm looking at 100+ sites terminating onto a Softswitch.
>
> Regards
> Michael Knill

As you know I'm a big fan of WireGuard, and in fact is the only VPN I use anymore, but I will not suggest to make such an important design decision for your business, only my opinion.

Here is the current status on the various WireGuard repos:
https://www.wireguard.com/repositories/

The Linux kernel repo is noted as "Complete" (completes its goal mostly and is actively maintained).

From what I read [1], WireGuard would be in the mainline Linux Kernel by now if it weren't for the internal squabbling on how to organize a new "zinc" crypto library WireGuard uses which supersedes some older crypto libraries in the kernel. If not for that, the WireGuard tunnel part would have been in the Linux kernel (officially) for some time now. Hopefully the crypto squabbling will get resolved soon. Linus likes WireGuard.

WireGuard, OpenVPN and IPsec/NAT-Traversal all provide a VPN tunnel over UDP, but the simplicity and efficiency of WireGuard in the Linux kernel stands out over the others.

But, also keep in mind that AstLinux's seamless "WireGuard Reload" for adding/removing/updating peers is in Jason's repo [2], but has not yet been merged to WG's master (AstLinux includes it as a patch [3]) ... though this is only a tweak to the "wg" tool and not to the kernel module.

Lonnie

[1] https://lkml.org/lkml/2019/3/25/443
[2] https://git.zx2c4.com/WireGuard/commit/?h=jd/syncconf
[3] https://github.com/astlinux-project/astlinux/blob/master/package/wireguard/wireguard-0900-syncconf.patch
From: Michael K. <mic...@ip...> - 2019-09-07 08:26:03

Hi Group

In previous discussions I hinted at wanting to build a full telephony network with softswitch and with our significant growth in the last couple of months, I believe the time has come to kick it off.
The problem is that although I have had zero issues with Wireguard and it's perfect for what I need, it's not classified as stable and I'm just concerned about using it in production (even though I already am!). OpenVPN is nice and stable but the failover time is just not as good and it's a dog to set up.

So just wondering what other people think?
I'm looking at 100+ sites terminating onto a Softswitch.

Regards
Michael Knill
From: David K. <da...@ke...> - 2019-09-01 23:27:02

So I did a quick search and it seems like my first use of Astlinux dates to around 2008. I also started with a PC Engines WRAP board.

I must credit Astlinux for keeping me from getting rusty, having moved into a management role I did less and less programming work. I learned Bash, Perl, PHP, iptables, CSS, the many intricacies of Linux and in recent times github all on the back of my interest in Astlinux so I am very grateful to the support everyone in the Astlinux community provides.

All I do with it is "run my household" but I simply cannot imagine going back to an off-the-shelf network gateway.

My thanks and congratulations to all.

David

On Sun, Sep 1, 2019 at 4:13 PM Michael Knill <mic...@ip...> wrote:

> Happy birthday Astlinux!
>
> I started with Astlinux on a PC Engines WRAP in 2006 I believe using 0.4 (I found a post).
>
> I moved away from Astlinux for a little while but saw the error of my ways and now it's the core of my business.
>
> Regards
> Michael Knill
>
> From: Lonnie Abelbeck <li...@lo...>
> Reply to: AstLinux List <ast...@li...>
> Date: Monday, 2 September 2019 at 1:40 am
> To: AstLinux List <ast...@li...>
> Subject: [Astlinux-users] AstLinux is 15 years old!
>
> Happy Birthday to AstLinux, which is 15 years old this month!
>
> AstLinux History:
> https://www.astlinux-project.org/about.html
>
> Personally I started using AstLinux 0.2.x about 6 months later, Darrick Hartman jumped in around the same time.
>
> My first AstLinux hardware was a Soekris net4801 (233 Mhz i586, 128 MB RAM) using a SIP/IAX VoIP provider.
>
> I still have my net4801, so for giggles I tried the latest development (pre-1.3.7) AstLinux (geni586-serial) ... It still works! Albeit slow at times :-)
>
> Thanks to the "Wayback Machine" (COX website) this was my 'High Speed Internet' in September 2004 ...
>
> [attached image]
>
> :-)
>
> Lonnie
From: Michael K. <mic...@ip...> - 2019-09-01 20:12:56
Happy birthday Astlinux!

I started with Astlinux on a PC Engines WRAP in 2006 I believe using 0.4 (I found a post).

I moved away from Astlinux for a little while but saw the error of my ways and now it's the core of my business.

Regards
Michael Knill

From: Lonnie Abelbeck <li...@lo...>
Reply to: AstLinux List <ast...@li...>
Date: Monday, 2 September 2019 at 1:40 am
To: AstLinux List <ast...@li...>
Subject: [Astlinux-users] AstLinux is 15 years old!

Happy Birthday to AstLinux, which is 15 years old this month!

AstLinux History:
https://www.astlinux-project.org/about.html

Personally I started using AstLinux 0.2.x about 6 months later, Darrick Hartman jumped in around the same time.

My first AstLinux hardware was a Soekris net4801 (233 MHz i586, 128 MB RAM) using a SIP/IAX VoIP provider.

I still have my net4801, so for giggles I tried the latest development (pre-1.3.7) AstLinux (geni586-serial) ... It still works! Albeit slow at times :-)

Thanks to the "Wayback Machine" (COX website) this was my 'High Speed Internet' in September 2004 ...

:-)

Lonnie
From: Michael K. <li...@mk...> - 2019-09-01 16:22:21
> On 01.09.2019 at 17:40, Lonnie Abelbeck <li...@lo...> wrote:
>
> Happy Birthday to AstLinux, which is 15 years old this month!
>
> AstLinux History:
> https://www.astlinux-project.org/about.html
>
> Personally I started using AstLinux 0.2.x about 6 months later, Darrick Hartman jumped in around the same time.
>
> My first AstLinux hardware was a Soekris net4801 (233 MHz i586, 128 MB RAM) using a SIP/IAX VoIP provider.
>
> I still have my net4801, so for giggles I tried the latest development (pre-1.3.7) AstLinux (geni586-serial) ... It still works! Albeit slow at times :-)
>
> Thanks to the "Wayback Machine" (COX website) this was my 'High Speed Internet' in September 2004 ...
>
> :-)
>
> Lonnie

This is a nice birthday. How time flies.

I think I started with AstLinux 0.4.5 in April 2007, also with a Soekris net4801 with an ISDN PCI card.

Michael

http://www.mksolutions.info
From: The C. K. <eld...@ya...> - 2019-09-01 16:12:55
I think I started using astlinux somewhere around the 0.28 or so builds.. it was real close to the beginning.. I had played with asterisk since about 02 or 03 around there.. my first astlinux was on a Net4801 board also.. that board later became a MikroTik Router in my office until its flash-card bit the dust, defaulted the router and the LAN port Proxy-ARPed every device...

I used astlinux extensively through about 2010 then forked off into a "beat-up" minimal centos distro on NET5501, later APU, and full servers and VMs.. so I could use some packages I couldn't get to compile at the time on astlinux.. I still love it and like to mess around with it.. astlinux is a joy to use now for sure.. though I won't switch my business back to it just because of the curve to do so..

totally weird how this comes up and a failed flash card in a production NET5501 is the project of the holiday weekend.. a site went down.. that box is about 7 years old...

congrats to the designers and maintainers of astlinux as it really is the best go-to small platform asterisk specific distro..

On Sunday, September 1, 2019, 11:40:41 AM EDT, Lonnie Abelbeck <li...@lo...> wrote:

Happy Birthday to AstLinux, which is 15 years old this month!

AstLinux History:
https://www.astlinux-project.org/about.html

Personally I started using AstLinux 0.2.x about 6 months later, Darrick Hartman jumped in around the same time.

My first AstLinux hardware was a Soekris net4801 (233 MHz i586, 128 MB RAM) using a SIP/IAX VoIP provider.

I still have my net4801, so for giggles I tried the latest development (pre-1.3.7) AstLinux (geni586-serial) ... It still works! Albeit slow at times :-)

Thanks to the "Wayback Machine" (COX website) this was my 'High Speed Internet' in September 2004 ...

:-)

Lonnie
From: Lonnie A. <li...@lo...> - 2019-09-01 15:40:16
Happy Birthday to AstLinux, which is 15 years old this month!

AstLinux History:
https://www.astlinux-project.org/about.html

Personally I started using AstLinux 0.2.x about 6 months later, Darrick Hartman jumped in around the same time.

My first AstLinux hardware was a Soekris net4801 (233 MHz i586, 128 MB RAM) using a SIP/IAX VoIP provider.

I still have my net4801, so for giggles I tried the latest development (pre-1.3.7) AstLinux (geni586-serial) ... It still works! Albeit slow at times :-)

Thanks to the "Wayback Machine" (COX website) this was my 'High Speed Internet' in September 2004 ...

:-)

Lonnie
From: Lonnie A. <li...@lo...> - 2019-08-26 15:08:59
Announcing Pre-Release Version: astlinux-1.3-4333-55ad13

The AstLinux Team is regularly upgrading packages containing security and bug fixes as well as adding new features of our own.

-- Asterisk 13.23.1 ('13se' version)
   Older than latest Asterisk 13.x version but more tested, built --without-pjproject
   Add json-integer-overflow patches.
   Add security patches for: AST-2019-002, AST-2019-003

-- Asterisk 13.28.0 (version bump) and 16.5.0 (version bump)
   New modules: app_attended_transfer.so, app_blind_transfer.so

-- OpenSSL, major version bump to 1.1.1c, the new LTS series.
   The previous 1.0.2 LTS series is EOL at the end of 2019.
   Many packages needed version bumps or patches to be compatible with the new OpenSSL 1.1 API.

-- php, major version bump to 7.2.21, adds OpenSSL 1.1 compatibility

-- Web Interface Edit tab, add support for CodeMirror text editing.
   (Tip: Shift-Reload browser to get the updated CSS style sheet)

   Keyboard Actions: (after clicking text edit area)
   Note: Windows users, use Ctrl instead of Cmd

   Cmd-f -> Find
   Cmd-g -> Find Next
   Cmd-/ -> Toggle Comment
   Cmd-. -> Toggle Comment
   Tab   -> Toggle between "fullscreen" (full-window) mode and normal
   Esc   -> Return to normal, "fullscreen" (full-window) mode off

   More info: https://doc.astlinux-project.org/userdoc:tt_web_interface_edit_codemirror_key_map

-- Fossil, major version bump to 2.9, adds numerous enhancements to the look and feel of the web interface

-- arnofw (AIF), reload-blocklist-netset cron script, add new netset types
   asterisk: Aggregate multiple Asterisk/SIP/VoIP blacklists, including blocklist_de_sip.
   custom: Use variable BLOCKLIST_CUSTOM_URLS containing one or more (space/newline separated) URLs.
   customv6: Use variable BLOCKLIST_CUSTOMV6_URLS containing one or more (space/newline separated) URLs.

   More info: https://doc.astlinux-project.org/userdoc:tt_firewall_external_block_list#updating_netset_blocklists

-- iprange, version 1.0.4, new command, a tool capable of managing sets of IPs

-- WireGuard VPN, version bump to 0.0.20190702

-- Complete Pre-Release ChangeLog:
   https://s3.amazonaws.com/beta.astlinux-project/astlinux-changelog/ChangeLog.txt

New Documentation Topics:

Edit tab w/CodeMirror Keyboard Mapping
- https://doc.astlinux-project.org/userdoc:tt_web_interface_edit_codemirror_key_map

Updated Documentation Topics:

Firewall External Block List
- https://doc.astlinux-project.org/userdoc:tt_firewall_external_block_list#updating_netset_blocklists

Web Interface Display Font
- https://doc.astlinux-project.org/userdoc:tt_web_interface_font

The "AstLinux Pre-Release ChangeLog" and "Pre-Release Repository URL" entries can be found under the "Development" tab of the AstLinux Project web site ...

AstLinux Project -> Development
https://www.astlinux-project.org/dev.html

"Development" tab feature for desktop browsers:
Guest VM x86-64bit ISO: Download Pre-Release Guest VM Install ISO (Video Console)

AstLinux Team
From: Lonnie A. <li...@lo...> - 2019-08-23 16:08:58
> On Aug 23, 2019, at 10:53 AM, David Kerr <Da...@Ke...> wrote:
>
> Question on the UPS monitoring host. Can multiple remote devices login to the upsmon? I ask because the web interface lets me specify a single username/password, so do all devices login with the same uid/pw or do I need to edit a config file to add additional uid/pw for each device?
>
> Thanks
> David

Yes, multiple remote devices can login via upsmon to upsd, (I personally do that)

-- server --
# upsc -c ups
10.10.50.62
10.10.10.16
::1
--

As we have it set up, you would share a common UPS Username: / UPS Password: defined on the server web interface.

Network UPS Server: [enabled] on the server.

Lonnie
From: David K. <da...@ke...> - 2019-08-23 15:54:00
Question on the UPS monitoring host. Can multiple remote devices login to the upsmon? I ask because the web interface lets me specify a single username/password, so do all devices login with the same uid/pw or do I need to edit a config file to add additional uid/pw for each device?

Thanks
David
From: Michael K. <mic...@ip...> - 2019-08-21 03:17:32
Great that should make it very easy then to create both blacklists and whitelists. Just need a way to get access to all the country lists.

Thanks

Regards
Michael Knill

On 21/8/19, 11:40 am, "Lonnie Abelbeck" <li...@lo...> wrote:

Just to help document iprange ...

Below was an example where a.netset is manually created:

pbx4 ~ # iprange -v a.netset --exclude-next test.netset > block-all-except.netset

This is an alternate way to use stdin and a - (minus) as a placeholder

pbx4 ~ # echo "0.0.0.0/0" | iprange -v - --exclude-next test.netset > block-all-except.netset
--
iprange: Loading from stdin
iprange: Loaded optimized stdin
iprange: Loading from test.netset
iprange: Loaded optimized test.netset
iprange: Removing IPs in test.netset from stdin
iprange: Printing stdin with 5 ranges, 4294967292 unique IPs
--
and you can have multiple "--exclude-next fileN.netset" to subtract additional netsets.

A very powerful tool.

So, when the final result is used as a block-all-except.netset blocklist, the subtracted IP's will be not blocked, all the rest will be blocked.

Lonnie

> On Aug 20, 2019, at 3:57 PM, Lonnie Abelbeck <li...@lo...> wrote:
>
> On Aug 20, 2019, at 2:57 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Thanks Lonnie. I'm learning __
>>
>> I noticed in the doco that you can 'match incoming and/or outgoing' traffic but I couldn't see where you actually specify this e.g. I just want incoming for instance
>> Just wondering if I am missing something?
>
> I don't think we have a web interface toggle for that, in your user.conf you can set:
> --
> BLOCK_HOSTS_BIDIRECTIONAL=0
> --
> and the AIF block hosts (Block All Traffic by Host/CIDR:) will only block on incoming. (be sure to test)
>
> But be careful, you then eliminate all outbound (Block All Traffic by Host/CIDR:) AIF block hosts filtering. If you can block one ransomware URL in an email, that is a feature best not turned off.
>
> And before you ask, no, there is no separate set of .netset files for outgoing and incoming :-)
>
> BTW, I have been playing with the "iprange" command, it is only 40 KB ... I'm thinking it is AstLinux worthy. I know Michael Keuter has suggested looking into it some time ago. So I now have...
>
> pbx4 ~ # cat > dns-in
> www.astlinux-project.org
>
> ==> The input is very flexible, here DNS is used to obtain the IPs... (using pthreads for parallel lookups 5x by default).
>
> pbx4 ~ # iprange dns-in > test.netset
> pbx4 ~ # cat test.netset
> 185.199.108.153
> 185.199.109.153
> 185.199.110.153
> 185.199.111.153
>
> ==> I manually created this file...
>
> pbx4 ~ # cat a.netset
> 0.0.0.0/1
> 128.0.0.0/1
>
> ==> just checking...
>
> pbx4 ~ # iprange a.netset
> 0.0.0.0/0
>
> ==> Like the original question, generate a blocklist which is test.netset subtracted from a.netset
> ==> In other words, the result will be a .netset blocking all except "www.astlinux-project.org"...
>
> pbx4 ~ # iprange -v a.netset --exclude-next test.netset > block-all-except.netset
> iprange: Loading from a.netset
> iprange: Loaded optimized a.netset
> iprange: Loading from test.netset
> iprange: Loaded optimized test.netset
> iprange: Removing IPs in test.netset from a.netset
> iprange: Printing a.netset with 5 ranges, 4294967292 unique IPs
>
> 54 printed CIDRs, break down by prefix:
> - prefix /1 counts 1 entries
> - prefix /2 counts 1 entries
> - prefix /3 counts 1 entries
> - prefix /4 counts 1 entries
> - prefix /5 counts 1 entries
> - prefix /6 counts 1 entries
> - prefix /7 counts 1 entries
> - prefix /8 counts 1 entries
> - prefix /9 counts 1 entries
> - prefix /10 counts 1 entries
> - prefix /11 counts 1 entries
> - prefix /12 counts 1 entries
> - prefix /13 counts 1 entries
> - prefix /14 counts 1 entries
> - prefix /15 counts 1 entries
> - prefix /16 counts 1 entries
> - prefix /17 counts 1 entries
> - prefix /18 counts 1 entries
> - prefix /19 counts 1 entries
> - prefix /20 counts 1 entries
> - prefix /21 counts 1 entries
> - prefix /22 counts 1 entries
> - prefix /25 counts 4 entries
> - prefix /26 counts 4 entries
> - prefix /27 counts 4 entries
> - prefix /28 counts 4 entries
> - prefix /29 counts 4 entries
> - prefix /30 counts 4 entries
> - prefix /31 counts 4 entries
> - prefix /32 counts 4 entries
>
> totals: 6 lines read, 5 distinct IP ranges found, 30 CIDR prefixes, 54 CIDRs printed, 4294967292 unique IPs
> completed in 0.00189 seconds (read 0.00075 + think 0.00004 + speak 0.00111)
>
> pbx4 ~ # cat block-all-except.netset
> 0.0.0.0/1
> 128.0.0.0/3
> 160.0.0.0/4
> 176.0.0.0/5
> 184.0.0.0/8
> 185.0.0.0/9
> 185.128.0.0/10
> 185.192.0.0/14
> 185.196.0.0/15
> 185.198.0.0/16
> 185.199.0.0/18
> 185.199.64.0/19
> 185.199.96.0/21
> 185.199.104.0/22
> 185.199.108.0/25
> 185.199.108.128/28
> 185.199.108.144/29
> 185.199.108.152
> 185.199.108.154/31
> 185.199.108.156/30
> 185.199.108.160/27
> 185.199.108.192/26
> 185.199.109.0/25
> 185.199.109.128/28
> 185.199.109.144/29
> 185.199.109.152
> 185.199.109.154/31
> 185.199.109.156/30
> 185.199.109.160/27
> 185.199.109.192/26
> 185.199.110.0/25
> 185.199.110.128/28
> 185.199.110.144/29
> 185.199.110.152
> 185.199.110.154/31
> 185.199.110.156/30
> 185.199.110.160/27
> 185.199.110.192/26
> 185.199.111.0/25
> 185.199.111.128/28
> 185.199.111.144/29
> 185.199.111.152
> 185.199.111.154/31
> 185.199.111.156/30
> 185.199.111.160/27
> 185.199.111.192/26
> 185.199.112.0/20
> 185.199.128.0/17
> 185.200.0.0/13
> 185.208.0.0/12
> 185.224.0.0/11
> 186.0.0.0/7
> 188.0.0.0/6
> 192.0.0.0/2
>
> ==> Try doing that by hand :-)
>
> ==> When iptables matches ipsets, each different prefix must be matched for every packet, so you can reduce the number of prefixes at the expense of more entries per prefix.
>
> pbx4 ~ # iprange -v --ipset-reduce 20 block-all-except.netset >block-all-except20.netset
> iprange: Loading from block-all-except.netset
> iprange: Loaded optimized block-all-except.netset
>
> Counting prefixes in combined ipset
> ...
>
> Eliminated 26 out of 30 prefixes (4 remain in the final set).
>
> iprange: Printing combined ipset with 5 ranges, 4294967292 unique IPs
>
> 1593 printed CIDRs, break down by prefix:
> - prefix /8 counts 255 entries
> - prefix /16 counts 255 entries
> - prefix /22 counts 63 entries
> - prefix /32 counts 1020 entries
>
> totals: 54 lines read, 5 distinct IP ranges found, 4 CIDR prefixes, 1593 CIDRs printed, 4294967292 unique IPs
> completed in 0.01835 seconds (read 0.00068 + think 0.01419 + speak 0.00347)
>
> ==> Note the "4294967292 unique IPs" remains the same in both cases.
>
> ==> For AstLinux the "--ipset-reduce 20" step may not be worth it, but is optional.
>
> iprange is quite cool, a lot of cool mathematics in it. Though currently IPv4-only.
>
> Lonnie
>
>>
>> On 21/8/19, 2:10 am, "Lonnie Abelbeck" <li...@lo...> wrote:
>>
>> Michael,
>>
>> As your original question asked, you wanted to block all countries except one or two.
>>
>> I suppose you could be clever and block all by default in /mnt/kd/blocklists/blocked-hosts.netset
>> --
>> 0.0.0.0/1
>> 128.0.0.0/1
>> --
>> and then use the whitelist to add your allowed countries .netset's
>>
>> BTW, I have not tried this !
>>
>> But a more elegant method would be to generate a custom block-all-except-xx-yy.netset on an external host for your custom use.
>>
>> The FireHol project uses a handy script "iprange" (should be on Debian)
>> https://github.com/firehol/iprange/wiki
>>
>> The "exclude" mode does a complement of the added file, so in theory (not tested) you could start with this file:
>> --
>> 0.0.0.0/1
>> 128.0.0.0/1
>> --
>> and then "exclude" what countries you want to allow to generate a block-all-except-xx-yy.netset file.
>>
>> The iprange command has a bunch of other unique and useful features. Though I'm not sure if it applies to AstLinux enough to be included ?
>>
>> Lonnie
From: Lonnie A. <li...@lo...> - 2019-08-21 01:39:41
Just to help document iprange ...

Below was an example where a.netset is manually created:

pbx4 ~ # iprange -v a.netset --exclude-next test.netset > block-all-except.netset

This is an alternate way to use stdin and a - (minus) as a placeholder

pbx4 ~ # echo "0.0.0.0/0" | iprange -v - --exclude-next test.netset > block-all-except.netset
--
iprange: Loading from stdin
iprange: Loaded optimized stdin
iprange: Loading from test.netset
iprange: Loaded optimized test.netset
iprange: Removing IPs in test.netset from stdin
iprange: Printing stdin with 5 ranges, 4294967292 unique IPs
--
and you can have multiple "--exclude-next fileN.netset" to subtract additional netsets.

A very powerful tool.

So, when the final result is used as a block-all-except.netset blocklist, the subtracted IP's will be not blocked, all the rest will be blocked.

Lonnie

> On Aug 20, 2019, at 3:57 PM, Lonnie Abelbeck <li...@lo...> wrote:
>
> On Aug 20, 2019, at 2:57 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Thanks Lonnie. I'm learning __
>>
>> I noticed in the doco that you can 'match incoming and/or outgoing' traffic but I couldn't see where you actually specify this e.g. I just want incoming for instance
>> Just wondering if I am missing something?
>
> I don't think we have a web interface toggle for that, in your user.conf you can set:
> --
> BLOCK_HOSTS_BIDIRECTIONAL=0
> --
> and the AIF block hosts (Block All Traffic by Host/CIDR:) will only block on incoming. (be sure to test)
>
> But be careful, you then eliminate all outbound (Block All Traffic by Host/CIDR:) AIF block hosts filtering. If you can block one ransomware URL in an email, that is a feature best not turned off.
>
> And before you ask, no, there is no separate set of .netset files for outgoing and incoming :-)
>
> BTW, I have been playing with the "iprange" command, it is only 40 KB ... I'm thinking it is AstLinux worthy. I know Michael Keuter has suggested looking into it some time ago. So I now have...
>
> pbx4 ~ # cat > dns-in
> www.astlinux-project.org
>
> ==> The input is very flexible, here DNS is used to obtain the IPs... (using pthreads for parallel lookups 5x by default).
>
> pbx4 ~ # iprange dns-in > test.netset
> pbx4 ~ # cat test.netset
> 185.199.108.153
> 185.199.109.153
> 185.199.110.153
> 185.199.111.153
>
> ==> I manually created this file...
>
> pbx4 ~ # cat a.netset
> 0.0.0.0/1
> 128.0.0.0/1
>
> ==> just checking...
>
> pbx4 ~ # iprange a.netset
> 0.0.0.0/0
>
> ==> Like the original question, generate a blocklist which is test.netset subtracted from a.netset
> ==> In other words, the result will be a .netset blocking all except "www.astlinux-project.org"...
>
> pbx4 ~ # iprange -v a.netset --exclude-next test.netset > block-all-except.netset
> iprange: Loading from a.netset
> iprange: Loaded optimized a.netset
> iprange: Loading from test.netset
> iprange: Loaded optimized test.netset
> iprange: Removing IPs in test.netset from a.netset
> iprange: Printing a.netset with 5 ranges, 4294967292 unique IPs
>
> 54 printed CIDRs, break down by prefix:
> - prefix /1 counts 1 entries
> - prefix /2 counts 1 entries
> - prefix /3 counts 1 entries
> - prefix /4 counts 1 entries
> - prefix /5 counts 1 entries
> - prefix /6 counts 1 entries
> - prefix /7 counts 1 entries
> - prefix /8 counts 1 entries
> - prefix /9 counts 1 entries
> - prefix /10 counts 1 entries
> - prefix /11 counts 1 entries
> - prefix /12 counts 1 entries
> - prefix /13 counts 1 entries
> - prefix /14 counts 1 entries
> - prefix /15 counts 1 entries
> - prefix /16 counts 1 entries
> - prefix /17 counts 1 entries
> - prefix /18 counts 1 entries
> - prefix /19 counts 1 entries
> - prefix /20 counts 1 entries
> - prefix /21 counts 1 entries
> - prefix /22 counts 1 entries
> - prefix /25 counts 4 entries
> - prefix /26 counts 4 entries
> - prefix /27 counts 4 entries
> - prefix /28 counts 4 entries
> - prefix /29 counts 4 entries
> - prefix /30 counts 4 entries
> - prefix /31 counts 4 entries
> - prefix /32 counts 4 entries
>
> totals: 6 lines read, 5 distinct IP ranges found, 30 CIDR prefixes, 54 CIDRs printed, 4294967292 unique IPs
> completed in 0.00189 seconds (read 0.00075 + think 0.00004 + speak 0.00111)
>
> pbx4 ~ # cat block-all-except.netset
> 0.0.0.0/1
> 128.0.0.0/3
> 160.0.0.0/4
> 176.0.0.0/5
> 184.0.0.0/8
> 185.0.0.0/9
> 185.128.0.0/10
> 185.192.0.0/14
> 185.196.0.0/15
> 185.198.0.0/16
> 185.199.0.0/18
> 185.199.64.0/19
> 185.199.96.0/21
> 185.199.104.0/22
> 185.199.108.0/25
> 185.199.108.128/28
> 185.199.108.144/29
> 185.199.108.152
> 185.199.108.154/31
> 185.199.108.156/30
> 185.199.108.160/27
> 185.199.108.192/26
> 185.199.109.0/25
> 185.199.109.128/28
> 185.199.109.144/29
> 185.199.109.152
> 185.199.109.154/31
> 185.199.109.156/30
> 185.199.109.160/27
> 185.199.109.192/26
> 185.199.110.0/25
> 185.199.110.128/28
> 185.199.110.144/29
> 185.199.110.152
> 185.199.110.154/31
> 185.199.110.156/30
> 185.199.110.160/27
> 185.199.110.192/26
> 185.199.111.0/25
> 185.199.111.128/28
> 185.199.111.144/29
> 185.199.111.152
> 185.199.111.154/31
> 185.199.111.156/30
> 185.199.111.160/27
> 185.199.111.192/26
> 185.199.112.0/20
> 185.199.128.0/17
> 185.200.0.0/13
> 185.208.0.0/12
> 185.224.0.0/11
> 186.0.0.0/7
> 188.0.0.0/6
> 192.0.0.0/2
>
> ==> Try doing that by hand :-)
>
> ==> When iptables matches ipsets, each different prefix must be matched for every packet, so you can reduce the number of prefixes at the expense of more entries per prefix.
>
> pbx4 ~ # iprange -v --ipset-reduce 20 block-all-except.netset >block-all-except20.netset
> iprange: Loading from block-all-except.netset
> iprange: Loaded optimized block-all-except.netset
>
> Counting prefixes in combined ipset
> ...
>
> Eliminated 26 out of 30 prefixes (4 remain in the final set).
>
> iprange: Printing combined ipset with 5 ranges, 4294967292 unique IPs
>
> 1593 printed CIDRs, break down by prefix:
> - prefix /8 counts 255 entries
> - prefix /16 counts 255 entries
> - prefix /22 counts 63 entries
> - prefix /32 counts 1020 entries
>
> totals: 54 lines read, 5 distinct IP ranges found, 4 CIDR prefixes, 1593 CIDRs printed, 4294967292 unique IPs
> completed in 0.01835 seconds (read 0.00068 + think 0.01419 + speak 0.00347)
>
> ==> Note the "4294967292 unique IPs" remains the same in both cases.
>
> ==> For AstLinux the "--ipset-reduce 20" step may not be worth it, but is optional.
>
> iprange is quite cool, a lot of cool mathematics in it. Though currently IPv4-only.
>
> Lonnie
>
>>
>> On 21/8/19, 2:10 am, "Lonnie Abelbeck" <li...@lo...> wrote:
>>
>> Michael,
>>
>> As your original question asked, you wanted to block all countries except one or two.
>>
>> I suppose you could be clever and block all by default in /mnt/kd/blocklists/blocked-hosts.netset
>> --
>> 0.0.0.0/1
>> 128.0.0.0/1
>> --
>> and then use the whitelist to add your allowed countries .netset's
>>
>> BTW, I have not tried this !
>>
>> But a more elegant method would be to generate a custom block-all-except-xx-yy.netset on an external host for your custom use.
>>
>> The FireHol project uses a handy script "iprange" (should be on Debian)
>> https://github.com/firehol/iprange/wiki
>>
>> The "exclude" mode does a complement of the added file, so in theory (not tested) you could start with this file:
>> --
>> 0.0.0.0/1
>> 128.0.0.0/1
>> --
>> and then "exclude" what countries you want to allow to generate a block-all-except-xx-yy.netset file.
>>
>> The iprange command has a bunch of other unique and useful features. Though I'm not sure if it applies to AstLinux enough to be included ?
>>
>> Lonnie
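The "exclude" operation Lonnie documents in the two messages above (base set minus one or more netsets, as `iprange base --exclude-next f1 --exclude-next f2` does) can be reproduced with only Python's standard `ipaddress` module. This is an added example, not part of the thread and not the iprange project's code; the a.netset and test.netset contents are copied from the session above, and the 54-CIDR / 4294967292-address result is the check that it matches what iprange printed.

```python
import ipaddress
from collections import Counter

# Inputs copied from the thread: a.netset (all of IPv4 as two /1s) and
# test.netset (the four addresses DNS returned for www.astlinux-project.org).
A_NETSET = ["0.0.0.0/1", "128.0.0.0/1"]
TEST_NETSET = ["185.199.108.153", "185.199.109.153",
               "185.199.110.153", "185.199.111.153"]


def parse_netset(lines):
    """Parse .netset lines: one IP or CIDR per line, '#' comments and blanks ignored.
    A bare address is a /32, as iprange treats it."""
    nets = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def netset_exclude(base_lines, *exclude_files):
    """Return base minus every exclude file, as a minimal sorted list of
    IPv4Network objects (the 'block-all-except' netset of the thread).
    Each exclude file is applied in turn, like repeated --exclude-next."""
    result = list(ipaddress.collapse_addresses(parse_netset(base_lines)))
    for lines in exclude_files:
        for ex in ipaddress.collapse_addresses(parse_netset(lines)):
            remaining = []
            for net in result:
                if net.subnet_of(ex):
                    continue                                   # fully removed (also net == ex)
                if ex.subnet_of(net):
                    remaining.extend(net.address_exclude(ex))  # split net, drop ex's branch
                else:
                    remaining.append(net)                      # disjoint: untouched
            result = remaining
    return list(ipaddress.collapse_addresses(result))


def prefix_breakdown(nets):
    """Count CIDRs per prefix length: iprange's 'break down by prefix'."""
    return dict(Counter(n.prefixlen for n in nets))


def unique_ips(nets):
    """Total addresses covered: iprange's 'unique IPs'."""
    return sum(n.num_addresses for n in nets)


def format_netset(nets):
    """Render like iprange: bare address for a /32, CIDR otherwise."""
    return "\n".join(str(n.network_address) if n.prefixlen == 32 else str(n)
                     for n in nets)


if __name__ == "__main__":
    block = netset_exclude(A_NETSET, TEST_NETSET)
    print(format_netset(block))
    print(f"{len(block)} CIDRs, {unique_ips(block)} unique IPs, "
          f"prefixes: {prefix_breakdown(block)}")
```

Note that the result lists every CIDR needed to cover the complement, one per prefix length where the excluded addresses share a path and several where they diverge, which is why /23 and /24 do not appear for these four addresses; the `--ipset-reduce` step in Lonnie's session is a separate optimisation not reproduced here.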
From: Michael K. <mic...@ip...> - 2019-08-20 21:56:06
Ah sorry I missed that.

Regarding geoblocking, it's not something I would want to manually do each time and I would build a script initially and maybe a new tab eventually. The individual country netset files would either be blacklisted or whitelisted and they could be consolidated with iprange. My initial thoughts anyway. No time to do it currently. I may just add the included netset files for now incoming.

Regards
Michael Knill

On 21/8/19, 6:57 am, "Lonnie Abelbeck" <li...@lo...> wrote:

On Aug 20, 2019, at 2:57 PM, Michael Knill <mic...@ip...> wrote:
>
> Thanks Lonnie. I'm learning __
>
> I noticed in the doco that you can 'match incoming and/or outgoing' traffic but I couldn't see where you actually specify this e.g. I just want incoming for instance
> Just wondering if I am missing something?

I don't think we have a web interface toggle for that, in your user.conf you can set:
--
BLOCK_HOSTS_BIDIRECTIONAL=0
--
and the AIF block hosts (Block All Traffic by Host/CIDR:) will only block on incoming. (be sure to test)

But be careful, you then eliminate all outbound (Block All Traffic by Host/CIDR:) AIF block hosts filtering. If you can block one ransomware URL in an email, that is a feature best not turned off.

And before you ask, no, there is no separate set of .netset files for outgoing and incoming :-)

BTW, I have been playing with the "iprange" command, it is only 40 KB ... I'm thinking it is AstLinux worthy. I know Michael Keuter has suggested looking into it some time ago. So I now have...

pbx4 ~ # cat > dns-in
www.astlinux-project.org

==> The input is very flexible, here DNS is used to obtain the IPs... (using pthreads for parallel lookups 5x by default).

pbx4 ~ # iprange dns-in > test.netset
pbx4 ~ # cat test.netset
185.199.108.153
185.199.109.153
185.199.110.153
185.199.111.153

==> I manually created this file...

pbx4 ~ # cat a.netset
0.0.0.0/1
128.0.0.0/1

==> just checking...

pbx4 ~ # iprange a.netset
0.0.0.0/0

==> Like the original question, generate a blocklist which is test.netset subtracted from a.netset
==> In other words, the result will be a .netset blocking all except "www.astlinux-project.org"...

pbx4 ~ # iprange -v a.netset --exclude-next test.netset > block-all-except.netset
iprange: Loading from a.netset
iprange: Loaded optimized a.netset
iprange: Loading from test.netset
iprange: Loaded optimized test.netset
iprange: Removing IPs in test.netset from a.netset
iprange: Printing a.netset with 5 ranges, 4294967292 unique IPs

54 printed CIDRs, break down by prefix:
- prefix /1 counts 1 entries
- prefix /2 counts 1 entries
- prefix /3 counts 1 entries
- prefix /4 counts 1 entries
- prefix /5 counts 1 entries
- prefix /6 counts 1 entries
- prefix /7 counts 1 entries
- prefix /8 counts 1 entries
- prefix /9 counts 1 entries
- prefix /10 counts 1 entries
- prefix /11 counts 1 entries
- prefix /12 counts 1 entries
- prefix /13 counts 1 entries
- prefix /14 counts 1 entries
- prefix /15 counts 1 entries
- prefix /16 counts 1 entries
- prefix /17 counts 1 entries
- prefix /18 counts 1 entries
- prefix /19 counts 1 entries
- prefix /20 counts 1 entries
- prefix /21 counts 1 entries
- prefix /22 counts 1 entries
- prefix /25 counts 4 entries
- prefix /26 counts 4 entries
- prefix /27 counts 4 entries
- prefix /28 counts 4 entries
- prefix /29 counts 4 entries
- prefix /30 counts 4 entries
- prefix /31 counts 4 entries
- prefix /32 counts 4 entries

totals: 6 lines read, 5 distinct IP ranges found, 30 CIDR prefixes, 54 CIDRs printed, 4294967292 unique IPs
completed in 0.00189 seconds (read 0.00075 + think 0.00004 + speak 0.00111)

pbx4 ~ # cat block-all-except.netset
0.0.0.0/1
128.0.0.0/3
160.0.0.0/4
176.0.0.0/5
184.0.0.0/8
185.0.0.0/9
185.128.0.0/10
185.192.0.0/14
185.196.0.0/15
185.198.0.0/16
185.199.0.0/18
185.199.64.0/19
185.199.96.0/21
185.199.104.0/22
185.199.108.0/25
185.199.108.128/28
185.199.108.144/29
185.199.108.152
185.199.108.154/31
185.199.108.156/30
185.199.108.160/27
185.199.108.192/26
185.199.109.0/25
185.199.109.128/28
185.199.109.144/29
185.199.109.152
185.199.109.154/31
185.199.109.156/30
185.199.109.160/27
185.199.109.192/26
185.199.110.0/25
185.199.110.128/28
185.199.110.144/29
185.199.110.152
185.199.110.154/31
185.199.110.156/30
185.199.110.160/27
185.199.110.192/26
185.199.111.0/25
185.199.111.128/28
185.199.111.144/29
185.199.111.152
185.199.111.154/31
185.199.111.156/30
185.199.111.160/27
185.199.111.192/26
185.199.112.0/20
185.199.128.0/17
185.200.0.0/13
185.208.0.0/12
185.224.0.0/11
186.0.0.0/7
188.0.0.0/6
192.0.0.0/2

==> Try doing that by hand :-)

==> When iptables matches ipsets, each different prefix must be matched for every packet, so you can reduce the number of prefixes at the expense of more entries per prefix.

pbx4 ~ # iprange -v --ipset-reduce 20 block-all-except.netset >block-all-except20.netset
iprange: Loading from block-all-except.netset
iprange: Loaded optimized block-all-except.netset

Counting prefixes in combined ipset
...

Eliminated 26 out of 30 prefixes (4 remain in the final set).

iprange: Printing combined ipset with 5 ranges, 4294967292 unique IPs

1593 printed CIDRs, break down by prefix:
- prefix /8 counts 255 entries
- prefix /16 counts 255 entries
- prefix /22 counts 63 entries
- prefix /32 counts 1020 entries

totals: 54 lines read, 5 distinct IP ranges found, 4 CIDR prefixes, 1593 CIDRs printed, 4294967292 unique IPs
completed in 0.01835 seconds (read 0.00068 + think 0.01419 + speak 0.00347)

==> Note the "4294967292 unique IPs" remains the same in both cases.

==> For AstLinux the "--ipset-reduce 20" step may not be worth it, but is optional.

iprange is quite cool, a lot of cool mathematics in it. Though currently IPv4-only.

Lonnie

>
> On 21/8/19, 2:10 am, "Lonnie Abelbeck" <li...@lo...> wrote:
>
> Michael,
>
> As your original question asked, you wanted to block all countries except one or two.
>
> I suppose you could be clever and block all by default in /mnt/kd/blocklists/blocked-hosts.netset
> --
> 0.0.0.0/1
> 128.0.0.0/1
> --
> and then use the whitelist to add your allowed countries .netset's
>
> BTW, I have not tried this !
>
> But a more elegant method would be to generate a custom block-all-except-xx-yy.netset on an external host for your custom use.
>
> The FireHol project uses a handy script "iprange" (should be on Debian)
> https://github.com/firehol/iprange/wiki
>
> The "exclude" mode does a complement of the added file, so in theory (not tested) you could start with this file:
> --
> 0.0.0.0/1
> 128.0.0.0/1
> --
> and then "exclude" what countries you want to allow to generate a block-all-except-xx-yy.netset file.
>
> The iprange command has a bunch of other unique and useful features. Though I'm not sure if it applies to AstLinux enough to be included ?
>
> Lonnie
From: Lonnie A. <li...@lo...> - 2019-08-20 20:57:27
On Aug 20, 2019, at 2:57 PM, Michael Knill <mic...@ip...> wrote:
>
> Thanks Lonnie. I'm learning __
>
> I noticed in the doco that you can 'match incoming and/or outgoing' traffic but I couldn't see where you actually specify this e.g. I just want incoming for instance
> Just wondering if I am missing something?

I don't think we have a web interface toggle for that, in your user.conf you can set:
--
BLOCK_HOSTS_BIDIRECTIONAL=0
--
and the AIF block hosts (Block All Traffic by Host/CIDR:) will only block on incoming. (be sure to test)

But be careful, you then eliminate all outbound (Block All Traffic by Host/CIDR:) AIF block hosts filtering. If you can block one ransomware URL in an email, that is a feature best not turned off.

And before you ask, no, there is no separate set of .netset files for outgoing and incoming :-)

BTW, I have been playing with the "iprange" command, it is only 40 KB ... I'm thinking it is AstLinux worthy. I know Michael Keuter has suggested looking into it some time ago.

So I now have...

pbx4 ~ # cat > dns-in
www.astlinux-project.org

==> The input is very flexible, here DNS is used to obtain the IPs... (using pthreads for parallel lookups 5x by default).

pbx4 ~ # iprange dns-in > test.netset
pbx4 ~ # cat test.netset
185.199.108.153
185.199.109.153
185.199.110.153
185.199.111.153

==> I manually created this file...

pbx4 ~ # cat a.netset
0.0.0.0/1
128.0.0.0/1

==> just checking...

pbx4 ~ # iprange a.netset
0.0.0.0/0

==> Like the original question, generate a blocklist which is test.netset subtracted from a.netset
==> In other words, the result will be a .netset blocking all except "www.astlinux-project.org"...

pbx4 ~ # iprange -v a.netset --exclude-next test.netset > block-all-except.netset
iprange: Loading from a.netset
iprange: Loaded optimized a.netset
iprange: Loading from test.netset
iprange: Loaded optimized test.netset
iprange: Removing IPs in test.netset from a.netset
iprange: Printing a.netset with 5 ranges, 4294967292 unique IPs
54 printed CIDRs, break down by prefix:
 - prefix /1 counts 1 entries
 - prefix /2 counts 1 entries
 - prefix /3 counts 1 entries
 - prefix /4 counts 1 entries
 - prefix /5 counts 1 entries
 - prefix /6 counts 1 entries
 - prefix /7 counts 1 entries
 - prefix /8 counts 1 entries
 - prefix /9 counts 1 entries
 - prefix /10 counts 1 entries
 - prefix /11 counts 1 entries
 - prefix /12 counts 1 entries
 - prefix /13 counts 1 entries
 - prefix /14 counts 1 entries
 - prefix /15 counts 1 entries
 - prefix /16 counts 1 entries
 - prefix /17 counts 1 entries
 - prefix /18 counts 1 entries
 - prefix /19 counts 1 entries
 - prefix /20 counts 1 entries
 - prefix /21 counts 1 entries
 - prefix /22 counts 1 entries
 - prefix /25 counts 4 entries
 - prefix /26 counts 4 entries
 - prefix /27 counts 4 entries
 - prefix /28 counts 4 entries
 - prefix /29 counts 4 entries
 - prefix /30 counts 4 entries
 - prefix /31 counts 4 entries
 - prefix /32 counts 4 entries
totals: 6 lines read, 5 distinct IP ranges found, 30 CIDR prefixes, 54 CIDRs printed, 4294967292 unique IPs
completed in 0.00189 seconds (read 0.00075 + think 0.00004 + speak 0.00111)

pbx4 ~ # cat block-all-except.netset
0.0.0.0/1
128.0.0.0/3
160.0.0.0/4
176.0.0.0/5
184.0.0.0/8
185.0.0.0/9
185.128.0.0/10
185.192.0.0/14
185.196.0.0/15
185.198.0.0/16
185.199.0.0/18
185.199.64.0/19
185.199.96.0/21
185.199.104.0/22
185.199.108.0/25
185.199.108.128/28
185.199.108.144/29
185.199.108.152
185.199.108.154/31
185.199.108.156/30
185.199.108.160/27
185.199.108.192/26
185.199.109.0/25
185.199.109.128/28
185.199.109.144/29
185.199.109.152
185.199.109.154/31
185.199.109.156/30
185.199.109.160/27
185.199.109.192/26
185.199.110.0/25
185.199.110.128/28
185.199.110.144/29
185.199.110.152
185.199.110.154/31
185.199.110.156/30
185.199.110.160/27
185.199.110.192/26
185.199.111.0/25
185.199.111.128/28
185.199.111.144/29
185.199.111.152
185.199.111.154/31
185.199.111.156/30
185.199.111.160/27
185.199.111.192/26
185.199.112.0/20
185.199.128.0/17
185.200.0.0/13
185.208.0.0/12
185.224.0.0/11
186.0.0.0/7
188.0.0.0/6
192.0.0.0/2

==> Try doing that by hand :-)

==> When iptables matches ipsets, each different prefix must be matched for every packet, so you can reduce the number of prefixes at the expense of more entries per prefix.

pbx4 ~ # iprange -v --ipset-reduce 20 block-all-except.netset >block-all-except20.netset
iprange: Loading from block-all-except.netset
iprange: Loaded optimized block-all-except.netset
Counting prefixes in combined ipset ...
Eliminated 26 out of 30 prefixes (4 remain in the final set).
iprange: Printing combined ipset with 5 ranges, 4294967292 unique IPs
1593 printed CIDRs, break down by prefix:
 - prefix /8 counts 255 entries
 - prefix /16 counts 255 entries
 - prefix /22 counts 63 entries
 - prefix /32 counts 1020 entries
totals: 54 lines read, 5 distinct IP ranges found, 4 CIDR prefixes, 1593 CIDRs printed, 4294967292 unique IPs
completed in 0.01835 seconds (read 0.00068 + think 0.01419 + speak 0.00347)

==> Note the "4294967292 unique IPs" remains the same in both cases.

==> For AstLinux the "--ipset-reduce 20" step may not be worth it, but is optional.

iprange is quite cool, a lot of cool mathematics in it. Though currently IPv4-only.

Lonnie

> On 21/8/19, 2:10 am, "Lonnie Abelbeck" <li...@lo...> wrote:
>
> Michael,
>
> As your original question asked, you wanted to block all countries except one or two.
>
> I suppose you could be clever and block all by default in /mnt/kd/blocklists/blocked-hosts.netset
> --
> 0.0.0.0/1
> 128.0.0.0/1
> --
> and then use the whitelist to add your allowed countries .netset's
>
> BTW, I have not tried this !
>
> But a more elegant method would be to generate a custom block-all-except-xx-yy.netset on an external host for your custom use.
>
> The FireHol project uses a handy script "iprange" (should be on Debian)
> https://github.com/firehol/iprange/wiki
>
> The "exclude" mode does a complement of the added file, so in theory (not tested) you could start with this file:
> --
> 0.0.0.0/1
> 128.0.0.0/1
> --
> and then "exclude" what countries you want to allow to generate a block-all-except-xx-yy.netset file.
>
> The iprange command has a bunch of other unique and useful features. Though I'm not sure if it applies to AstLinux enough to be included ?
>
> Lonnie
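The two steps Lonnie walks through above (subtracting an allow-list from 0.0.0.0/0 to get a "block all except" .netset, then trading distinct prefix lengths for more entries as --ipset-reduce does) can be reproduced with the Python standard library. The block below is an added example written for this page; it is not part of the mailing-list post and not code from the iprange project. It assumes Python 3.7 or later (for ipaddress.subnet_of). The four allowed addresses are the ones shown in Lonnie's test.netset, and the kept prefix lengths [8, 16, 22, 32] are read off his --ipset-reduce 20 output; iprange chooses those itself, this example only splits each CIDR up to the next kept length, which happens to reproduce the same 1593-entry breakdown for this input. The checks at the bottom are the ones worth running before loading a list that blocks 4294967292 addresses into a firewall: the allowed hosts must not be covered, and the covered count must be exactly 2^32 minus the allowed hosts.

```python
import ipaddress
from collections import Counter

# Constructed input: the addresses Lonnie's "iprange dns-in" step resolved
# for www.astlinux-project.org, copied from the output shown on this page.
# Any mix of bare IPs and CIDRs works here.
ALLOWED = [
    "185.199.108.153",
    "185.199.109.153",
    "185.199.110.153",
    "185.199.111.153",
]


def block_all_except(allowed):
    """Minimal CIDR list covering every IPv4 address NOT in `allowed`.

    Same set arithmetic as iprange's exclude mode applied to 0.0.0.0/0:
    start from the whole address space and carve out each allowed network,
    keeping the remainder as the largest aligned blocks possible.
    """
    allow = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(a, strict=False) for a in allowed))
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for a in allow:
        nxt = []
        for r in remaining:
            if a.subnet_of(r):
                # address_exclude yields the minimal set r minus a
                # (nothing at all when a == r, which drops r entirely)
                nxt.extend(r.address_exclude(a))
            elif r.subnet_of(a):
                continue  # r lies wholly inside an allowed block: drop it
            else:
                nxt.append(r)  # disjoint: untouched
        remaining = nxt
    return sorted(ipaddress.collapse_addresses(remaining))


def unique_ip_count(nets):
    """Distinct addresses covered (iprange's 'unique IPs' figure)."""
    return sum(n.num_addresses for n in nets)


def prefix_breakdown(nets):
    """{prefixlen: number of entries}, like iprange's 'break down by prefix'."""
    return dict(Counter(n.prefixlen for n in nets))


def is_blocked(nets, ip):
    """True if `ip` falls inside any CIDR of the block list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def reduce_prefixes(nets, keep_prefixes):
    """Re-express `nets` using only the prefix lengths in `keep_prefixes`.

    Each CIDR is split into subnets of the shortest kept prefix that is at
    least as long as its own: fewer distinct prefixes for ipset to test per
    packet, more entries in the set. (Hypothetical simplification of what
    --ipset-reduce does; iprange also picks which prefixes to keep.)
    """
    keep = sorted(keep_prefixes)
    out = []
    for n in nets:
        target = next((p for p in keep if p >= n.prefixlen), None)
        if target is None:
            raise ValueError(f"no kept prefix length can represent {n}")
        out.extend(n.subnets(new_prefix=target))
    return out


def netset_lines(nets):
    """Render as .netset text: one CIDR per line, bare address for a /32."""
    return [str(n.network_address) if n.prefixlen == 32 else str(n)
            for n in nets]


if __name__ == "__main__":
    blocks = block_all_except(ALLOWED)
    print(f"{len(blocks)} CIDRs, {unique_ip_count(blocks)} unique IPs")
    print("break down by prefix:", prefix_breakdown(blocks))
    assert not any(is_blocked(blocks, ip) for ip in ALLOWED)
    assert unique_ip_count(blocks) == 2 ** 32 - len(ALLOWED)
    reduced = reduce_prefixes(blocks, [8, 16, 22, 32])
    print(f"reduced: {len(reduced)} CIDRs, {unique_ip_count(reduced)} unique IPs")
    print("\n".join(netset_lines(blocks)))
```

netset_lines() prints /32 entries as bare addresses, matching what iprange wrote to block-all-except.netset above; the firewall's .netset loader accepts either form.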
From: Michael K. <mic...@ip...> - 2019-08-20 19:58:01
Thanks Lonnie. I'm learning __

I noticed in the doco that you can 'match incoming and/or outgoing' traffic but I couldn't see where you actually specify this e.g. I just want incoming for instance
Just wondering if I am missing something?

Regards
Michael Knill

On 21/8/19, 2:10 am, "Lonnie Abelbeck" <li...@lo...> wrote:

Michael,

As your original question asked, you wanted to block all countries except one or two.

I suppose you could be clever and block all by default in /mnt/kd/blocklists/blocked-hosts.netset
--
0.0.0.0/1
128.0.0.0/1
--
and then use the whitelist to add your allowed countries .netset's

BTW, I have not tried this !

But a more elegant method would be to generate a custom block-all-except-xx-yy.netset on an external host for your custom use.

The FireHol project uses a handy script "iprange" (should be on Debian)
https://github.com/firehol/iprange/wiki

The "exclude" mode does a complement of the added file, so in theory (not tested) you could start with this file:
--
0.0.0.0/1
128.0.0.0/1
--
and then "exclude" what countries you want to allow to generate a block-all-except-xx-yy.netset file.

The iprange command has a bunch of other unique and useful features. Though I'm not sure if it applies to AstLinux enough to be included ?

Lonnie

> On Aug 19, 2019, at 7:05 PM, Michael Knill <mic...@ip...> wrote:
>
> Thanks Lonnie for the info.
>
> Regards
> Michael Knill
>
> On 20/8/19, 12:30 am, "Lonnie Abelbeck" <li...@lo...> wrote:
>
>> On Aug 19, 2019, at 1:17 AM, Michael Knill <mic...@ip...> wrote:
>>
>> Hi all
>>
>> Is there an easy way to set up Geoblocking on the firewall?
>> I would want to open up a couple of countries and block everything else.
>>
>> Regards
>> Michael Knill
>
> I would start here:
>
> Firewall External Block List
> https://doc.astlinux-project.org/userdoc:tt_firewall_external_block_list
>
> I would argue it is better to block attackers/threats rather than countries. Take a look at the "Country Map" for firehol_level1:
>
> http://iplists.firehol.org/?ipset=firehol_level1
>
> I personally use this cron entry to update threat blocklists two times a day:
> --
> ## Reload firewall blocklists
> 45 05,15 * * * reload-blocklist-netset /mnt/kd/blocklists firehol_level1 firehol_webclient spamhaus_dropv6 >/dev/null 2>&1
> --
> (please change the cron time slightly if you copy-paste)
>
> I also manually create a /mnt/kd/blocklists/whitelist.netset file to make sure critical upstream HOST/CIDR's never get blocked ... DNS, NTP, SIP providers, etc.
>
> BTW, I do get occasional false positives for HTTP/HTTPS outbound with the firehol_webclient blocklist since one bad actor on a shared server results in blocking the shared server's IP for a period of time.
>
> BTW, for years the "voipbl" blocklist worked well, but lately there have been too many false-positives to recommend.
>
> Back to your original question, blocking countries ... create your own /mnt/kd/blocklists/block-country-xx.netset files, DDG'ing I found a couple sites offering free, *.netset compatible file formats:
>
> http://www.ipdeny.com/ipblocks/
>
> https://www.countryipblocks.net/acl.php
> (Select Format: CIDR)
>
> I'm sure there are other Geo-blocklist sources as well.
>
> Note the Geo-blocklists do not need to be updated nearly as often as the threat blocklists do, I'm not sure but every month (or longer) is probably enough, depending on how accurate you want it.
>
> Lonnie
_______________________________________________
Astlinux-users mailing list
Ast...@li...
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....