Add additional sources to IPFire blocklist feature

The new Firewall blocklist in Core Update 170 looks promising. :ok_hand:

Is there a way to include more Blocklists? From a reputable source like Github, Gitlab etc… and are well maintained?

1 Like

Just went from zero to 16… Is it not enough?!?

:upside_down_face:

3 Likes

HAHAHA, no I am not complaining, just I like to use blocklists to block services like DoH …

1 Like

Is there something specific that you had in mind? (something reputable and well maintained?) I am just curious…

1 Like

The file containing the list of blocklists is /var/ipfire/ipblocklist/sources. The explanation of the fields in the file is in the file header, so it’s easy enough to add new entries if you want, however the file will be overwritten by any future updates.

If you find any lists which would be useful to other people you could submit a patch to update this file, but before doing this it’s important to check that you’ve got the maximum frequency of checking for updates right, as many lists will block anyone trying to update too often. If you’re going to submit a patch it’s also important to check that the licence for the lists allows the list to be included in the ipfire distribution.

Possibly in a future update we can allow the possibility of a sources.local file, but I think the feature needs to be left as it is for a while before adding new functionality.

.

5 Likes

Welcome back @Timf :slight_smile:
Many thanks for your detailed explanation, I will follow it and post some lists below for discussion before submitting it.

Interesting that Abuse.ch went or is going commercial very soon. so it makes sense to have option.
@jon There used to be plenty of open and well maintained lists, but they either went commercial or abandoned. But here are some I recently found and used in addition to the ones already in the addon:

1- This list contains Common DoH servers and I think it is useful in cases when clients are circumventing IPFire’s DNS server.
It doesn’t mention a Licence. In terms of update checks I think Github is pretty forgiving for update checks if done in a “random” pattern or intervals.

https://raw.githubusercontent.com/jpgpi250/piholemanual/master/DOHipv4.txt

2- 3CoreSec Blacklist - they share threats from their honeypot projects
https://blacklist.3coresec.net/lists/all.txt

3coresec lists are under GNU Affero General Public License
https://www.gnu.org/licenses/agpl-3.0.en.html
3coresec doesn’t mention update check terms.

The "ALL list "above is combined from these specific lists

3- Hosts involved in SSH brute-force
https://blacklist.3coresec.net/lists/ssh.txt

4-Hosts involved in mass scanning and/or exploitation attempts
https://blacklist.3coresec.net/lists/misc.txt

5-Hosts involved in HTTP brute-force and/or enumeration
https://blacklist.3coresec.net/lists/http.txt

3 Likes