Can I help progress version2 of ipblacklist addon

Both of my test IPFire boxes are still at 32 bit and I have been struggling to compile a 32bit binary for the 2 helper programs required for this addon. (I’ve discovered my IPFire 32bit source code has been corrupted and is now no longer available)
Can you help in compiling these 2 ipblacklist c programs?

getipsetstat.c

/* IPFire helper program - GetIPSetStat
 *
 * Get the list from IPSET LIST
 *
 */

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <fcntl.h>
#include "setuid.h"


int main(void)
{
        if (!(initsetuid()))
                exit(1);

        safe_system("/usr/sbin/ipset list -t -f /var/tmp/ipsets.txt");
        safe_system("chown nobody:nobody /var/tmp/ipsets.txt");

        return 0;
}

ipblacklistctrl.c

/* This file is part of the IPFire Firewall.
 *
 * This program is distributed under the terms of the GNU General Public
 * Licence.  See the file COPYING for details.
 *
 */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <fcntl.h>
#include "setuid.h"

int main(int argc, char *argv[]) {

    if (!(initsetuid()))
        exit(1);

    if (argc < 2) {
        fprintf(stderr, "\nNo argument given.\n"
                "ipblacklistctrl (update|restore|log-on|log-off|"
                "enable|disable)\n\n");
        exit(1);
    }

    if (strcmp(argv[1], "update") == 0) {
        safe_system("/usr/local/bin/ipblacklist update >/dev/null 2>&1 &");
    } else if (strcmp(argv[1], "restore") == 0) {
        safe_system("/usr/local/bin/ipblacklist restore >/dev/null 2>&1 &");
    } else if (strcmp(argv[1], "log-on") == 0) {
        safe_system("/usr/local/bin/ipblacklist log-on >/dev/null 2>&1 &");
    } else if (strcmp(argv[1], "log-off") == 0) {
        safe_system("/usr/local/bin/ipblacklist log-off >/dev/null 2>&1 &");
    } else if (strcmp(argv[1], "enable") == 0) {
        safe_system("/usr/local/bin/ipblacklist enable >/dev/null 2>&1 &");
    } else if (strcmp(argv[1], "disable") == 0) {
        safe_system("/usr/local/bin/ipblacklist disable >/dev/null 2>&1 &");
    } else {
        fprintf(stderr, "\nBad argument given.\n"
                "ipblacklistctrl (update|restore|log-on|log-off|"
                "enable|disable)\n\n");
        exit(1);
    }

    return 0;
}

Rob

Hi Rob,

I think you are going to have problems then. 32 bit IPFire has been announced as deprecated for a year or more and end of 2021 was its EOL.
The last Core Update where it was still available was 162. Your IPFire systems will still work but you will not be able to do any updates as Core Update 163 onwards will not have 32 bit i586 code available.

Any git clone will no longer have 32 bit capability except for armv6l.

All my builds are done with an x86_64 system.

Hi Adolf,
Unfortunately one of my development boxes runs an alix board which won’t run 64 bit code and the other has some modifications that would take some time to re-apply if I changed to 64 bit. My main firewall is 64 bit however.

I think I have all the other parts of ipblacklist available to install; it’s just these 2 binaries I need to complete.

I am trying to recover my corrupted source code and get the following error when I run
sudo ./make.sh build
mkdir -pv /usr/share/doc/licenses/
cp -vf /usr/src/doc/COPYING /usr/share/doc/licenses/GPLv3
cp: cannot stat ‘/usr/src/doc/COPYING’: No such file or directory
make: *** [stage2:116: /usr/src/log/stage2] Error 1

Any thoughts on where I am going wrong?

Thanks for your help

Rob

This is indicating that you are missing a file in your source tree.

In your ipfire2.x/doc/ directory there should be a file called COPYING which is the GPL license.

I suspect that you are missing that file resulting in the cannot stat message when IPFire tries to copy that file to the /usr/share/doc/licenses/GPLv3.

You should be able to download it from the IPFire git repository.

I had restored from backups to recover the corruption and it looks like I had missed that one. Odd the language files in that directory were intact. I restored the missing files from an earlier backup.

build is running OK now, many thanks for the pointer.

Rob

1 Like

I managed to set up an i586 build for v2.25 core 158 and compiled the 2 C programs and installed them on my alix test system and copied the remaining files over.
Results look ok but this box is behind my production firewall so doesn’t see any firewall hits. Looking OK but I can’t get fcron to update (maybe a permission problem) and looking into it.
I now need to decide on making this available as a stand alone add-on or patch it back into IPFire for which I would need a hand hold !
A couple of screen shots:


3 Likes

Congratulations on the progress you have made.

I would be willing to provide whatever helping hand that would be needed for creating the patch and how to submit it. Also the other people on the dev mailing list are very helpful too if there are any questions.

However to be able to submit it as a patch you are going to have to be able to build it with either an x86_64 or armv6l or aarch64 architecture.

i586 is no longer in IPFire so I believe that any patch submission can not use that architecture. To confirm you could always ask that question on the dev mailing list.

2 Likes

Thank you for the offer of help. I have been subscribed to the dev mailing list for some time so I am aware of the helpfulness there.
As this add-on was originally intended to be incorporated into the main IPFire I am a bit concerned about who will maintain the program as I am not as knowledgeable as @timf so I think it would require additional support for the code from others.

There isn’t any architecture specific code in ipblacklist. The 2 binary programs are compiled at build time and the remaining code is perl and some bash so should be independent of architecture.
I do intend to run it on my main x86_64 system when I have finished testing, so should confirm it runs OK.

I think I have sorted out the fcron problem and the blocklists now seem to be updating correctly.
More testing to-morrow.

Best
Rob

3 Likes

Hi Rob,

Sorry for the delay in any reply.

This is likely to be the problem aspect. If you are not able to support the ongoing maintenance of this tool then you are going to need to find someone who is capable of doing that and willing to take it up.

With no maintainer for it I suspect that the IPFire devs would not be willing to accept it as the result would be that when problems occurred they would then be expected to figure out what the code is doing and fix it.

You could always raise the question on the dev list to see what their response would be.

I have now had a good look at @timf 's code and it is well written and has comprehensive comments so that it is easy to understand. It shouldn’t be difficult to maintain.

I’ll pop along there shortly.

I now have this code working on my main firewall (IPFire 2.27 (x86_64) - Core Update 161) and I must say I’m quite impressed with the new features. The “IP Address Blacklist Logs” page is a very useful addition to see which blacklist is contributing to the most effective blocking and I have added an additional Local Blacklist which is generated by parsing my mail server logs for abusive ip addresses and adding the list to my web server.

I found a few problems:
There is a conflict between ipblacklist and ipfblocklist if it is installed. The ipsets generated by ipfblocklist are not removed when the addon is disabled via the WUI and therefore this addon should be uninstalled before ipblacklist is loaded.

There are a few missing files on Patchwork:
There is only the English lang file available.
There isn’t an init script included. I used a modified ipfblocklist one.
The logwatch file ipblacklist.conf isn’t included and needs to be written.
ipblacklists.dat needs a couple of patches:

  1. remove - require "${General::swroot}/geoip-functions.pl"; - This isn’t included in core 161 and is not used in this program.

  2. change
    &General::readhash( "/srv/web/ipfire/html/themes/".$mainsettings{'THEME'}."/include/colors.txt", \%color );
    to
    &General::readhash( "/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color );

Finally the maxelem value I had problems with at the start of this topic is now solved as it is set at a value to accommodate the size of each blacklist.

Rob

2 Likes
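An added example, not part of the original posts or of the ipblacklist code: a small check over the terse `ipset list -t` listing (the output getipsetstat.c writes to /var/tmp/ipsets.txt) that flags sets which have reached their maxelem limit and sets that no firewall rule references, such as ones left behind by another add-on. The set names and numbers are constructed sample data, the listing is abbreviated, and it assumes an ipset version that prints the "Number of entries" line.

```shell
#!/bin/sh
# Constructed, abbreviated sample of `ipset list -t` output
# (Revision and "Size in memory" lines omitted; names are hypothetical).
sample_listing() {
cat <<'EOF'
Name: EXAMPLE_DROP
Type: hash:net
Header: family inet hashsize 1024 maxelem 2048
References: 2
Number of entries: 1270

Name: EXAMPLE_LOCAL
Type: hash:net
Header: family inet hashsize 64 maxelem 128
References: 2
Number of entries: 128

Name: EXAMPLE_LEFTOVER
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536
References: 0
Number of entries: 300
EOF
}

# Print "name entries maxelem references status" for every set.
#   FULL   entries have reached maxelem, so a list may not have loaded completely
#   UNUSED nothing references the set (References: 0)
#   OK     otherwise
# Reads the files given as arguments, or stdin when there are none,
# e.g. ipset_summary /var/tmp/ipsets.txt
ipset_summary() {
    awk '
        function emit() {
            if (name == "") return
            status = (max > 0 && entries >= max) ? "FULL" : (refs == 0 ? "UNUSED" : "OK")
            print name, entries, max, refs, status
        }
        /^Name: /              { emit(); name = $2; entries = max = refs = 0 }
        /^Header: /            { for (i = 2; i < NF; i++) if ($i == "maxelem") max = $(i + 1) + 0 }
        /^References: /        { refs = $2 + 0 }
        /^Number of entries: / { entries = $4 + 0 }
        END                    { emit() }
    ' "$@"
}

sample_listing | ipset_summary
```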

Hi @helix
Thanks for looking into this. I’ve been using V1 for years.
It is a far more preferable way to drop bad ip addrs as opposed to loading up Suricata processing with tons of rules for bad ip addrs.
I hope you can manage to get this incorporated into IPFire – either as part of core or as an addon

Thanks again,
@cbrown

3 Likes

Thank you for your support. I am hopeful it can be incorporated into IPFire, but I could turn it into an addon if the devs don’t support incorporation. From Adolf’s comments here I am hopeful it will become part of the code.

Rob

2 Likes

That is great to hear, both that Tim commented his code very well :+1: and that you feel able to pick up the maintenance of it :+1:

3 Likes

I was following the instructions to install iptables blocklist

but it was not successful.
I now get only error “software error:” when I try to start this addon inside the GUI → firewall / .ip-blocklist

Can’t open IP Tables stats file: No such file or directory at /srv/web/ipfire/cgi-bin/blocklist.cgi line 103.
a lot of text with …0.0.0.0/0.0.0.0 … inside the Browser
Can someone help me to solve the problem please ?

Hi @hopsele

Welcome to the IPFire community.

You do not need to download and install from that github site anymore.

Since Core Update 170 the IP Blocklists capability has been built into IPFire. See the following wiki page.

https://wiki.ipfire.org/configuration/firewall/ipblocklist

2 Likes

The version of ipfblocklist you were trying to install has been superseded by the ipfire version which as Adolf says has been included since Core Update 170.

What version of IPfire are you running?

Rob

1 Like

Hello and thank you for trying to help
IPFire-Version → IPFire 2.27 (x86_64) - core180
Packfire-Version → Linux ipfire.fritz.box 6.1.45-ipfire #1 SMP PREEMPT_DYNAMIC Tue Aug 15 21:32:54 GMT 2023 x86_64 AMD GX-412TC SOC
Kernelversion → AuthenticAMD GNU/Linux
Can you explain how to remove the not working module ip-blacklist ?

Hi @hopsele
I’m thinking this might do the trick …
There is an uninstall-blocklist.sh file at https://github.com/timfprogs/ipfblocklist install-blocklist.sh
Use the To install instructions but change the shell script from install-blocklist.sh to uninstall-blocklist.sh

Hi Rainer,
I no longer have any installations of the original ipfblocklist so I cannot test this on anything here, but there is an “uninstall-blocklist.sh” file on the github site which you could try downloading and running on your installation which I see already has the current ipblocklist installed (core180).

I cannot remember if this uninstall file is downloaded automatically during installation so it might already be available.

Rob

I found a solution to uninstall the add-on ipfblocklist from github
wget https://github.com/timfprogs/ipfblocklist/raw/master/uninstall-blocklist.sh
chmod +x uninstall-blocklist.sh
./uninstall-blocklist.sh

I will now try to find the way to add individual blocklists for ip addresses and ranges

1 Like