I appreciate everyone’s use case will vary but could the ipfire team provide some general recommendations for which blocklists to enable. For example, I notice that the emerging threatlists incorporate other blocklists and therefore seem good ones to enable.
Perhaps, the ipfire team (or someone else) could recommend one blocklist in each category for a home or small office implementation of ipfire?
That isn’t needed, I’d say. You could just activate all and let it run. Either you run into inaccessible sites, or you have it active for a couple of hours and check the protocols. You get a nice list of actual hits for each blocklist. Then you can curate your individual installation.
The list category is a guide to how a list is generated. A reputation list trades off protection against false positives, so it is less likely to block addresses that have both good and bad traffic, but that means it will not react as quickly to new threats compared to some of the other lists. These lists all have their own purposes - you shouldn’t just enable one from each category. Ideally follow the link and try to understand what the list is meant to do before you decide whether to enable it or not.
Don’t enable all the lists - some of them are included in others.
BOGON_FULL includes BOGON
FEODO_AGGRESSIVE includes FEODO_IP which includes FEODO_RECOMMENDED
TOR_ALL includes TOR_EXIT
In general the first of each of these groups blocks more addresses, which provides better protection, but is more likely to block sites when it shouldn’t.
Don’t use the TOR lists if you’re using Tor.
The BOGON lists can completely block access to the internet if your RED interface uses one of the public IP address ranges (like 192.168. or 10.), but should be enabled otherwise.
EMERGING_FWRULE is a composite of some of the other lists, but updates only once a day (most of the lists can update several times a day).
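As an added example (not code from this thread or from IPFire), the following script turns the containment relations and the BOGON caveat stated above into a check you can run before saving a blocklist selection. The `SUPERSETS` table and `SAMPLE_BOGONS` prefixes are hypothetical helper data constructed here: the containment pairs are the ones named in the post, and the bogon prefixes are a small illustrative set of well-known special-use ranges, not the list IPFire actually downloads.

```python
import ipaddress

# Containment relations named in the post (broader list -> lists it already covers).
# Hypothetical helper data, not IPFire's own configuration format.
SUPERSETS = {
    "BOGON_FULL": {"BOGON"},
    "FEODO_AGGRESSIVE": {"FEODO_IP"},
    "FEODO_IP": {"FEODO_RECOMMENDED"},
    "TOR_ALL": {"TOR_EXIT"},
}

# Illustrative bogon prefixes (RFC 1918, RFC 6598 and a few other special-use
# ranges). Constructed sample; a real BOGON list is larger and fetched by IPFire.
SAMPLE_BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


def redundant_lists(enabled):
    """Return the enabled lists that a broader enabled list already covers.

    Walks the containment chain transitively, so enabling FEODO_AGGRESSIVE
    makes both FEODO_IP and FEODO_RECOMMENDED redundant.
    """
    enabled = set(enabled)
    covered = set()
    for big in enabled:
        stack = list(SUPERSETS.get(big, ()))
        while stack:
            small = stack.pop()
            if small in enabled:
                covered.add(small)
            stack.extend(SUPERSETS.get(small, ()))
    return sorted(covered)


def red_in_bogon(red_ip):
    """Return the sample bogon prefix that contains the RED address, or None."""
    addr = ipaddress.ip_address(red_ip)
    for net in SAMPLE_BOGONS:
        if addr in net:
            return str(net)
    return None


def review_selection(enabled, red_ip):
    """Produce human-readable warnings for a proposed blocklist selection."""
    warnings = []
    for name in redundant_lists(enabled):
        warnings.append(f"{name} is already covered by a broader enabled list")
    if any(name.startswith("BOGON") for name in enabled):
        hit = red_in_bogon(red_ip)
        if hit is not None:
            warnings.append(
                f"RED address {red_ip} lies in bogon range {hit}; "
                "a BOGON list can block all outbound traffic on this setup"
            )
    return warnings


if __name__ == "__main__":
    # Constructed sample selection: a double-NAT home router hands RED a
    # private address, and several overlapping lists are ticked.
    chosen = ["BOGON_FULL", "BOGON", "FEODO_AGGRESSIVE", "FEODO_RECOMMENDED", "TOR_EXIT"]
    for line in review_selection(chosen, "192.168.1.2"):
        print("WARNING:", line)
```

The redundancy walk only reports lists that the post says are subsets of another; it does not try to compare list contents, so two independent lists that happen to overlap (for example EMERGING_FWRULE and one of the lists it aggregates) are not flagged.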
RE: BOGON Blocking access to internet …
Since the BLOCKLISTIN / BLOCKLISTOUT iptables chains do a return for these (see below) before actually applying the ipblocklists, it’s unlikely to cause an issue …
RETURN all -- 10.0.0.0/8 anywhere
RETURN all -- 172.16.0.0/12 anywhere
RETURN all -- 192.168.0.0/16 anywhere
RETURN all -- 100.64.0.0/10 anywhere
Of course, this circumvents some of the entries in the BOGON* IP Block Lists
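To make the effect of those RETURN rules concrete, here is an added example (not code from the thread or from IPFire) that walks a packet's source address through the chain in the same order iptables does: the four RETURN rules quoted above first, then the blocklist matches. The `SAMPLE_BOGON_SET` prefixes are a constructed illustration of what a BOGON-style set might contain, not the list IPFire downloads, and `blocklistin_verdict` is a hypothetical name for the simulation.

```python
import ipaddress

# The RETURN rules exactly as quoted from the BLOCKLISTIN chain, in order.
RETURN_RULES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
)]

# Constructed sample of BOGON-style prefixes. Note that some of them overlap
# the RETURN rules above and some (0.0.0.0/8, link-local, multicast) do not.
SAMPLE_BOGON_SET = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def blocklistin_verdict(src_ip, blocklists):
    """Simulate the chain: first matching rule decides, as in iptables.

    blocklists is an ordered list of (name, prefixes) pairs standing in for
    the per-list DROP rules that follow the RETURN rules.
    Returns (verdict, reason).
    """
    src = ipaddress.ip_address(src_ip)
    for net in RETURN_RULES:
        if src in net:
            # Leaves the chain before any blocklist rule is consulted.
            return ("RETURN", str(net))
    for name, prefixes in blocklists:
        for net in prefixes:
            if src in net:
                return ("DROP", name)
    # No rule matched: fall through to the caller's policy.
    return ("RETURN", "end of chain")


def exempted_bogons(bogon_set):
    """Which sample bogon prefixes can never trigger a DROP because a RETURN
    rule always fires first? This is the 'circumvented' subset the post
    mentions."""
    exempt = []
    for net in bogon_set:
        if any(net.subnet_of(r) or net == r for r in RETURN_RULES):
            exempt.append(str(net))
    return exempt


if __name__ == "__main__":
    lists = [("BOGON", SAMPLE_BOGON_SET)]
    # Constructed sample sources: a double-NAT upstream, a link-local source,
    # a 0.0.0.0/8 source and an ordinary public address.
    for ip in ("10.1.2.3", "169.254.10.1", "0.1.2.3", "203.0.113.5"):
        print(ip, blocklistin_verdict(ip, lists))
    print("bogon prefixes exempted by the RETURN rules:", exempted_bogons(SAMPLE_BOGON_SET))
```

The simulation shows why a private RED address keeps working even with a BOGON list enabled: RFC 1918 and CGNAT sources leave the chain at the RETURN rules, while bogon sources outside those four ranges (link-local, 0.0.0.0/8, multicast) still reach the DROP rules.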