Re: Using dynamic IP lists to block forwarding

["Neal P. Murphy" <neal.p.murphy@alum.wpi.edu>]

On Tue, 9 Jan 2018 16:24:50 +0000
Dave Osbourne <dave@osbourne.uk.eu.org> wrote:

> Ah - I looked at that (ipset) - didn't even know it existed...!!
> 
> I'm getting a lot of resistance from our outsourced IT supplier on 
> this...  the excuses are variously:
> 
> * block based on SRCIP being in <insert unfriendly state here> or
> * why don't you migrate to Office365 or
> * don't worry if you patch regularly and have a good passwd policy then 
> just let the traffic come
> 
> all completely pointless given the constrains and facts of the case.

I would say lack of awareness is the main reason they resist. The same lack of awareness and the dearth of easy-to-admin firewalls is the main reason there are still so many bot nets, so much malware, and so many miscreants around the internet. Another reason is that far too many people believe that end-to-end encryption will solve most of the problems of the internet; but they are wrong. TLS-everywhere has one major drawback; it prevents owners of private internets (like you and me) from detecting and blocking malware and micreants from crossing our perimeter firewalls. The correct solution is host-to-gateway, gateway-to-gateway, and gateway-to-host encryption; OE would allow owners and operators of private networks to prevent malware and miscreants from entering--and leaving--their networks.

> Does *anyone* have some kind of a reference or best practice for this, 
> or their own motivation even?

Maybe more than you wanted, but a little knowledge can go a long way. Do these first thing in mangle:PREROUTING; in short, drop traffic you already know you don't want as early as possible in netfilter; waste not one extra CPU cycle processing such packets.
  - DROP all INVALID packets; netfilter doesn't know why they arrived nor where they should
    go, so just drop them.
  - Determine countries you *never* want to exchange traffic with and DROP packets to and from
    those IPs. But be aware. Sometimes apparently legitimate sites (like alibaba and linux-questions)
    will be blocked.
  - I made a simple mod for Smoothwall Express that automates block sets; it can probably be easily
    adapted for general netfilter use. It uses the Exploited Servers, Chinese, Nigerian, Russian
    and LACNIC lists from wizcrafts. The sets are auto-updated daily. I had also used the 90-day
    list from openbl for a while. The problem with some of these blocklists is that they
    occasionally get *too* zealous and block legitimate sites. So I added admin whitelisting
    capability. And then added admin blocklist capability for completeness. The set of blocklists
    to be used is configurable. It's fairly easy to add parsers for other list formats.
  - GAR is another Smoothwall Express mod, but is closely tied to Smoothwall; I mention it because
    I think it does almost exactly what you want. It watches snort/suricata alerts and drops
    packets for a period of time to and from any IP that causes an alert. Theory: if you see
    someone outside your home checking the locks on your windows, will you let him in your front
    door if he knocks? Of course not. So if a host (IP addr) probes your network for services that
    don't exist (such as SQL, ftpd, telnetd), or tries a known exploit, don't let any packets go
    to or from that IP for some specified period of time.
  - DROP all traffic to and from TEST NET addresses and other address blocks that should never
    be routed.
  - DROP all internet-side traffic to and from private addresses unless you know that there are some
    private LANs between you and the actual internet.

This should help you to significantly reduce traffic to and from scruffy-looking sites.

N