Thanks Jordan, I will look at those links.

On Sat, 25 Aug 2018, 10:31 Jordan Geoghegan, <jgeoghega...@gmail.com> wrote:

> You may want to check out the more recent guides I wrote for the updated
> version of these scripts:
>
> www.geoghegan.ca/unbound-adblock.html
>
> www.geoghegan.ca/pfbadhost.html
>
>
> On 08/24/18 06:32, jin&hitman&Barracuda wrote:
> > Hello
> >
> > Thanks for sharing all that information. I've been looking for a way to
> > create a blacklist and you sent this mail just in time. Your web page
> > helped me a lot.
> > On OpenBSD your script does all the jobs, but on Linux based systems I
> > wrote a shell script to update iptables rules.
> >
> >
> http://analog-radyo.blogspot.com/2018/08/dynamic-block-list-on-linux-iptables.html
> >
> >
> > On Sat, 30 Dec 2017 at 01:52, Jordan Geoghegan <jgeoghega...@gmail.com>
> > wrote:
> >
> >     Hi everyone,
> >
> >     Due to the number of people who have requested my ad-blocking scripts,
> >     I figured I would also post them to @misc so anyone can easily enjoy
> >     network-wide bad-host/ad-blocking.
> >
> >     I won't go into detail on how to set up routing/dhcp/unbound/anchors
> >     etc, for that see: https://www.openbsd.org/faq/pf/example1.html
> >
> >     I've included some example files from an EdgeRouter I have set up.
> >     They are trimmed down for brevity's sake; the conf files are not
> >     production ready, these are merely examples.
> >
> >     This setup is easily customizable; if you come across any other block
> >     lists you prefer, then they can be dropped in no problem. I chose to use
> >     solely the StevenBlack hosts file because it is a master list compiled
> >     from all the major banlists found in popular blocking products such as
> >     uBlock Origin, Adblock Plus et al. I also chose this file because it is
> >     filtered for duplicates as unbound(8) is said to struggle when there are
> >     redundancies in the blocklists, I'm told -- though I've never had
> >     any issue.
> >
> >     You're going to have to read the scripts and create the directories the
> >     scripts are calling and edit the anchor macros to fit your interface
> >     layout (I doubt everyone here is running cnmac0 as egress) and also will
> >     have to make the scripts executable and set them to run at regular
> >     intervals with crontab, ideally nightly.
> >
> >     I didn't make these scripts intelligent because I figured it was simpler
> >     to just run mkdir once rather than add extra lines to the script.
> >
> >     I know the pf.conf is fairly long; I thought I would show an example of
> >     my prio and queuing setup as an example, or conversely to see if anyone
> >     can poke any holes in it.
> >
> >     All the relevant bits regarding the anchors and blocklists are found at
> >     the end of the pf.conf file. See below that for the anchor conf files
> >     we're calling as well.
> >
> >     Hope this helps,
> >
> >     Jordan Geoghegan
> >
> >
> >     First, the scripts:
> >
> >     *DNS ad-block script:*
> >
> >     StevenBlack.sh:
> >
> >     cd /var/unbound/etc/banlist && \
> >     ftp https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts && \
> >     cat hosts | grep '^0\.0\.0\.0' | awk '{print "local-zone: \""$2"\" redirect\nlocal-data: \""$2" A 0.0.0.0\""}' > ads.conf
> >     rcctl reload unbound
> >
> >     ###
> >
> >     *IP based malicious IP blocking:*
> >
> >     banlist.sh:
> >
> >     cd /etc/blocklist && ftp https://www.binarydefense.com/banlist.txt \
> >     && ftp https://rules.emergingthreats.net/blockrules/compromised-ips.txt \
> >     && ftp https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt \
> >     && ftp https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset \
> >     && pfctl -a banlist -f /etc/banlist.conf
> >
> >     ###
> >
> >     As you can see, we are going to have to make an anchor in pf called
> >     'banlist' and modify the unbound.conf to load our banlist 'ads.conf'
> >
> >     If that's all you need, then you're pretty much good to go. If you
> >     would
> >     like to see my example conf files, see below.
> >
> >     *Example unbound.conf:*
> >
> >     # $OpenBSD: unbound.conf,v 1.7 2016/03/30 01:41:25 sthen Exp $
> >
> >     server:
> >             interface: 172.17.17.1
> >             interface: 127.0.0.1
> >             access-control: 172.17.17.0/24 allow
> >             access-control: 172.17.0.0/24 allow
> >             do-not-query-localhost: no
> >             hide-identity: yes
> >             hide-version: yes
> >             include: /var/unbound/etc/banlist/ads.conf
> >
> >     forward-zone:
> >             name: "."
> >             forward-addr: UR.DNS.GO.HERE
> >             forward-addr: UR.DNS.GO.HERE
> >
> >     ###
> >
> >
> >     *Example pf.conf:*
> >
> >     #       $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
> >     #
> >     # See pf.conf(5) and /etc/examples/pf.conf
> >
> >     # By default, do not permit remote connections to X11
> >     block return in on ! lo0 proto tcp to port 6000:6010
> >     #
> >     ext_if="{ cnmac0 }"
> >     int_if="{ cnmac1 cnmac2 }"
> >     lan_if="{ cnmac1 }"
> >     wifi_if="{ cnmac2 }"
> >     goodguys="{ 172.17.17.0/24 }"
> >     wifiguys="{ 172.17.0.0/24 }"
> >     chromecast="{ 172.17.0.12 172.17.0.13 172.17.0.23 }"
> >     xbox360="{ 172.17.0.19 }"
> >     printer="{ 172.17.0.17 }"
> >     Jordan="{ XXX.XX.XXX.XX }"
> >
> >     table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
> >     172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
> >     192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
> >     203.0.113.0/24 }
> >
> >
> >     # Queue List [ Download ]
> >     queue download on cnmac2 bandwidth 70M max 70M
> >     queue media-down parent download bandwidth 20M min 5M max 20M burst 24M for 200ms
> >     queue xbox-down parent media-down bandwidth 4M max 4M burst 8M for 200ms
> >     queue chrome-down parent media-down bandwidth 16M max 16M burst 20M for 225ms
> >     queue std-down parent download bandwidth 50M min 5M max 50M burst 70M for 500ms default
> >
> >
> >     set block-policy drop
> >     set loginterface egress
> >     set skip on lo0
> >     match in all scrub (no-df random-id max-mss 1440)
> >     match out on egress inet from !(egress:network) to any nat-to (egress:0)
> >     block in quick on egress from <martians> to any
> >     block return out quick on egress from any to <martians>
> >     block quick inet6
> >     block all
> >
> >     # A bit of edgy prio and bandwidth queuing, I felt like taking pf
> >     # out for a test drive here
> >
> >     pass in on $lan_if from $goodguys tag LAN set prio 6
> >     pass in on $wifi_if from $wifiguys tag WIFI modulate state set queue std-down
> >     pass in on $wifi_if from $chromecast tag CHROME modulate state set prio 2 \
> >     set queue chrome-down
> >     block out on $lan_if tagged WIFI
> >     block out on $lan_if tagged CHROME
> >     antispoof for { egress cnmac0 cnmac1 cnmac2 lo0 }
> >     pass in quick on $ext_if from $Jordan to any tag Jordan
> >     block in on $ext_if proto { tcp udp } from any to any port ssh ! tagged Jordan
> >     pass out on $ext_if inet
> >
> >
> >     # Printers Ruleset      | Block Printer on Egress && allow $goodguys subnet
> >     block out on $ext_if from $printer to any
> >     pass out quick on $wifi_if from $goodguys to $printer
> >
> >     # Spammers
> >     anchor banlist
> >     load anchor banlist from "/etc/banlist.conf"
> >
> >     # DNS Redirect
> >     anchor dns
> >     load anchor dns from "/etc/dns-redirect.conf"
> >
> >
> >     ###
> >
> >     *Anchor banlist.conf:*
> >
> >
> >     #   $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
> >     #
> >     ## Spammers ##
> >
> >     table <banlist> persist file "/etc/blocklist/banlist.txt" \
> >     file "/etc/blocklist/compromised-ips.txt" \
> >     file "/etc/blocklist/emerging-Block-IPs.txt" \
> >     file "/etc/blocklist/firehol_level3.netset"
> >     block in on egress from <banlist> to any
> >     block out log on egress from any to <banlist>
> >
> >
> >     ####
> >
> >     *Anchor dns-redirect.conf:*
> >
> >
> >     #   $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
> >     #
> >
> >     wifi_lan="{ cnmac2 }"
> >
> >     # DNS Redirect
> >     pass in on $wifi_lan proto { tcp udp } from any to \
> >     { 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 209.244.0.3 } port 53 \
> >     tag google rdr-to 172.17.17.1
> >
> >     # I added this because several devices were aggressively pinging
> >     # 8.8.8.8 on my network and it was annoying me
> >     pass in on $wifi_lan from any to \
> >     { 8.8.8.8 8.8.4.4  } \
> >     tag google rdr-to 172.17.17.1
> >
> >
> >
> >
> >
> > --
> > /There is no place like "/home"/
> > /Tuco (Benedicto Pasifico Juan Maria) Ramirez/
>
>
