[BlueOnyx:26291] Re: Saving APF Blacklist opens firewall

2023-06-13 Thread Michael Stauber via Blueonyx

Hi John,


> I'd like to counter if I may.

Sure!

> It is taking a full minute and more to do the complete reload, in which
> time there are many hacking efforts at play.
>
> iptables uses chains.  Instead of flushing everything and then building
> and adding one chain at a time:
>
> 1. Don't flush
> 2. Create a new chain(s) with the new rules
> 3. Insert the new chain(s) before the old chain
> 4. Remove the old chain(s)
> 5. Rename the new chain(s) to be the same as the old chain(s)



In principle this is a good idea, but I'm not sure if I want to go 
there. I consider APF a legacy product that will go away in 12 months 
and 17 days when CentOS 7 goes EOL. APF has served us very well for 
many, many years. No doubt about it. Yet 12 months before its retirement 
isn't really the right time to start making fundamental changes to it.


When you look under the hood of APF, you see that the code is quite 
complex and the way it is structured doesn't make inserting new chains 
and removing *all* previous chains that easy. And I guess that's why the 
original coders of APF did go the route of flushing all chains on a 
restart. It's doable, but at this point it might not really be worth the 
effort compared to the associated risks of releasing a modified APF that 
*might* have new flaws that were overlooked in testing. I'd rather not 
rock that boat.


And for modern versions of BlueOnyx we already have Firewalld as a more 
capable replacement.


--
With best regards

Michael Stauber
___
Blueonyx mailing list
Blueonyx@mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx


[BlueOnyx:26290] Re: Saving APF Blacklist opens firewall

2023-06-13 Thread John Simpson via Blueonyx
Hi Michael,

Thanks for taking the time for the very detailed and informative response.

I'd like to counter if I may.

It is taking a full minute and more to do the complete reload, in which
time there are many hacking efforts at play.

iptables uses chains.  Instead of flushing everything and then building and
adding one chain at a time:
1. Don't flush
2. Create a new chain(s) with the new rules
3. Insert the new chain(s) before the old chain
4. Remove the old chain(s)
5. Rename the new chain(s) to be the same as the old chain(s)

This should leave the existing rules intact while the new chains are built,
and the swap should be almost instantaneous.
This should also mean only the relevant chain needs to be rebuilt.

I do see the implementation already uses chains, so this should be a minor
change to make.

[root@5209r httpd]# iptables -v -t filter  -S INPUT | grep -- "INPUT -c"
-A INPUT -c 375197 1713824291 -j dfix
-A INPUT -c 137827 30265130 -j REFRESH_TEMP
-A INPUT -c 137532 30249688 -j TALLOW
-A INPUT -c 137532 30249688 -j TDENY
-A INPUT -c 132802 30003618 -j TGALLOW
-A INPUT -c 132802 30003618 -j TGDENY
-A INPUT -c 130848 29569897 -j IN_SANITY
-A INPUT -c 130848 29569897 -j FRAG_UDP
-A INPUT -c 130848 29569897 -j PZERO
-A INPUT -c 130847 29569825 -j IDENT
-A INPUT -c 130834 29567519 -j P2P
-A INPUT -c 5 305 -j DROP
[root@5209r httpd]# iptables -v -t filter  -S OUTPUT | grep -- "OUTPUT -c"
-A OUTPUT -c 126027 46200594 -j REFRESH_TEMP
-A OUTPUT -c 126027 46200594 -j TALLOW
-A OUTPUT -c 126027 46200594 -j TDENY
-A OUTPUT -c 126026 46200542 -j TGALLOW
-A OUTPUT -c 126026 46200542 -j TGDENY
-A OUTPUT -c 124237 45688665 -j OUT_SANITY
-A OUTPUT -c 124237 45688665 -j FRAG_UDP
-A OUTPUT -c 124237 45688665 -j PZERO
-A OUTPUT -c 124236 45688593 -j IDENT
-A OUTPUT -c 124223 45687744 -j P2P
-A OUTPUT -c 44996 5478097 -j ACCEPT
[root@5209r httpd]# iptables -v -t filter  -S INPUT | wc -l
172
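The five-step swap John outlines, written out as a POSIX sh script; this is an added example, not APF's code or anything posted to the list. It assumes the chain layout from the iptables output above (a TDENY chain reached from both INPUT and OUTPUT), a blacklist file with one address or CIDR per line, and that no other user chain jumps to the chain being replaced, because iptables -X refuses to delete a chain that is still referenced.

```shell
#!/bin/sh
# Replace one iptables user chain (e.g. APF's TDENY blacklist chain) without
# flushing the ruleset: build the replacement in full, swap the jumps, then
# delete the old chain and rename. IPT is overridable (IPT=echo) for a dry run.
IPT="${IPT:-iptables}"

# jump_pos HOOK CHAIN: 1-based rule number of "-j CHAIN" in HOOK, empty if none.
# The "-P" policy line printed by "iptables -S" is not a rule, so drop it first.
jump_pos() {
    "$IPT" -S "$1" | grep -v '^-P ' | grep -n -- "-j $2\$" | cut -d: -f1 | head -n 1
}

# swap_chain CHAIN LISTFILE [HOOK...]
#   CHAIN:    existing chain referenced by "-j CHAIN" rules in the HOOK chains
#   LISTFILE: one address or CIDR per line to DROP ('#' lines and blanks skipped)
#   HOOK:     built-in chains to re-hook (defaults to INPUT and OUTPUT, as in APF)
# On a mid-way failure it returns 1; the half-built "${CHAIN}_new" chain is left
# for inspection rather than silently removed.
swap_chain() {
    chain="$1"; list="$2"; shift 2
    [ $# -gt 0 ] || set -- INPUT OUTPUT
    new="${chain}_new"
    # steps 1+2: no flush; the replacement is complete before it sees traffic
    "$IPT" -N "$new" || return 1
    while IFS= read -r addr; do
        case "$addr" in ''|'#'*) continue ;; esac
        "$IPT" -A "$new" -s "$addr" -j DROP || return 1
    done < "$list"
    # steps 3+4: per hook, insert the new jump in the old jump's slot (so it runs
    # just before the old one), then delete the old jump. Between the two calls
    # both chains are active, so traffic is over-filtered, never unfiltered.
    for hook in "$@"; do
        pos="$(jump_pos "$hook" "$chain")"
        [ -n "$pos" ] || continue
        "$IPT" -I "$hook" "$pos" -j "$new" || return 1
        "$IPT" -D "$hook" -j "$chain" || return 1
    done
    # the old chain is now unreferenced: empty it, delete it, then step 5: rename
    "$IPT" -F "$chain" || return 1
    "$IPT" -X "$chain" || return 1
    "$IPT" -E "$new" "$chain"
}
```

Run with IPT=echo to print the command sequence instead of applying it.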


[BlueOnyx:26289] Re: fail2ban loses ignore IP list

2023-06-13 Thread Michael Stauber via Blueonyx

Hi Darren,


> I'd like to follow up on this - is 0.10.5-4 on 5209r correct or should there be
> a newer one?


I'm currently working on an updated Firewalld package for 
5209R/5210R/5211R and it should be ready sometime this week.


--
With best regards

Michael Stauber


[BlueOnyx:26288] Re: Saving APF Blacklist opens firewall

2023-06-13 Thread Michael Stauber via Blueonyx

Hi John,


> (On 5209r)
> I have noticed if I add an ip address to the APF Blacklist and press
> Save, the firewall is open during the save process.
> There are a lot of addresses in the firewall, and it takes several
> seconds to process the saving of the list.
> The firewall should be delaying traffic, not permitting traffic that
> should be blocked while the rules are activated.
>
> I believe under the hood you are using iptables?
> Overly simplified, the operations should be:
>
> iptables -P INPUT DROP    # disable until all block rules are in place
> iptables -P FORWARD DROP  # disable until all block rules are in place
> iptables -P OUTPUT DROP   # disable until all block rules are in place
> iptables -F               # flush rules
> # add blocking rules for blacklist
> # add rule at end to permit www traffic not already blocked



Indeed, APF uses "iptables" and it's the oldest firewall solution we 
offer for BlueOnyx. It has since then been superseded by "Firewalld", 
which is included in the purchase of APF, but only offered for download 
if the target server is a BlueOnyx 5210R or BlueOnyx 5211R.


On BlueOnyx 5209R only the iptables based APF is a practical choice.

And you're right: When APF is restarted, it first flushes all rules and 
then sets up the new rules one by one in a large loop. If you have many 
rules active, then this might take a moment and during that time the 
server is unprotected or (as more rules kick in) then gradually more and 
more protected.


If IPs are added to or removed from the whitelist or blacklist, then a 
full restart of APF isn't necessary. Instead just the relevant rules 
will be added or removed and the rest remains undisturbed. But when 
saving in the GUI we sort of have to hit the whole thing on the head and 
let APF do a full flush of the rules. We can't really avoid that.


There are naturally two different general approaches possible and these 
revolve around different philosophies. For some users a full on and 
complete inaccessibility of the server during a firewall restart might 
be acceptable, but for most it isn't. In fact I'll always be sweating 
blood and water if a server I'm working on just drops off the net and 
stops responding. We're not really in the business of giving people 
heart attacks. :o)


So yeah: The way it is? That's intentional to minimize disruptions and 
to not "rock the boat" too much.


As for Firewalld on 5210R and 5211R? That uses "nftables", which is the 
modern replacement of "iptables". One of the really *great* benefits of 
it is that we can use IPsets to quickly load *massive* IP blacklists 
into the firewall.


You can see this here for example:

https://shop.blueonyx.it/catalog/product/gallery/image/216/id/200/

When you blacklist a whole country from accessing your server 
(especially if it's a large one such as China), then this would result 
in a ridiculously impractical and massive amount of iptables rules. The 
current ruleset we use for China has 8673 IP address ranges in it. But 
if we load those blocked 8673 IP address ranges as IPSet? Then it's just 
a single firewall related transaction that gets performed. And that's 
blazingly fast and efficient.


Our Firewalld implementation also flushes the rules during a restart and 
therefore "opens up" briefly on a restart. But it's so much faster that 
you almost don't notice it.


So yeah: We do it this way to not rock the boat. APF is great, but it's 
really "old technology" and once you move to a newer version of 
BlueOnyx, be sure to try "Firewalld" instead. Your APF purchase already 
gives you access to it if you'd link it to a 5210R or 5211R.


--
With best regards

Michael Stauber


[BlueOnyx:26287] Re: Continuing Support for BlueOnyx: Your Help Makes a Difference!

2023-06-13 Thread Ken Marcus via Blueonyx
Michael

I tried to buy a php package but it times out after I click to return from
paypal to
https://shop.blueonyx.it/paypal/express/return/?token=EC-61G20932RX9748606&PayerID=5SREEUTSJ9S72

Also, my password reset emails for a precisionweb.net and a gmail account
never came.

And for selling conversions in general, my advice would be to have
more details on the package, some screenshots etc.
For example, I can't tell if it includes imagick (so that wordpress will
not complain).

Ken Marcus
Precision Web Hosting, LLC


On Sun, Jun 4, 2023 at 12:49 PM Michael Stauber via Blueonyx <
blueonyx@mail.blueonyx.it> wrote:

> Hi Meaulnes,
>
> > sorry dear Michael, but the payment form at
> > https://www.blueonyx.it/donations doesn't accept payments from my Swiss
> > AmEx credit card, it falls back to PayPal (that I hate) in the United
> > States without the possibility to use a Swiss phone number...
> >
> > So let me know how I can proceed
> If you still have the PDF of an old invoice you can use the bank details
> that are listed on it for a wire transfer. Aside from Paypal that's
> currently the only option. Many thanks! Much appreciated!
>
> --
> With best regards
>
> Michael Stauber
>


[BlueOnyx:26286] Saving APF Blacklist opens firewall

2023-06-13 Thread John Simpson via Blueonyx
Hi,

(On 5209r)
I have noticed if I add an ip address to the APF Blacklist and press Save,
the firewall is open during the save process.
There are a lot of addresses in the firewall, and it takes several seconds
to process the saving of the list.
The firewall should be delaying traffic, not permitting traffic that should
be blocked while the rules are activated.

I believe under the hood you are using iptables?
Overly simplified, the operations should be:

iptables -P INPUT DROP    # disable until all block rules are in place
iptables -P FORWARD DROP  # disable until all block rules are in place
iptables -P OUTPUT DROP   # disable until all block rules are in place
iptables -F               # flush rules
# add blocking rules for blacklist
# add rule at end to permit www traffic not already blocked