Weird behaviour all IPs get blocked
-
Hi,
I have recently been using this plugin, but I noticed that when I add https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset
as an IP blocklist, ALL IPs get blocked.
Surprisingly, some others from Spamhaus work without problems. As soon as I enable this and reload ip, nothing resolves anymore, well, except the list itself.
Any idea?
edit: this works https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset
but not the level1 version -
The lvl1 feed shouldn't be used for outbound since it includes bogons.
-
I tried deny inbound and outbound, with the same results unfortunately
-
Well, it is definitely the bogons; once I add https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt
I get the same results.
Is there any way to add the level1 set somehow? I thought a lot of users have this list added, am I the only one having this problem? -
I'd recommend these PRI1 Feeds:
https://sslbl.abuse.ch/blacklist/dyre_sslipblacklist.csv
or https://sslbl.abuse.ch/blacklist/dyre_sslipblacklist_aggressive.csv
https://feodotracker.abuse.ch/blocklist/?download=badips
https://feodotracker.abuse.ch/blocklist/?download=ipblocklist
https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt
https://sslbl.abuse.ch/blacklist/sslipblacklist.csv
or https://sslbl.abuse.ch/blacklist/sslipblacklist_aggressive.csv
https://zeustracker.abuse.ch/blocklist.php?download=badips
https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
https://osint.bambenekconsulting.com/feeds/c2-ipmasterlist-high.txt
or https://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
https://cinsarmy.com/list/ci-badguys.txt
https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
https://rules.emergingthreats.net/blockrules/compromised-ips.txt
https://isc.sans.edu/api/sources/attacks/1000/
https://isc.sans.edu/feeds/block.txt
https://www.spamhaus.org/drop/drop.txt
https://www.spamhaus.org/drop/edrop.txt
http://talosintel.com/feeds/ip-filter.blf -
Thanks, I added a few of those and also these lists from firehol
bambenek_c2 dshield feodo
palevo spamhaus_drop spamhaus_edrop sslbl
zeus_badips ransomware_rw -
The feeds you indicate are already in the list above. Keep in mind I am listing the original source of the Feeds. Also note some feeds have an alternate (typically more aggressive) feed.
-
-
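Added example, not part of any post in the thread: bogon lists cover private and reserved address space, so a list that contains them also matches a firewall's own loopback, LAN and resolver addresses. This sketch checks a downloaded list against the local addresses you depend on before the list is enabled; the sample list and the addresses in `LOCAL_ADDRS` are constructed assumptions.

```python
import ipaddress

# Constructed sample in one-entry-per-line list format; not real feed content.
SAMPLE_LIST = """\
# constructed sample
0.0.0.0/8
10.0.0.0/8
127.0.0.0/8
192.168.0.0/16
198.51.100.0/24
203.0.113.7
224.0.0.0/3
"""

# Assumed local addresses the firewall must keep reaching (hypothetical values).
LOCAL_ADDRS = ["127.0.0.1", "192.168.1.1", "10.8.0.1"]


def parse_list(text):
    """Parse IPs/CIDRs, skipping blank lines, '#' comments and unparsable lines."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # header text or other non-address content
    return nets


def entries_covering(nets, local_addrs):
    """Return {local address: [list entries that would match it]}."""
    hits = {}
    for addr in local_addrs:
        ip = ipaddress.ip_address(addr)
        matched = [str(n) for n in nets if n.version == ip.version and ip in n]
        if matched:
            hits[addr] = matched
    return hits


if __name__ == "__main__":
    hits = entries_covering(parse_list(SAMPLE_LIST), LOCAL_ADDRS)
    for addr, entries in hits.items():
        print(f"{addr} would be blocked by: {', '.join(entries)}")
    if hits:
        print("List covers local addresses; do not apply it to LAN/outbound rules as-is.")
```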