# Blacklist management


warped prism

Hello,
Since a few versions ago, I have seen that the crowdsec firewall bouncer uses multiple ipsets to store the IPs that we have to block (crowdsec-blacklists-XXX) instead of one in older versions.
Is it possible to have some explanation about why we have multiple ipsets, and whether it's possible to predict the number of ipset lists created?
The goal is to script the iptables rules I create myself and be sure that I don't forget an ipset.
Currently, I see 2 blacklists, which are crowdsec-blacklists-0 and crowdsec-blacklists-1. Is there a chance that in the future the Crowdsec firewall bouncer will create a new one like crowdsec-blacklists-2?
Thanks in advance for your help.

atomic sundial (BOT)
Important Information

Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command /resolve or press the green resolve button below.

Log Files

If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.

Guide Followed (CrowdSec Official)

If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.

Screenshots

Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.

willow ether

> Is it possible to have some explanation about why we have multiple ipsets

Yes, because the newer firewall bouncer supports sending metrics to the LAPI, so if you run cscli metrics you can see the amount of dropped packets and processed packets per origin.

Because we need to know which origin the remediation has enforced, we split the ipset into multiple ones. AFAIK, and I can ask @cunning crescent, there will be only 2, but there could be more depending on the ipset limits set in the firewall configuration? But I refer to blotus on that one.

cunning crescent

Hey,

We create one set per decision origin (origin being the source of the decision: CAPI, a 3rd-party blocklist, a local decision, a manual one, ...).

We use numbers to identify the sets when in iptables mode because a set name cannot be longer than 32 characters. If you want to know which set handles which origin, you can refer to the log of the bouncer: we log the set name and the corresponding origin when creating it.

Predicting the number of sets is not really possible: each time a new origin appears, we'll create a new one. In your case you have 2, so I guess you only have decisions from crowdsec and CAPI; if you run cscli decisions add -i x.x.x.x you will see a 3rd set, as decisions from cscli are considered as being from another origin.

If you want to have more control over the rules, you can configure the bouncer to run in ipset mode. In this case, we only manage the content of a single set: you have to take care of creating it beforehand and use it as you see fit in your rules, and the bouncer will just add and remove IPs from it. You will lose the detailed block metrics in cscli metrics show bouncers, because we can no longer track the origin of a dropped packet.
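Since the number of numbered sets cannot be predicted, one way to reach the original goal (scripting the iptables rules without forgetting a set) is to enumerate the sets at run time rather than hard-coding a count. This is an added example, not code from the thread or from the CrowdSec project; the chain name INPUT, the IPv6 set prefix crowdsec6-blacklists and the sample set list are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or CrowdSec): generate one iptables
# rule per crowdsec-blacklists-N set that currently exists, so a set
# created for a new decision origin is not silently left unreferenced.

# Keep only the bouncer's numbered sets for the given prefix, in numeric
# order. Input is one set name per line, as printed by `ipset list -n`.
crowdsec_sets() {
    prefix="${1:-crowdsec-blacklists}"
    grep -E "^${prefix}-[0-9]+\$" \
        | awk -F- '{print $NF, $0}' | sort -n | cut -d' ' -f2-
}

# Print (do not apply) one DROP rule per set for the given chain, so the
# generated rules can be reviewed before they are loaded.
render_rules() {
    chain="$1"
    while IFS= read -r set_name; do
        [ -n "$set_name" ] || continue
        printf 'iptables -A %s -m set --match-set %s src -j DROP\n' \
            "$chain" "$set_name"
    done
}

# Constructed sample of `ipset list -n` output: the two sets from the
# question, a third one as appears after `cscli decisions add`, an
# unrelated set, and an IPv6 set (prefix crowdsec6-blacklists is assumed).
SAMPLE_SETS='crowdsec-blacklists-1
my-own-set
crowdsec-blacklists-0
crowdsec6-blacklists-0
crowdsec-blacklists-2'

# Rules derived from the constructed sample (used for the self-check).
sample_rules() {
    printf '%s\n' "$SAMPLE_SETS" \
        | crowdsec_sets crowdsec-blacklists | render_rules INPUT
}

# On a live host read the real set list; otherwise fall back to the sample.
live_rules() {
    if command -v ipset >/dev/null 2>&1; then
        ipset list -n 2>/dev/null
    else
        printf '%s\n' "$SAMPLE_SETS"
    fi | crowdsec_sets crowdsec-blacklists | render_rules INPUT
}

live_rules
```

Re-run it whenever the bouncer log reports a newly created set, since that is the moment a new origin (and a new rule) appears.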