We have everything running…
But need to query if an IP is blocked (from command line).
There appears to not be any zone for the blocked attackers… or at least I cannot figure out what it is.
fwconsole firewall list blacklist only works to show blacklisted IP (which are manually added).
fwconsole firewall list blocked does not work, as blocked is not a valid zone.
How do we list the blocked attackers from command line?
Depending on the answer to #1, to add and remove an IP from command line, you need the zone.
Hosts detected by the Responsive firewall are in various files in this folder:
/proc/self/net/xt_recent
You can grep ATTACKER for ip addresses, which will include the blocked hosts, but will also include hosts that have been recently unblocked. Probably the easiest way to get a list of blocked hosts from the CLI is to file a feature request to have the argument added to fwconsole.
Perfect… got what we need from that.
I will put in a request (as it will be much cleaner processes then grep’ing the file.
Now, how to remove from the blacklist ?
fwconsole firewall del blacklist 1.1.1.1
Error: Host ‘1.1.1.1’ is not currently in the blacklist.
Cannot figure out what zone these are placed, as blacklist (shows as empty) and says not currently blacklisted.
I also tried attacker (and ATTACKER) as zones, but says unknown entry.
fwconsole firewall del attacker 95.218.46.86
Attempting to remove 95.218.46.86 from ‘attacker’ Zone … Unknown entry!
Hosts that Responsive Firewall classifies as blocked are not on the blacklist, so you can’t list or remove them using the fwconsole tools for the blacklist zone. It sounds like your feature request should include the ability to both list responsive blocked hosts and to remove a host from the responsive blocked list.
In the meantime, I updated the firewall to the latest version (as we were getting timeouts again and could not view IPs lists).
I see blocked attacker IPs in portal, but after the update there are now no files in /proc/self/net/xt_recent
Did they move to a new location with this latest update or is something broken?
FYI… with this latest update the overview and blocked pages are now responding instantly … never had that in prior versions.