Comment by Fnoord

5 days ago

I don't have a filter list for compromised proxy servers and VPNs. Do you have a link? I'd be interested in logging such. For Tor, I use [1] (formats in json, txt, md) on OPNsense, but I've also been able to indeed simply parse ASNs (which I currently use for "Twitter, Inc.").

> Preemptively banning all bad-reputation cloud IP ranges except whitelisted hosts has zero impact on clients. =3

This. There's outbound and inbound, and it is very unlikely your print server requires connections from Russia or China (to name an example). You're probably better off making a whitelist, jumphost, or using a VPN with proper authentication to access your services.

Outbound, now that is more difficult to assess. On a desktop, I like a personal firewall for that purpose. Little Snitch on macOS and Open Snitch on Linux have helped me a lot here, but ultimately your hardware firewall is probably lenient on outgoing connections, when you should ask yourself does my network require this, or are they better off with only a HTTP(S) proxy by default?

[1] https://github.com/7c/torfilter

1 comment

Fnoord

Reply
Joel_Mckay  4 days ago

>I don't have a filter list for compromised proxy servers and VPNs.

Someone just joined the nuisance forums, and grabs the same Socks/Telegram proxy list they all use (mostly old infected/open servers.) When it comes to firewall rules it is a sensitive matter, and depends on the firewall setup (black-hole bans are generally considered rude, as even handshakes are lost.)

For fairly recent personal ban lists could try:

https://github.com/bitwire-it/ipblocklist

https://www.iblocklist.com/lists

And a Pi-hole router as a DNS sinkhole:

https://github.com/pi-hole/pi-hole

Sanitizing IP lists both before and after parsing is important, and checking for malformed or whitelisted blocks is wise.

>Outbound, now that is more difficult to assess

SELinux and firewall rules will handle that just fine for services, but is cumbersome for desktop users. In general, most just try "unshare -r -n /home/$USER/someApp" or a sandbox/VM to prevent some useful user-space program from connecting to the web.

Dumping local traffic with wireshark or iftop is also rather common practice.

Best of luck, =3