Adding a blocklist to /etc/csf/blocklists fails
Posted: 18 Nov 2020, 03:04
In csf.conf I have
LF_IPSET = "1"
LF_IPSET_HASHSIZE = "1024"
LF_IPSET_MAXELEM = "65536"
I have several public blocklists enabled, namely ABDE, BDEALL, SPAMDROP, etc., all of which have been working correctly on csf with ipset for several years. At this point, I don't recall precisely what I had to do to set it up initially. I thought all I did was uncomment a line in /etc/csf/blocklists to enable each list.
Today I added a personal blocklist to /etc/csf/blocklists on a line coded as follows:
MYLIST|3600|0|http://www.mysite.com/blocklists/mylist.txt
(mylist.txt contains 4 entries. )
(I have obfuscated the URL to avoid attracting hits on the page. The location of the page appears to be irrelevant to the discussion.)
I then restarted csf, followed by lfd, per instructions in /etc/csf/blocklists.
The result lines logged into lfd.log:
...
Nov 17 18:45:58 ocahui lfd[20195]: Retrieved and blocking blocklist MYLIST IP address ranges
Nov 17 18:45:58 ocahui lfd[20195]: IPSET: loading set new_MYLIST with 4 entries
Nov 17 18:45:58 ocahui lfd[20195]: IPSET: switching set new_MYLIST to bl_MYLIST
Nov 17 18:45:58 ocahui lfd[20195]: *Error* IPSET: [ipset v7.1: Sets cannot be swapped: the second set does not exist]
...
I checked the content of /var/lib/csf/csf.block.MYLIST and find it contains the exact same set of 4 subnets in CIDR notation listed in mylist.txt on my site. Therefore, I conclude that the download part of the list blocking was carried out correctly. However, csf/lfd does not create the set bl_MYLIST, as indicated by the log, whereas new_MYLIST evidently is created. It is all a bit baffling to me.
LF_IPSET = "1"
LF_IPSET_HASHSIZE = "1024"
LF_IPSET_MAXELEM = "65536"
I have several public blocklists enabled, namely ABDE, BDEALL, SPAMDROP, etc., all of which have been working correctly on csf with ipset for several years. At this point, I don't recall precisely what I had to do to set it up initially. I thought all I did was uncomment a line in /etc/csf/blocklists to enable each list.
Today I added a personal blocklist to /etc/csf/blocklists on a line coded as follows:
MYLIST|3600|0|http://www.mysite.com/blocklists/mylist.txt
(mylist.txt contains 4 entries. )
(I have obfuscated the URL to avoid attracting hits on the page. The location of the page appears to be irrelevant to the discussion.)
I then restarted csf, followed by lfd, per instructions in /etc/csf/blocklists.
The result lines logged into lfd.log:
...
Nov 17 18:45:58 ocahui lfd[20195]: Retrieved and blocking blocklist MYLIST IP address ranges
Nov 17 18:45:58 ocahui lfd[20195]: IPSET: loading set new_MYLIST with 4 entries
Nov 17 18:45:58 ocahui lfd[20195]: IPSET: switching set new_MYLIST to bl_MYLIST
Nov 17 18:45:58 ocahui lfd[20195]: *Error* IPSET: [ipset v7.1: Sets cannot be swapped: the second set does not exist]
...
I checked the content of /var/lib/csf/csf.block.MYLIST and find it contains the exact same set of 4 subnets in CIDR notation listed in mylist.txt on my site. Therefore, I conclude that the download part of the list blocking was carried out correctly. However, csf/lfd does not create the set bl_MYLIST, as indicated by the log, whereas new_MYLIST evidently is created. It is all a bit baffling to me.