On 2/26/23 14:04, Genes Lists wrote:
On 2/26/23 06:32, David Runge wrote:
On 2023-02-26 10:22:08 (+0100), Markus Schaaf wrote:
On 26.02.23 at 04:00, David C. Rankin wrote:
Arch devs,
... iptables not to block them so my logs quit filling up with errors.
I may be off base here but I'll ask anyway.
Assuming you, as is typical, primarily block SYN packets for inbound traffic, the only way WKD would likely be a problem is if you either (a) blocked outbound to the arch WKD webserver or (b) you block even RELATED,ESTABLISHED coming back.
Conceivable, but are you sure that's what your firewall rules do David? Or do you have some other problem that is causing you trouble possibly?
Aside: you may want to consider migrating to nftables - it is a very significant improvement over legacy iptables.
best,
gene
I think I've found the IP using master-key.archlinux.org, but as you say there may be more redirects on the way. The issue is I block most of RIPE; I don't do business overseas, rarely outside Texas. I keep iptables stats on the number of intrusion attempts from RIPE, APNIC, AFRINIC, etc. and ban large blocks of each -- which leads to problems such as this when some remote redirect goes through one of the blocked ranges.

My solution thus far has been to add specific ACCEPT rules for the software that needs updates, certbot, freshclam, etc., which has worked quite well. However, like with archlinux-keyring-wkd-sync, it may not have a consistent IP or small range where it comes from. I'll try and get a better handle on what IPs are involved here and see if I can come up with one or more ACCEPT rules that will work with my setup.

--
David C. Rankin, J.D., P.E.
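As an added illustration (not part of the thread, and not anyone's actual ruleset), here is an nftables configuration in the shape gene describes: inbound new connections dropped, replies to the host's own outbound connections accepted back in, and outbound blocked only to chosen ranges, with an explicit accept for update endpoints placed ahead of that block as David's per-service ACCEPT approach does. All addresses and set names are constructed placeholders; the real address of the WKD host is not given in the thread.

```nft
# Added example, not from the thread. Addresses are placeholders.
table inet filter {
    # Ranges the admin chooses to block outbound (placeholder, not real RIPE space)
    set blocked_ranges {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24, 198.51.100.0/24 }
    }

    # Update endpoints that must stay reachable even when they sit inside a
    # blocked range (placeholder; the real WKD host address is not known here)
    set update_servers {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.42 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        # Case (b) in gene's message: without this line the replies to every
        # outbound connection, the WKD fetch included, are dropped here
        ct state established,related accept
        ct state invalid drop
        tcp dport 22 ct state new accept
        counter log prefix "nft-in-drop: " drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
        ct state established,related accept
        # Explicit accept evaluated before the range block, mirroring the
        # per-service ACCEPT rules described in the last message
        ip daddr @update_servers tcp dport 443 ct state new accept
        # Case (a) in gene's message: dropping outbound to the range the WKD
        # host lives in is what breaks the sync; the counter shows if it fires
        ip daddr @blocked_ranges counter log prefix "nft-out-drop: " drop
    }
}
```

Load it with `nft -f <file>` and run `nft list ruleset` after a sync attempt: the packet counters on the two drop rules tell you which one, if either, is catching the keyring traffic.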