{"id":22582278,"url":"https://github.com/poddmo/ufw-blocklist","last_synced_at":"2026-01-30T13:02:59.324Z","repository":{"id":40602795,"uuid":"507731292","full_name":"poddmo/ufw-blocklist","owner":"poddmo","description":"IP blocklist extension for Ubuntu ufw firewall","archived":false,"fork":false,"pushed_at":"2025-03-21T05:46:14.000Z","size":59,"stargazers_count":166,"open_issues_count":5,"forks_count":25,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-08-05T02:46:16.939Z","etag":null,"topics":["firewall","ip-blocklist","ipset","linux","network","network-security","security","ubuntu","ufw"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/poddmo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-06-27T01:56:06.000Z","updated_at":"2025-08-03T03:22:02.000Z","dependencies_parsed_at":"2023-08-22T01:33:18.279Z","dependency_job_id":"d10fde31-dd5a-415a-81fb-32a7912e22b3","html_url":"https://github.com/poddmo/ufw-blocklist","commit_stats":null,"previous_names":["poddmo/ufw-blocklist"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/poddmo/ufw-blocklist","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/poddmo%2Fufw-blocklist","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/poddmo%2Fufw-blocklist/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/poddmo%2Fufw-blocklist/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/G
itHub/repositories/poddmo%2Fufw-blocklist/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/poddmo","download_url":"https://codeload.github.com/poddmo/ufw-blocklist/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/poddmo%2Fufw-blocklist/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28913306,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-30T12:13:43.263Z","status":"ssl_error","status_checked_at":"2026-01-30T12:13:22.389Z","response_time":66,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["firewall","ip-blocklist","ipset","linux","network","network-security","security","ubuntu","ufw"],"created_at":"2024-12-08T06:02:26.882Z","updated_at":"2026-01-30T13:02:59.269Z","avatar_url":"https://github.com/poddmo.png","language":"Shell","funding_links":[],"categories":["Shell"],"sub_categories":[],"readme":"# ufw-blocklist\nAdd an IP blocklist to ufw, the uncomplicated Ubuntu firewall\n* integrates into ufw for pure Ubuntu\n* blocks inbound, outbound and forwarding packets\n* uses [Linux ipsets](https://ipset.netfilter.org/) for kernel-grade performance\n* the IP blocklist is refreshed daily\n* the IP blocklist is sourced from [IPsum](https://github.com/stamparm/ipsum)\n* ufw-blocklist is tested on:\n  * Armbian 22.05.3 Focal (based on Ubuntu 20.04.4 LTS (Focal Fossa))\n  * 
Ubuntu 22.04 LTS (Jammy Jellyfish)\n  * Ubuntu 24.04 LTS (Noble Numbat) - reported by @koenr\n\n**This blocklist is _very_ successful at dropping a lot of uninvited traffic.** It has been intentionally designed to be very light on resource requirements and zero maintenance as the initial target platform was a single-board computer operating as a home internet gateway. After the initial installation, there are no further writes to the storage system to preserve solid state storage. I would now highly recommend it for any Ubuntu host that has a public IP address or is otherwise exposed directly to the internet, for example, by port forwarding.\n\n# Installation\nInstall the ipset package\n```\nsudo apt install ipset\n```\n\nBackup the original ufw `after.init` example script\n```\nsudo cp /etc/ufw/after.init /etc/ufw/after.init.orig\n```\n\nInstall the ufw-blocklist files\n```\ngit clone https://github.com/poddmo/ufw-blocklist.git\ncd ufw-blocklist\nsudo cp after.init /etc/ufw/after.init\nsudo cp ufw-blocklist-ipsum /etc/cron.daily/ufw-blocklist-ipsum\nsudo chown root:root /etc/ufw/after.init /etc/cron.daily/ufw-blocklist-ipsum\nsudo chmod 750 /etc/ufw/after.init /etc/cron.daily/ufw-blocklist-ipsum\n```\n\nDownload an initial IP blocklist from [IPsum](https://github.com/stamparm/ipsum)\n```\ncurl -sS -f --compressed -o ipsum.4.txt 'https://raw.githubusercontent.com/stamparm/ipsum/master/levels/4.txt'\nsudo chmod 640 ipsum.4.txt\nsudo cp ipsum.4.txt /etc/ipsum.4.txt\n```\nStart ufw-blocklist\n```\nsudo /etc/ufw/after.init start\n```\nIt takes time to load the blocklist entries into the ipset. Watch the progress with \n```\nsudo ipset list ufw-blocklist-ipsum -terse | grep 'Number of entries'\n```\n\n# Usage\nThe blocklist is automatically started and stopped by ufw using the enable, disable and reload options. 
See the [Ubuntu UFW wiki page](https://help.ubuntu.com/community/UFW) for help getting started with ufw.\n\nThere are 2 additional `after.init` commands available: status and flush-all\n- The **status** option shows the count of entries in the blocklist, the hit count of packets that have been blocked and the last 10 log entries. The status option is further explained in the [Status](#status) section below.\n- The **flush-all** option deletes all entries in the blocklist and zeros the iptables hit counters:\n```\nsudo /etc/ufw/after.init flush-all\n```\nFrom this state you can manually add IP addresses to the list like this:\n```\nsudo ipset add ufw-blocklist-ipsum a.b.c.d\n```\nThis is useful for testing. Use `/etc/cron.daily/ufw-blocklist-ipsum` to download the latest list and fully restore the blocklist.\n\n# Status\nCalling `after.init` with the status option displays the current count of the entries in the blocklist, the hit counts on the firewall rules (column 1 is hits, column 2 is bytes) and the last 10 log messages. 
Here is a sample output:\n```\nuser@ubunturouter:~# sudo /etc/ufw/after.init status\nName: ufw-blocklist-ipsum\nType: hash:net\nRevision: 6\nHeader: family inet hashsize 4096 maxelem 65536\nSize in memory: 357312\nReferences: 3\nNumber of entries: 12789\n   76998  4403836 ufw-blocklist-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ufw-blocklist-ipsum src\n       4      160 ufw-blocklist-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ufw-blocklist-ipsum dst\n      11      868 ufw-blocklist-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set ufw-blocklist-ipsum dst\nSep 24 06:25:01 ubunturouter ufw-blocklist-ipsum[535172]: starting update of ufw-blocklist-ipsum with 12654 entries from https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt\nSep 24 06:26:02 ubunturouter ufw-blocklist-ipsum[547387]: finished updating ufw-blocklist-ipsum. Old entry count: 12654 New count: 12181 of 12181\nSep 24 22:23:21 ubunturouter kernel: [UFW BLOCKLIST FORWARD] IN=eth1 OUT=ppp0 MAC=11:22:33:44:55:66:77:88:99:00:aa:bb:cc:dd SRC=192.168.1.11 DST=194.165.16.37 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=51413 DPT=65058 WINDOW=0 RES=0x00 ACK RST URGP=0\nSep 25 06:25:02 ubunturouter ufw-blocklist-ipsum[598717]: starting update of ufw-blocklist-ipsum with 12181 entries from https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt\nSep 25 06:26:07 ubunturouter ufw-blocklist-ipsum[611761]: finished updating ufw-blocklist-ipsum. 
Old entry count: 12181 New count: 13008 of 13008\nSep 25 21:19:42 ubunturouter kernel: [UFW BLOCKLIST FORWARD] IN=eth1 OUT=ppp0 MAC=11:22:33:44:55:66:77:88:99:00:aa:bb:cc:dd SRC=192.168.1.11 DST=45.227.254.8 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=51413 DPT=65469 WINDOW=0 RES=0x00 ACK RST URGP=0\nSep 25 21:19:45 ubunturouter kernel: [UFW BLOCKLIST FORWARD] IN=eth1 OUT=ppp0 MAC=11:22:33:44:55:66:77:88:99:00:aa:bb:cc:dd SRC=192.168.1.11 DST=45.227.254.8 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=51413 DPT=65469 WINDOW=0 RES=0x00 ACK RST URGP=0\nSep 25 21:19:51 ubunturouter kernel: [UFW BLOCKLIST FORWARD] IN=eth1 OUT=ppp0 MAC=11:22:33:44:55:66:77:88:99:00:aa:bb:cc:dd SRC=192.168.1.11 DST=45.227.254.8 LEN=40 TOS=0x00 PREC=0x00 TTL=62 ID=0 DF PROTO=TCP SPT=51413 DPT=65469 WINDOW=0 RES=0x00 ACK RST URGP=0\nSep 26 06:25:02 ubunturouter ufw-blocklist-ipsum[661335]: starting update of ufw-blocklist-ipsum with 13008 entries from https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt\nSep 26 06:26:06 ubunturouter ufw-blocklist-ipsum[674158]: finished updating ufw-blocklist-ipsum. Old entry count: 13008 New count: 12789 of 12789\n```\n- Hits on the OUTPUT or FORWARD drop rules may indicate an issue with an internal host and are logged. In the example status shown above, the hits on the FORWARD rule are related to an internal torrent client.\n- INPUT hits are not logged. The status output above shows **76998 dropped INPUT packets** after the system has been up 9 days, 22:45 hours.\n\n# Todo\nThese scripts have run flawlessly for 4 years. 
The next steps are to generalise the blocklist case to arbitrary ipsets, for example, to block bogons or by geoblock\n- move config to /etc/defaults/ufw-blocklist\n  - refactor code: centralise config, rename/standardise variables\n- rework scripts to handle multiple blocklists: move after.init_run-parts into after.init, create lighter version of after.init to run from after.init.d\n- test and document geo-block example for blocking geographic subnets. Geo-based blocks are useful for blocking botnets or \"citizen activists.\" Geo-based subnets can be found at:\n  - https://www.ip2location.com/free/visitor-blocker\n  - https://www.ipdeny.com/ipblocks/\n- test and document blocking bogon IP addresses. Bogon lists can be found at:\n  - FireHOL includes fullbogons: https://iplists.firehol.org/\n  - so does Team Cymru. See fullbogons at: https://www.team-cymru.com/bogon-reference-http\n- develop a whitelist: firstly for anti-lockout protection when using bogon blocklists and then aim for a principle of least privilege position starting from deny all and only allowing from whitelists\n- develop test of entries as valid CIDR addresses - replace existing IP address regex with CIDR address regex\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpoddmo%2Fufw-blocklist","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fpoddmo%2Fufw-blocklist","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fpoddmo%2Fufw-blocklist/lists"}
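The README's Usage section describes flushing the set and restoring it from a freshly downloaded IPsum file, and the Todo list asks for entries to be validated as CIDR prefixes rather than bare IP addresses before they reach ipset. The shell script below is an added example written for this page; it is not code from the ufw-blocklist repository and makes no claim about how the project's own `after.init` or cron script perform the update. It assumes the live set name `ufw-blocklist-ipsum` and the `hash:net family inet hashsize 4096 maxelem 65536` parameters shown in the README's status output; the temporary set name `ufw-blocklist-ipsum-tmp`, the functions `cidr_valid` and `build_restore_script`, and the sample blocklist are the example's own constructions. It validates every entry as an IPv4 address or IPv4 CIDR (rejecting out-of-range octets, prefixes over /32 and anything carrying shell metacharacters), loads the survivors into a temporary set, and swaps that set in with `ipset swap`, so the live set is never empty between the flush and the reload.

```shell
#!/bin/sh
# Added example, not part of ufw-blocklist: validate blocklist entries as
# IPv4/CIDR and build an `ipset restore` script that swaps a new set in
# atomically instead of flushing the live set first.

# cidr_valid ENTRY: return 0 if ENTRY is a.b.c.d or a.b.c.d/n with
# 0 <= each octet <= 255 and 0 <= n <= 32; return 1 otherwise.
cidr_valid() {
    entry=$1
    case $entry in
        */*) addr=${entry%/*}; prefix=${entry#*/} ;;
        *)   addr=$entry;      prefix=32 ;;
    esac
    # Prefix must be purely numeric and at most 32.
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # Reject a leading or trailing dot before splitting on '.'.
    case $addr in ''|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # Any non-digit (including ';', '$', spaces) fails here, so a
        # poisoned list line can never be passed through to ipset.
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ ${#octet} -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_restore_script LISTFILE SETNAME: print an `ipset restore` script
# on stdout. Blank and '#' lines are ignored, only the first whitespace-
# separated field is used (IPsum level files hold one IP per line, the
# scored ipsum.txt holds "IP<TAB>score"), invalid entries go to stderr.
build_restore_script() {
    listfile=$1
    setname=$2
    tmpset="${setname}-tmp"   # assumed name for the staging set
    # Both sets must share type and options for `swap` to be accepted.
    printf 'create %s hash:net family inet hashsize 4096 maxelem 65536 -exist\n' "$setname"
    printf 'create %s hash:net family inet hashsize 4096 maxelem 65536 -exist\n' "$tmpset"
    printf 'flush %s\n' "$tmpset"
    while read -r entry _rest; do
        entry=${entry%"$(printf '\r')"}        # tolerate CRLF downloads
        case $entry in ''|'#'*) continue ;; esac
        if cidr_valid "$entry"; then
            printf 'add %s %s\n' "$tmpset" "$entry"
        else
            printf 'skipping invalid entry: %s\n' "$entry" >&2
        fi
    done < "$listfile"
    # swap exchanges the contents of the two sets in one kernel operation;
    # the iptables match-set rules keep referencing SETNAME throughout.
    printf 'swap %s %s\n' "$tmpset" "$setname"
    printf 'destroy %s\n' "$tmpset"
}

# Constructed sample list (not real IPsum data): three valid entries,
# one comment, one blank line and four lines that must be rejected.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample in IPsum's "IP score" layout
203.0.113.7 5
198.51.100.0/24 3

192.0.2.0/24
256.0.0.1 2
192.0.2.300 1
10.0.0.0/33 1
203.0.113.9;reboot 4
EOF

# Stand-alone run: print the restore script. On a real host this output
# is what you would pipe into `sudo ipset restore`.
build_restore_script "$sample" ufw-blocklist-ipsum
```

The `swap` step is the point of the example: `after.init flush-all` followed by a reload leaves a window where the set is empty and nothing is dropped, whereas staging into a second set and swapping keeps the old entries in force until the new ones are complete. Validation happens before any line reaches `ipset`, which is what the Todo item about CIDR regexes is asking for.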