Curious about expiration on Decisions around the 22 hour space
It seems there are 3 different groupings of expiring decisions, those around the 4 hour length, a jump up to the 22 hour length with a huge group of IPs, and then another rather large jump up to 104 with its group going on up to less than 168 hours
The 22-24 hour group, does it stay around, or do the elements in the group occasionally or often 'expire naturally'?
Also to any "why is he doing this?"
The default placement of the firewall for CrowdSec on the OPNSense is not optimal for my setup so I have my own lists which get grouped as one list as the OPNSense does its API triggered 'reconfigure' for PF/pfctl faster if the lists that are being reconfigured are smaller (a huge 50k+ list takes a while to reconfigure)
4h are likely the automated decisions made by crowdsec (it's the default configuration)
24h are the blocklists you have subscribed to in the console: they are refreshed every 24h on our side, and crowdsec will pull the new version when there is less than 2h left for the decisions from the previous pull: the duration for a decision will always be set to 24h
168h is one week, the maximum duration for an IP in the community blocklist (an IP can stay in it longer as long as we receive signals about it, but the actual duration is capped to one week): the pull is performed every 2 hours, and each IP will have a different expiration
for anyone doing anything like this, just split your lists by origin, and if the origin is 'lists' then add '_' + scenario (note 'manual...' has a lot of extra text so just mod it back to 'manual')
working quite well now, thank you again @blotus for the detail and all the help so far ❤️ ^_^
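The split described in this thread, as an added example that is not from any poster or from CrowdSec's own code: decisions are grouped by origin, with '_' + scenario appended for origin 'lists', and each group's remaining-duration range is reported so the roughly 4h, 24h and 168h groupings can be checked. The field names follow CrowdSec decision objects; the sample decisions, the blocklist name `example_blocklist`, the function names, and the reading that 'manual' refers to the long scenario text of manually added decisions are assumptions.

```python
import re
from collections import defaultdict

_UNIT_SECONDS = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 0.001}
_PART = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")

def duration_hours(text):
    """Convert a Go-style duration such as '23h58m1.5s' to hours."""
    sign = -1.0 if text.startswith("-") else 1.0
    body = text.lstrip("+-")
    parts = _PART.findall(body)
    # Reject anything the pattern did not consume completely.
    if not parts or "".join(n + u for n, u in parts) != body:
        raise ValueError(f"unrecognised duration: {text!r}")
    return sign * sum(float(n) * _UNIT_SECONDS[u] for n, u in parts) / 3600.0

def list_name(decision, with_scenario=("lists",)):
    """Name of the firewall list a decision goes into (hypothetical helper)."""
    origin = decision["origin"]
    if origin not in with_scenario:
        return origin
    scenario = decision["scenario"]
    if scenario.startswith("manual"):
        scenario = "manual"  # drop the extra text after 'manual'
    return f"{origin}_{scenario}"

def split_decisions(decisions, with_scenario=("lists",)):
    """Group decisions into named lists with their remaining-duration range."""
    groups = defaultdict(lambda: {"ips": [], "hours": []})
    for d in decisions:
        g = groups[list_name(d, with_scenario)]
        g["ips"].append(d["value"])
        g["hours"].append(duration_hours(d["duration"]))
    return {name: {"ips": sorted(g["ips"]),
                   "min_h": min(g["hours"]), "max_h": max(g["hours"])}
            for name, g in groups.items()}

# Constructed sample decisions (documentation IP ranges, made-up durations).
SAMPLE = [
    {"origin": "crowdsec", "scenario": "crowdsecurity/ssh-bf", "value": "192.0.2.10", "duration": "3h41m12.5s"},
    {"origin": "lists", "scenario": "example_blocklist", "value": "198.51.100.7", "duration": "22h15m0s"},
    {"origin": "lists", "scenario": "example_blocklist", "value": "198.51.100.8", "duration": "23h59m30s"},
    {"origin": "CAPI", "scenario": "crowdsecurity/http-probing", "value": "203.0.113.5", "duration": "104h2m0s"},
    {"origin": "CAPI", "scenario": "crowdsecurity/http-probing", "value": "203.0.113.6", "duration": "167h30m0s"},
    {"origin": "cscli", "scenario": "manual 'ban' from 'localhost'", "value": "192.0.2.99", "duration": "3h0m0s"},
]

if __name__ == "__main__":
    for name, g in sorted(split_decisions(SAMPLE).items()):
        print(f"{name}: {len(g['ips'])} IPs, {g['min_h']:.1f}h to {g['max_h']:.1f}h left")
```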