When the crowdsec_blacklists gets updated - does it trigger a fw reload?

Started by nzkiwi68, November 18, 2022, 10:51:52 PM

I'm really liking the crowdsec system. I just had a few questions that I thought of.

ONE
How often do the crowdsec_blacklists get updated? I'm seeing these updates in my logs:
I take it that it updates when triggered from the cloud end.

160 crowdsecurity/community-blocklist update : +8881/-0 IPs ban:8881
11 hours ago
159 crowdsecurity/community-blocklist update : +8897/-0 IPs ban:143
13 hours ago
158 crowdsecurity/community-blocklist update : +8924/-0 IPs
15 hours ago
157 crowdsecurity/community-blocklist update : +8917/-0 IPs ban:261
18 hours ago
156 crowdsecurity/community-blocklist update : +8777/-0 IPs ban:1232
2 days ago
155 crowdsecurity/community-blocklist update : +8791/-0 IPs ban:67
2 days ago


TWO
Now the big question. When crowdsec does update the blocklist, does this trigger a firewall filter reload? If it doesn't then obviously you don't get any updated benefit from your floating firewall block rule.

Hello nzkiwi68!

The blocklist "community" updates come from the cloud service, yes. Then there are local attacks which are detected, flagged and banned in real time (depending on the rules of the scenario, a community decision may not be required to trigger a ban). The crowdsec daemon receives and writes the list of IPs to the local database (see "cscli decisions list -a").

There is no need to reload the filter service since there are a couple of dynamic PF tables (for ipv4 and ipv6) which are updated by the crowdsec-firewall-bouncer daemon.
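
One way to confirm this on the firewall, as an added example that is not part of the original thread: snapshot the PF table named in the thread title with `pfctl -T show` at intervals and print what was added and removed while the ruleset stays loaded. The function names and the 60-second default interval are assumptions; set `TABLE` to check the IPv6 table instead.

```shell
#!/bin/sh
# Added example: watch a PF table change in place (no filter reload involved).
# Run as root on the firewall:  sh watch_table.sh watch [interval_seconds]
TABLE="${TABLE:-crowdsec_blacklists}"   # table name taken from the thread title

# Strip padding and blank lines, then sort uniquely so comm(1) can compare.
normalize() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' | LC_ALL=C sort -u
}

# Print the addresses currently held in a PF table, one per line.
snapshot_table() {
    pfctl -t "$1" -T show 2>/dev/null | normalize
}

# table_delta OLD NEW: print "+<added> -<removed>" for two normalized snapshots.
table_delta() {
    added=$(LC_ALL=C comm -13 "$1" "$2" | wc -l | tr -d ' ')
    removed=$(LC_ALL=C comm -23 "$1" "$2" | wc -l | tr -d ' ')
    echo "+${added} -${removed}"
}

# Take a snapshot every INTERVAL seconds and log the change since the last one.
watch_table() {
    interval="${1:-60}"
    prev=$(mktemp)
    cur=$(mktemp)
    trap 'rm -f "$prev" "$cur"' EXIT INT TERM
    snapshot_table "$TABLE" > "$prev"
    while sleep "$interval"; do
        snapshot_table "$TABLE" > "$cur"
        total=$(wc -l < "$cur" | tr -d ' ')
        echo "$(date '+%Y-%m-%d %H:%M:%S') $TABLE $(table_delta "$prev" "$cur") total:$total"
        cp "$cur" "$prev"
    done
}

if [ "${1:-}" = "watch" ]; then
    watch_table "${2:-60}"
fi
```

A non-zero delta on a line whose timestamp does not match any filter reload in the firewall log shows the table being changed directly by the bouncer.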

Thanks very much for the explanation.

I do notice that the alias for the blocklist "CrowdSec (IPv4)" is type External (Advanced) so I was wondering if that meant no reload was necessary.

Thanks.