On 08/03/10 18:56, Jason Garrett wrote:
>> Much better, restrict the client access to certain ranges of IPs. The
>> different registries publish IP ranges assigned per country and you can
>> create a list blocking countries you are certain not to visit, you can use
>> my script:
>> http://www.locolomo.org/pub/src/toolbox/inet.pl
> Great script! Just one question. Where do you put the list of denied IP
> ranges?
The output is written to be used with packet filter; if you use some
other firewall you may need to edit the script. If you use packet filter,
then you can dump the list into a file and create tables like this:
table <blacklist> persist file "/etc/blacklist"
block in quick from <blacklist>
I use blacklisting for mail while I use whitelisting for ssh.
You should know the limits of the script: the problem is that some
ranges have been assigned directly by IANA, particularly for the US. These
are not included. The list is limited, as these are all /8 chunks; you
can find it here:
http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
These ranges are managed by private organisations and assigned as they
see fit.
There is another thing I'd like to filter by: I'd like to eliminate
dynamic ranges, particularly for mail. It's been recommended that the
reverse lookup resolve to something like dyn.example.com or
dynamic.example.com, but there is no registry where you can simply look
it up.
BR, Erik
--
Erik Nørgaard
Ph: +34.666334818/+34.915211157 http://www.locolomo.org
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
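The per-country table file that the message above feeds into pf is built from the RIR "delegated-*-latest" statistics files, whose records have the form registry|cc|type|start|value|date|status with value being the number of IPv4 addresses in the block. Since that count is frequently not a power of two, the block has to be split into aligned CIDR prefixes before pf will accept it. The following is an added example, not Erik's inet.pl and not code from the thread: it parses a constructed sample in that record format, selects the country codes to deny, splits each record into CIDR prefixes, collapses adjacent ones, and emits the lines for a file such as /etc/blacklist. The sample records and country codes are made up for illustration and carry no claim about real allocations; the IANA legacy /8 assignments the message warns about are not in these files and must still be added separately.

```python
import ipaddress
from typing import Iterable, Iterator

# Constructed sample in the RIR delegated-file record format:
# registry|cc|type|start|value|date|status   (value = address count for ipv4)
# The first two lines mimic the version header and the per-RIR summary line.
# Allocations shown here are invented for the example, not real data.
SAMPLE_DELEGATED = """\
# comment line, ignored
2|ripencc|20240301|5|19830101|20240229|+0100
ripencc|*|ipv4|*|3|summary
ripencc|ES|ipv4|193.144.0.0|65536|19930101|allocated
ripencc|ES|ipv4|62.42.0.0|131072|19981101|allocated
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.8.0|1024|20110412|allocated
arin|US|ipv4|8.0.0.0|16777216|19921201|allocated
ripencc|ES|ipv6|2a02:1000::|32|20090101|allocated
apnic|KR|ipv4|1.11.0.0|768|20110201|allocated
"""


def parse_delegated(lines: Iterable[str]) -> Iterator[tuple[str, ipaddress.IPv4Network]]:
    """Yield (country_code, network) for every IPv4 record.

    A record's address count need not be a power of two (768 above), so one
    record may expand into several aligned prefixes.
    """
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # Skip the version header, the "*" summary lines and non-IPv4 records.
        if len(fields) < 5 or fields[1] == "*" or fields[2] != "ipv4":
            continue
        start = ipaddress.IPv4Address(fields[3])
        count = int(fields[4])
        last = start + (count - 1)
        for net in ipaddress.summarize_address_range(start, last):
            yield fields[1].upper(), net


def blocklist_for(lines: Iterable[str], countries: Iterable[str]) -> list[str]:
    """Return the collapsed CIDR list for the given country codes, as strings."""
    wanted = {c.upper() for c in countries}
    nets = [net for cc, net in parse_delegated(lines) if cc in wanted]
    # Merge adjacent/overlapping prefixes so the pf table stays small.
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def pf_table_file(cidrs: Iterable[str]) -> str:
    """Render one prefix per line, the layout pf's `table ... file` directive reads."""
    return "".join(f"{c}\n" for c in cidrs)


if __name__ == "__main__":
    # Countries here are chosen arbitrarily for the demonstration.
    denied = blocklist_for(SAMPLE_DELEGATED.splitlines(), ["cn", "kr"])
    print(pf_table_file(denied), end="")
```

Write the output to /etc/blacklist, then the two pf lines from the message load it (`table <blacklist> persist file "/etc/blacklist"` and `block in quick from <blacklist>`); after regenerating the file, `pfctl -t blacklist -T replace -f /etc/blacklist` swaps the table contents without reloading the ruleset. For the ssh whitelist case the same generator can be pointed at your own country codes and used with a `pass in quick ... from <sshallow>` rule preceded by a block rule.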