On Jun 17, 2010, at 1:56 PM, Valerian Galeru wrote:
Ok, very simply put:
To do this without shell scripting, but this could avoid filtering
future IP addresses:
1. DIG HOSTNAMEs and add ipfw block rules for those IPs
2. DIG HOSTNAMEs and add a null rule
To block all *.hostname and future IP addresses of any of
*.hostname, a shell script must be written that analyzes all
requests [I have no idea how to execute a shell script LIVE!!!, any
ideas on this topic?].
Scripting it is not that hard, but most security advisors seem to
recommend against it since a smart attacker could use such a
thing against you. If you know the hostname and ip, there is no
reason to script it, if you don't, then you will have the script making
decisions and it's possible those decisions could be leveraged to
make you block the wrong thing. In spite of warnings, I did it
during the bot attacks in 2006 and it really saved us. With care,
it's a great solution. I'm not sure why you would do this if you
know the hostname? I am missing something there, maybe the
question of how you come to know that this host should be blocked.
If it's content, then here is another approach.
If you know the content that makes "*.hostname" be a bad
actor, snort_inline is designed for that. You run it on a socket
at startup and divert within ipfw, any traffic you want checked.
You create a snort rule to do so and drop the session if it
matches. Again, your drop rules need to be well designed, so it
has some of the same earmarks as the scripted solutions.
It does work, though, if you can identify a unique signature for
what *.hostname (and then *.hostname2, *.hostname3, etc.)
is doing that means they should be blocked. It handles some pretty
hefty traffic too, though I run it on a machine in front of the
net that only does ipfw/bridging and snort_inline. It was
pretty easy to set up too. With this, I'm not suggesting a
hostname lookup but to drop sessions from hostname
based on whatever the criteria is that you use to know
that it should be blocked.
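As an added example (not code from this thread or from either poster), here is the scripted approach the reply describes, written so that a resolver answer cannot talk the script into blocking loopback, private, link-local or the router's own addresses; it prints the ipfw(8) table commands for review instead of applying them. The table number, the OWN_ADDRS list and the sample resolver output are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: turn a hostname's current A records
# into ipfw table entries, refusing anything that would block the wrong
# thing. Output is printed for review rather than applied directly.
OWN_ADDRS="203.0.113.1"   # constructed: the router's own public address(es)

# Accept only a dotted quad with each octet in 0..255 (dig +short also
# prints CNAME targets, which must never reach ipfw).
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eqx '([0-9]{1,3}\.){3}[0-9]{1,3}' || return 1
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Ranges a resolver answer must never talk us into blocking: "this network",
# loopback, RFC 1918, link-local, multicast and our own addresses.
protected() {
    case "$1" in
        0.*|127.*|10.*|192.168.*|169.254.*|22[4-9].*|2[3-5][0-9].*) return 0 ;;
        172.*) o2=${1#172.}; o2=${o2%%.*}
               [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 0 ;;
    esac
    for own in $OWN_ADDRS; do [ "$1" = "$own" ] && return 0; done
    return 1
}

# Read resolver output on stdin; emit validated, deduplicated addresses.
filter_ips() {
    while IFS= read -r line; do
        valid_ipv4 "$line" || continue
        protected "$line" && continue
        printf '%s\n' "$line"
    done | sort -u
}

# Read addresses on stdin; emit the ipfw(8) commands that add them to a
# table. The ruleset then needs, once, rules such as:
#   ipfw add 100 deny ip from 'table(1)' to any
#   ipfw add 101 deny ip from any to 'table(1)'
gen_rules() {
    while IFS= read -r ip; do printf 'ipfw table %s add %s\n' "$1" "$ip"; done
}

# Usage: block_host bad.example.com [table]  (review the output, then pipe to sh)
block_host() {
    dig +short A "$1" | filter_ips | gen_rules "${2:-1}"
}
if [ "$#" -gt 0 ]; then block_host "$@"; fi
```

Re-running it from cron picks up new A records, which is the "future IP addresses" part of the question; the protected-range check is what keeps a poisoned or hostile answer from turning the script against you.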
--- On Thu, 6/17/10, Bernt Hansson <[email protected]> wrote:
From: Bernt Hansson <[email protected]>
Subject: Re: FreeBSD router (IPFW-based): how to block an URL (all IPs of an A-like HOSTNAME)
To: "Valerian Galeru" <[email protected]>
Cc: [email protected]
Date: Thursday, June 17, 2010, 11:47 PM
Valerian Galeru said the following on 2010-06-17 22:01:
Hello,
Does anyone have any ideas how to block all requests using an IPFW-based router
(FreeBSD 6.4) to and from a HOSTNAME (which has more DNS A entries)
or better, from any *.HOSTNAME.COM ????
Do a whois hostname.com, taking note of their IP address range. Then,
for ipf, put this in your rules file.
### EXAMPLE ###
block in quick on fxp0 from 192.168.0.0/16 to any
block out quick on fxp0 from any to 192.168.0.0/16
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[email protected]"