On 2015.01.22 12.18, wie...@porcupine.org (Wietse Venema) wrote:
Wietse:
In the CIDR table, specify netblocks as follows:

192.168.1.1     dunno
192.168.1.0/24  reject

I.e. specify the good clients before the bad ones. Instead of
"dunno" specify "permit" if you are certain that the host is not
a bot.

btb:
right.  we do that now.  taking advantage of whitelist negative
scoring to reduce some of the administrative burden would be nice
though, and also avoid the "fix it after finding out it's broken"
scenario.

Instead of postscreen_access_list, you could use rbldnsd (or
equivalent) to mix local blacklists with remote whitelists.

I am not ready to give postscreen_access_list control over other
tests (if postscreen_access_list must be able to control dnsbl,
then it must also be able to control pregreet and so on). Nor am I
ready to make every postscreen feature a DNSBL-like score.

thanks, this makes sense. we'll use a local dnsbl. additionally, this will fit in well with my earlier question about cidr:/ lookup using a network map.

-ben
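The two mechanisms discussed above, put together as an added configuration example (not from the thread or the Postfix distribution): a first-match CIDR access list with the specific host ahead of its netblock, and a local DNSBL zone scored alongside a remote whitelist with a negative weight. The zone name local.dnsbl.example is a placeholder, and the rbldnsd dataset fragment uses syntax assumed from rbldnsd's ip4set format.

```ini
# --- /etc/postfix/main.cf (excerpt) ---
# postscreen consults the access list first. CIDR rules are matched
# top-down, first match wins, so the "good" host must precede the
# netblock that contains it.
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr

# The local list (served by rbldnsd; placeholder zone name) is scored
# like any other DNSBL. Remote whitelist zones carry negative weights;
# a total at or below postscreen_dnsbl_whitelist_threshold (Postfix 2.11+)
# whitelists the client for the remaining postscreen tests.
postscreen_dnsbl_sites =
    local.dnsbl.example*2,
    zen.spamhaus.org*3,
    list.dnswl.org=127.0.[0..255].[1..3]*-2
postscreen_dnsbl_threshold = 2
postscreen_dnsbl_whitelist_threshold = -1
postscreen_dnsbl_action = enforce

# --- /etc/postfix/postscreen_access.cidr ---
# "dunno" falls through to the other postscreen tests; use "permit" only
# when certain the host is not a bot, "reject" to refuse the netblock.
192.168.1.1     dunno
192.168.1.0/24  reject

# --- rbldnsd ip4set dataset for local.dnsbl.example (assumed syntax) ---
# Default reply for listed addresses, then netblocks; "!" marks an
# exclusion, which is the DNSBL analogue of the ordered CIDR rules.
:127.0.0.2:Listed locally
!192.168.1.1
192.168.1.0/24
```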
