 From:  Sven Brill <madde at gmx dot net>
 To:  "James W. McKeand" <james at mckeand dot biz>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] filter blacklist
 Date:  Wed, 04 Jan 2006 18:34:33 -0500
James W. McKeand wrote:

>Tim Vaughan wrote:
>
>>Presumably, providing a simple way to edit /etc/hosts directly would
>>be sufficient?  I'd like to be able to paste a big list of ad/spyware
>>etc. servers into it.
>
>If you are talking about blocking IPs/subnets I don't have any good
>ideas.  Creating a list of aliases then crafting the firewall rules to
>block traffic to/from these aliases would be a severe burden on your
>m0n0wall and maintenance would be time consuming. Your list of rules
>could be quite long...
Yes, I am talking about IPs and subnets. Here is a live example of my 
status.php:

@3 block in quick from 69.46.0.0/19 to any group 200
@4 block in quick from 218.84.0.0/14 to any group 200
These two networks (and about 20 others, some as far as /8) I identified 
a couple of months ago as "don't need it", either because one or more 
hosts pestered my web server or, in the case of the Chinese subnet, were 
used for sshd brute force attacks. Right now, I am blocking about 10 
networks like this through 10 individual rules. I have seen, for example 
in Mandrake MNF, a "configuration page" for such a blacklist, where the 
user can simply add unwanted networks and the rules get automatically 
generated and don't show up in the normal firewall rules page, simply for 
cosmetic reasons - basically separate the config into two pages, "general 
sh*tlist hosts/networks" and "relevant rules". Don't know how to describe 
it better; the more I think about it, it is a cosmetic thing to keep the 
rules page clean and manageable, while being able to keep unwanted IP 
blocks out - I don't know anyone in China or Romania who would have an 
interest in my little photo album on my webserver :)

You mentioned strain on the firewall, which is a valid point. Is there a 
way to quantify processor load for blocking entire subnets?

I might have some spare time coming up the next couple of weekends and 
start playing around with the VMWare image to see if I can whip up a 
page like that.

Thanks

Sven

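As an added example (not Sven's code and not part of m0n0wall), here is a small Python generator for the kind of blacklist page described in the post: it takes a pasted list of networks, rejects malformed entries, collapses overlapping or adjacent prefixes so the filter has fewer rules to walk, and emits ipfilter `block in quick` lines in the form shown in the status.php output above. The `group 200` tag is copied from that output and assumed to be where such rules belong; the sample list is constructed.

```python
import ipaddress

# Constructed sample input, as a user might paste it into a blacklist page:
# a comment, a bare host, overlapping prefixes, two adjacent /20s, one typo.
SAMPLE_BLACKLIST = """
# networks that only ever brute-forced sshd or scraped the photo album
69.46.0.0/19
69.46.16.0/24        # already inside the /19 above
218.84.0.0/14
218.84.1.5           # a single host, also inside the /14
10.0.0.0/20
10.0.16.0/20         # adjacent to the /20 above: both merge into a /19
not-a-network
"""

def parse_blacklist(text):
    """One network or host per line, '#' starts a comment.
    Returns (valid networks, rejected lines). A prefix with host bits set
    (e.g. 10.0.0.1/24) is rejected rather than silently masked, since a
    typo there usually means the admin meant a different network."""
    good, bad = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            good.append(ipaddress.IPv4Network(line, strict=True))
        except ValueError:
            bad.append(line)
    return good, bad

def collapse(networks):
    """Merge overlapping and adjacent prefixes: fewer rules for ipf to walk."""
    return list(ipaddress.collapse_addresses(networks))

def ipf_rules(networks, group=200):
    """Emit ipfilter rules in the form shown by m0n0wall's status.php."""
    return [f"block in quick from {n.with_prefixlen} to any group {group}"
            for n in networks]

def build_rules(text, group=200):
    """Pasted blacklist text -> (rule lines, rejected input lines)."""
    nets, rejected = parse_blacklist(text)
    return ipf_rules(collapse(nets), group), rejected

if __name__ == "__main__":
    rules, rejected = build_rules(SAMPLE_BLACKLIST)
    print("\n".join(rules), "\nrejected:", rejected)
```

On the sample input the six valid entries collapse to three rules, which is also a rough answer to the load question: what costs the filter is the number of rules it evaluates per packet, not the size of each subnet.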