At 03:34 PM 1/4/2006, Sven Brill wrote:
these two networks (and about 20 others, some as far as /8) I have
identified a couple of months ago as "don't need it", either because one or
more hosts pestered my web server or, in the case of the chinese subnet,
were used for sshd brute force attacks. right now, I am blocking about 10
networks like this through 10 individual rules. I have seen, for example in
Mndrake MNF, a "configuration page" for such a blacklist, where the user
can simply add unwanted networks and the rules get automatically generated
and don't show up in the normal firewall rules page, simply for cosmetic
reasons - basically separate the config into two pages, "general sh*tlist
hosts/networks" and "relevant rules". Don't know how to describe it better,
the more I think about it, it is a cosmetic thing to keep the rules page
clean and manageable, while being able to keep unwanted IP blocks out - I
don't know anyone in China or Romania who would have an interest in my
little photoalbum on my webserver :)
This is where layered aliasing would be nice and helpful. I think I opened
a RFE on pfsense for this, but have since come back to m0n0wall.
The concept, used in firewalls like NetscreenOS, allows you to maintain an
"group" which is an alias for one or more networks or hosts. Then you use
that group name in the Firewall Rules page.
Such an RFE would be useful for many purposes, not just your case, but it
would be perfect for you. You would maintain your "group" alias on one
page, simple and sweet, and never change your firewall (you'd re-apply it
on changes, naturally, but that's easy enough).
Netscreen OS allows you to alias hosts and networks, and then add those
aliases as members of groups, and then allow groups or other aliases to be
used in firewall policy definitions. It's very nice, I have an alias for
"bad hosts" and use it just the way you describe.
w dot plein at gmail dot com