 From:  w dot plein at gmail dot com
 To:  Sven Brill <madde at gmx dot net>, "James W. McKeand" <james at mckeand dot biz>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] filter blacklist
 Date:  Wed, 04 Jan 2006 15:49:42 -0800
At 03:34 PM 1/4/2006, Sven Brill wrote:
These two networks (and about 20 others, some as far as /8) I have 
identified a couple of months ago as "don't need it", either because one or 
more hosts pestered my web server or, in the case of the Chinese subnet, 
were used for sshd brute force attacks. Right now, I am blocking about 10 
networks like this through 10 individual rules. I have seen, for example in 
Mandrake MNF, a "configuration page" for such a blacklist, where the user 
can simply add unwanted networks and the rules get automatically generated 
and don't show up in the normal firewall rules page, simply for cosmetic 
reasons - basically separate the config into two pages, "general sh*tlist 
hosts/networks" and "relevant rules". Don't know how to describe it better, 
the more I think about it, it is a cosmetic thing to keep the rules page 
clean and manageable, while being able to keep unwanted IP blocks out - I 
don't know anyone in China or Romania who would have an interest in my 
little photoalbum on my webserver :)

This is where layered aliasing would be nice and helpful. I think I opened 
an RFE on pfSense for this, but have since come back to m0n0wall.

The concept, used in firewalls like NetscreenOS, allows you to maintain a 
"group" which is an alias for one or more networks or hosts. Then you use 
that group name in the Firewall Rules page.

Such an RFE would be useful for many purposes, not just your case, but it 
would be perfect for you. You would maintain your "group" alias on one 
page, simple and sweet, and never change your firewall (you'd re-apply it 
on changes, naturally, but that's easy enough).

Netscreen OS allows you to alias hosts and networks, and then add those 
aliases as members of groups, and then allow groups or other aliases to be 
used in firewall policy definitions. It's very nice; I have an alias for 
"bad hosts" and use it just the way you describe.

w dot plein at gmail dot com
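
The layered aliasing described in this message, sketched as an added example (not code from the thread, m0n0wall or NetscreenOS): host and network aliases are members of a group, and the group expands into one block rule per collapsed network. The alias names, the documentation-range addresses, the interface name `wan0` and the ipfilter-style rule text are all assumptions made for illustration.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not from the thread).
ALIASES = {
    "web_pests": ["198.51.100.0/24", "198.51.100.128/25"],  # overlapping entries
    "ssh_brute": ["203.0.113.0/25", "203.0.113.128/25"],    # adjacent halves
    "one_host":  ["192.0.2.7"],
    "bad_hosts": ["web_pests", "ssh_brute", "one_host"],    # group of aliases
}

def resolve(name, aliases, _stack=()):
    """Expand an alias or group into a set of ip_network objects."""
    if name in _stack:
        # A group that (indirectly) contains itself would recurse forever.
        raise ValueError("alias loop: " + " -> ".join(_stack + (name,)))
    nets = set()
    for member in aliases[name]:
        if member in aliases:   # nested alias or group
            nets |= resolve(member, aliases, _stack + (name,))
        else:                   # literal host or network; typos raise ValueError
            nets.add(ipaddress.ip_network(member, strict=True))
    return nets

def block_rules(group, aliases, iface="wan0"):
    """Return one ipfilter-style block rule per collapsed network in the group."""
    # collapse_addresses merges overlapping and adjacent networks, so the
    # generated rule set stays as small as the blacklist allows.
    nets = ipaddress.collapse_addresses(resolve(group, aliases))
    return [f"block in quick on {iface} from {n} to any" for n in nets]

if __name__ == "__main__":
    for rule in block_rules("bad_hosts", ALIASES):
        print(rule)
```

Editing the blacklist then means changing only the alias table; the rule that references `bad_hosts` stays the same and is regenerated on apply.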