On Sat, Apr 12, 2003 at 07:24:42PM +1200, Wayne McDougall wrote:
> What I want to achieve is to filter based on a reverse name lookup on a source (and ideally destination) IP on initiating a connection.

Doing this dynamically is going to get very hairy very quickly IMO.

An alternative is to go via the whois info on the IP block an IP is in. A quick check on your own IP includes info about the APNIC (Asia/Pacific NIC) registry at http://www.apnic.net/db/; looking a little further on that page reveals:

http://ftp.apnic.net/stats/apnic/

The latest file from there is:

http://ftp.apnic.net/stats/apnic/apnic-2003-04-01

and the fields are explained at:

ftp://ftp.apnic.net/pub/apnic/stats/apnic/_README-apnic-stats.txt

It should be possible to use this information to create a list of IP blocks in CIDR notation that are assigned to NZ, and from that generate a list of rules for firewalling/traffic shaping.

Of course, when dealing with a great number of rules like this you should take the advice someone else offered, which is to aggregate the blocks into chunks, with top-level rules distinguishing between the chunks jumping to chains that deal with smaller sub-chunks, and so on down to chains containing a few actual IP blocks. This way you minimise the number of rules traversed for any given block.

HTH,

-Ath
-- 
- Athanasius = Athanasius(at)miggy.org / http://www.miggy.org/
Finger athan(at)fysh.org for PGP key
"And it's me who is my enemy. Me who beats me up. Me who makes the monsters. Me who strips my confidence." Paula Cole - ME
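[Editor's added example, not part of the thread above.] The approach Athanasius sketches has two steps that are easy to get wrong by hand: the APNIC delegated-stats file gives each block as a start address plus an address count, and a count is not always a power of two, so one record can need several CIDR prefixes; and a flat list of a few hundred `-s` rules is slow to traverse, hence the chunking into sub-chains. The Python below does both. It parses lines in the `registry|cc|type|start|value|date|status` layout the APNIC README describes, turns each IPv4 record into the minimal set of CIDR blocks, collapses adjacent blocks, and emits iptables commands that first jump on the /8 chunk and only then test the individual blocks. The stats lines are constructed for the example (they are not copied from the real 2003 file), and the chain names (`NZ_SRC`, `NZ_SRC_203_0_0_0`), the /8 chunk size and the `ACCEPT` target are assumptions you would tune to your own ruleset.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of the APNIC delegated-stats format (NOT real data):
#   version header, per-type summary lines, then one record per block as
#   registry|cc|type|start|value|date|status.  For ipv4 records "value" is
#   the number of addresses; for ipv6 it is a prefix length, which is why
#   the CIDR conversion below only handles ipv4.
SAMPLE_STATS = """\
2|apnic|20030401|6|19930901|20030401|+1000
apnic|*|ipv4|*|5|summary
apnic|*|ipv6|*|1|summary
apnic|NZ|ipv4|202.27.0.0|65536|19930901|allocated
apnic|NZ|ipv4|203.96.0.0|65536|19940407|allocated
apnic|NZ|ipv4|203.97.0.0|65536|19940512|allocated
apnic|AU|ipv4|203.0.0.0|65536|19940201|allocated
apnic|NZ|ipv4|210.48.0.0|24576|19980801|assigned
apnic|NZ|ipv6|2001:0df0::|32|20030101|allocated
"""


def parse_delegated(text, cc, addr_type="ipv4"):
    """Return [(start, count), ...] for records of one country and address type."""
    ranges = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7:
            continue  # version header and summary lines have fewer fields
        _registry, country, kind, start, value, _date, _status = fields[:7]
        if country != cc or kind != addr_type:
            continue
        ranges.append((start, int(value)))
    return ranges


def to_networks(ranges):
    """Convert (start, count) pairs to the minimal list of IPv4 CIDR blocks.

    summarize_address_range splits a non-power-of-two count (e.g. 24576 =
    16384 + 8192) into the fewest prefixes; collapse_addresses then merges
    neighbouring blocks from separate records into one larger prefix.
    """
    nets = []
    for start, count in ranges:
        first = ipaddress.IPv4Address(start)
        last = first + (count - 1)
        nets.extend(ipaddress.summarize_address_range(first, last))
    return list(ipaddress.collapse_addresses(nets))


def country_blocks(text, cc):
    """CIDR strings for every IPv4 block delegated to country code `cc`."""
    return [str(n) for n in to_networks(parse_delegated(text, cc))]


def iptables_rules(networks, chain="NZ_SRC", chunk_prefix=8, target="ACCEPT"):
    """Emit iptables commands: one top-level chain that jumps per /chunk_prefix
    supernet into a sub-chain holding only the blocks inside that chunk, so a
    packet traverses a handful of rules instead of the whole list.
    Chain names here are assumptions; iptables limits them to 28 characters.
    """
    chunks = defaultdict(list)
    for net in networks:
        chunks[net.supernet(new_prefix=chunk_prefix)].append(net)

    rules = [f"iptables -N {chain}"]
    for chunk, nets in sorted(chunks.items()):
        sub = f"{chain}_{str(chunk.network_address).replace('.', '_')}"
        rules.append(f"iptables -N {sub}")
        rules.append(f"iptables -A {chain} -s {chunk} -j {sub}")
        for net in nets:
            rules.append(f"iptables -A {sub} -s {net} -j {target}")
    rules.append(f"iptables -A {chain} -j RETURN")  # not matched: back to caller
    return rules


if __name__ == "__main__":
    nz = to_networks(parse_delegated(SAMPLE_STATS, "NZ"))
    for rule in iptables_rules(nz):
        print(rule)
```

Fed the real `apnic-YYYY-MM-DD` file instead of `SAMPLE_STATS`, `country_blocks(open(path).read(), "NZ")` gives the CIDR list, and the generated `NZ_SRC` chain can be called from INPUT with a single `-j NZ_SRC`. The AU record and the ipv6 record are deliberately present in the sample so the filter is exercised; the two adjacent /16s collapse to a /15 and the 24576-address record becomes a /18 plus a /19.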