Re: Blocking Netranges Based on IP-to-Country CSV

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I understand to permit connections only comming from 1-2 countryes for
reasons like cheap  and huge bandwith from your country but very
expensive and low bandwith from the rest of internet (I actually done
this, permitting only from Romania, check metropolitana.loginet.ro
with a workarround for eliminating huge numbers of iptables rules,
there are also romanian ips), but permitting everybody excepting some
countryes doesnt count for security reasons, kiddies/crackers use
compromised machines from all world to continue their "work".


On Mon, 20 Sep 2004 08:26:11 -0400, Chris Brenton
<cbrenton@xxxxxxxxxxxxxxxx> wrote:
> On Mon, 2004-09-20 at 08:06, Thomas Lußnig wrote:
> >
> > - Extereme overload for IP-tables since it need extreme large table of
> > ip lists
> 
> I beg to disagree. Most range blocking is done more on a region basis
> rather than by individual country (i.e. permit countries in Europe but
> maybe block Asia-Pacific). Given that IP ranges are delegated in large
> blocks (class A and B being the norm), it actually takes very few rules.
> For example I've had iptables firewalls pushing 400 Mb with region based
> filtering in place. Worked like a champ.
> 
> > - Is extreme faulty since IP's are not original assinged to country but
> > locations like Europe.
> 
> Agreed, so if you are trying to target a specific country, you may run
> into problems in areas like Europe. Blocking by region is less of an
> issue but you can still run into problems (like class A blocks in Asia
> that are also used in Australia, etc.).
> 
> > - How you wan't to do the next step someone say i not wan't to select
> > based on country bot wan't different web server
> >  for region's with different main language. ASIA -> UTF8/Chinese Europe
> > Latin1/Frensh,German,English America => Spain/english
> 
> Actually, I'm pretty sure you could do this today with Squid. ;-)
> 
> Obviously a portion of this is "intent". If its to reduce risk, its one
> thing. Banning based on color or creed is another. For example there are
> Spanish people all over the world so banning based on the language
> sounds like its more about discrimination rather than lowering risk.
> 
> HTH,
> Chris
> 
> 



-- 
Bla bla



[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux