On 15 Oct 2003, Jason Dixon wrote:

> On Wed, 2003-10-15 at 16:47, lrnobs wrote:
>
> > > You could instead say...
> > > I don't like cars that are not Blue.
> > >
> > > In other words, exclude all traffic that is not from America instead of
> > > the other way around.
> >
> > Does anyone know of a way to do this? Are the IP ranges assigned to
> > American networks published somewhere?

It's easier to go the reverse route, exclude some known foreign networks.

See http://www.iana.org/assignments/ipv4-address-space

My strategy was to block RIPE, APNIC and LACNIC, as those networks I KNOW have no business talking to my servers via ssh (for example). The list is fairly small once input in iptables, performance is a non issue.

> This type of information could probably be gathered via NANOG or the
> ICANN site. However, if I haven't stressed it enough already, I highly
> suggest you avoid this route. IT WILL NOT WORK like you intend.
> Remember, IP addresses are easily spoofed.

I disagree. You're correct, this is no defense against spoofing, but it certainly does raise the bar for potential attackers. And for the cost of setting it up, the payoff is more than enough. Blocking these IP ranges is certainly no replacement for good practices (patching, thoughtful configuration, etc.).

$.02

Bill Carlson
--
Systems Administrator wcarlson@xxxxxx    | Anything is possible,
Virtual Hospital http://www.vh.org/      | given time and money.
University of Iowa Hospitals and Clinics | Opinions are mine, not my employer's.
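
As an added example, not part of the original message: one way to derive such a block list from the registry the message links to, assuming it is available as CSV with the prefix in the first field and the designation in the second. `sample_registry` and `gen_rules` are hypothetical names, and the embedded rows are constructed sample data.

```shell
#!/bin/sh
# Added example: turn IANA registry rows into reviewable iptables commands.

# Constructed sample rows in the assumed CSV layout
# (Prefix,Designation,Date,WHOIS,RDAP,Status,Note); not real registry data.
sample_registry() {
cat <<'EOF'
Prefix,Designation,Date,WHOIS,RDAP,Status [1],Note
010/8,IANA - Private Use,1995-06,,,RESERVED,
058/8,APNIC,2004-04,whois.apnic.net,,ALLOCATED,
062/8,RIPE NCC,1997-04,whois.ripe.net,,ALLOCATED,
063/8,ARIN,1997-04,whois.arin.net,,ALLOCATED,
200/8,LACNIC,2002-11,whois.lacnic.net,,ALLOCATED,
EOF
}

# gen_rules RIR...  (hypothetical helper)
# Reads registry CSV on stdin and prints one DROP rule for inbound ssh
# (tcp/22) per /8 whose designation exactly matches one of the arguments.
# It only prints commands, so the list can be reviewed before it is loaded.
gen_rules() {
    while IFS=, read -r prefix designation _rest; do
        case "$prefix" in
            [0-9][0-9][0-9]/8) ;;      # well-formed /8 row
            *) continue ;;             # header, blank or unexpected line
        esac
        octet=${prefix%/8}
        octet=$((1$octet - 1000))      # "058" -> 58 without octal parsing
        [ "$octet" -le 255 ] || continue
        for rir in "$@"; do
            if [ "$designation" = "$rir" ]; then
                echo "iptables -A INPUT -p tcp --dport 22 -s ${octet}.0.0.0/8 -j DROP"
            fi
        done
    done
}

# The three registries named in the message above.
sample_registry | gen_rules "RIPE NCC" APNIC LACNIC
```

Rows with any other designation, such as reserved or private-use blocks, produce no rule, so the output can be diffed against the previous list whenever the registry file changes.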