Darren

Why so quick to throw out DNS? It seems to me that DNS has much more accurate information and that can be obtained from local servers rather than having to rely on an external server.

Terry
----- Original Message ----- From: "Darren Reed" <[EMAIL PROTECTED]>
To: "IP Filter" <[email protected]>
Sent: Monday, December 08, 2008 5:48 AM
Subject: Using WHOIS information in filter rules


The other day, someone asked me:
"How do I block all the packets to/from Microsoft?"

They wanted to block *.microsoft.com as well as *.microsoft.cn, etc.
Not just www.microsoft.com.
I thought about it for a second, realising that DNS was not the answer
but perhaps WHOIS is.

But how to tie it all together...

Somehow it should fit in with ippool, that much is obvious.
But the bigger question is, should ippool connect to the WHOIS
server itself or should it load it from a file and some other
mechanism puts the information in the file. While I was tending
towards the former at first, that seems not very useful because:
1) adds an arbitrary delay to the loading of ipf data
2) if the WHOIS data can't be downloaded, it might be a
  transient failure that can't easily be dealt with
  at the time of loading rules and could result in
  a suboptimal firewall configuration


The only caveat is:
1) someone or something needs to remember to refresh the
  local cache of WHOIS information

What would the configuration look like?

Something like this if it was direct from a server:

pool ipf/in tree (name microsoft;) { whois server ws.arin.net name microsoft; };

Or

pool ipf/in tree (name microsoft;) { whois file /etc/ipf/microsoft.whois; };

And then in ipf.conf:
block in quick from microsoft/pool to any

Thoughts?

Darren
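As an added example (not code from Darren's message or from the IP Filter project), the following Python script shows the "whois file" approach sketched above: it parses a locally cached WHOIS answer into prefixes, collapses adjacent ones, writes them out in the pool syntax the message proposes, and reports whether the cache is due for a refresh. The WHOIS text is constructed, and the cache path, the weekly refresh policy and the exact pool syntax are assumptions.

```python
"""Turn a cached WHOIS answer into an ippool definition file."""
import ipaddress
import os
import re
import time

# Constructed sample of a cached WHOIS lookup (ARIN-style output);
# real answers also carry comments, contacts and other fields we ignore.
SAMPLE_WHOIS = """\
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-NET-1
CIDR:           198.51.100.0/25, 198.51.100.128/25
NetRange:       203.0.113.0 - 203.0.113.63
"""

MAX_AGE = 7 * 24 * 3600          # assumed policy: refresh the cache weekly
NETRANGE = re.compile(r"^NetRange:\s*(\S+)\s*-\s*(\S+)")

def extract_prefixes(whois_text):
    """Collect networks from CIDR: and NetRange: lines, then collapse
    duplicates and adjacent blocks (v4 and v6 are collapsed separately)."""
    nets = []
    for line in whois_text.splitlines():
        if line.startswith("CIDR:"):
            for item in line.split(":", 1)[1].split(","):
                nets.append(ipaddress.ip_network(item.strip(), strict=False))
        elif (m := NETRANGE.match(line)):
            first, last = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
            nets.extend(ipaddress.summarize_address_range(first, last))
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def render_pool(name, prefixes):
    """Emit the pool in the 'pool ipf/in tree (name X;) { ... };' form
    the message sketches (assumed syntax, not verified against ippool)."""
    body = "".join(f"\t{n};\n" for n in prefixes)
    return f"pool ipf/in tree (name {name};) {{\n{body}}};\n"

def cache_is_stale(path, max_age=MAX_AGE, now=None):
    """True if the cached WHOIS file is missing or older than max_age,
    so the caveat in the message (someone must refresh it) is visible."""
    if not os.path.exists(path):
        return True
    return (now or time.time()) - os.path.getmtime(path) > max_age

if __name__ == "__main__":
    print(render_pool("microsoft", extract_prefixes(SAMPLE_WHOIS)), end="")
    print("stale:", cache_is_stale("/etc/ipf/microsoft.whois"))  # assumed path
```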


