David Kramer <[EMAIL PROTECTED]> wrote:
>
> I would like to start putting in firewall rules to block ANYTHING
> from certain domain names.

What sounds simple on the surface is often not-so-simple underneath.

> For instance, I'll often get hit from (something).sp.mandic.com.br,
> but there doesn't seem to be a contiguous IP range.

What do you mean by "get hit"?

> I think I figured out that I need
>         ipfwadm -I -a deny -S mandic.com.br
> to do that.  Will that block (something).sp.mandic.com.br?

No.  The IP forwarding rules work on just that:  IP addresses.  They
know nothing about domain names.  In fact, there is never a direct way
to translate between a domain name and an IP address.  For every IP
address, you must perform a DNS reverse-lookup in order to find out what
name (if any!) is associated with an IP address.  This is complicated by
the fact that there can be more than one name that maps to an IP
address, and there is not necessarily a reverse-mapping from the IP
address back to a name, plus the fact that DNS services can be slow, or
unavailable at times, and you certainly don't want your kernel to BLOCK
and WAIT for the name server to answer and tell you whether you should
drop or forward this packet that just came in...

Anyway, what you want to do is lookup these various hosts, and either
block their specific IP's, or block the subnet(s) on which they exist.
You could probably use the nslookup command "ls" to get a listing of the
domain, as I've done here:

    % nslookup

    Default Server:  zero.foxtaur.com
    Address:  192.0.2.5

    > set type=ns
    > sp.mandic.com.br.

    Server:  zero.foxtaur.com
    Address:  192.0.2.5

    sp.mandic.com.br        nameserver = gandalf.mandic.com.br
    sp.mandic.com.br        nameserver = merlim.mandic.com.br
    sp.mandic.com.br        nameserver = oz.mandic.com.br
    sp.mandic.com.br        nameserver = hermes.mandic.com.br
    gandalf.mandic.com.br   internet address = 200.246.227.152
    merlim.mandic.com.br    internet address = 200.246.227.35
    oz.mandic.com.br        internet address = 200.246.125.3
    hermes.mandic.com.br    internet address = 200.246.125.5

    > server gandalf.mandic.com.br
    Default Server:  gandalf.mandic.com.br
    Address:  200.246.227.152

    > ls mandic.com.br.
    [gandalf.mandic.com.br]

  [... lots and lots of hostnames and IP addresses...]

So then you can go through this list and either group them into subnets
for blocking, or just make a specific rule for hosts that you know you
don't want to hear from.

> Also, how would I check it?  I've been trying variants of
>         ipfwadm -I -c -S (ip address) -W eth0
> but whatever I try, I get one error message or another.

I have never used the -c option to ipfwadm, but from what I read on the
subject, it seems that you must be very specific when you give it the
parameters.  That is, you can't just ask "What if a packet had this
source address?"  You must give a specific question, like "What if this
packet had this source address, this source port, that destination
address, that port, was protocol UDP, and came in on this interface?"
Essentially, specify every option that there is.

    ipfwadm -I -c -S 192.0.2.5 1234 -D 192.168.1.45 23 -P tcp -W eth0

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)      || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  ||  butter quite like unrequited love."
  http://www.dallas.net/~fox/      ||                       -- Charlie Brown
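As an added example (not part of the thread, nor ipfwadm's own tooling), a small Python script that does what the reply describes: it reads a name/address listing of the kind the nslookup "ls" command produces, collapses hosts that share a /24 into one subnet rule, and emits "ipfwadm -I -a deny" lines for the rest as single hosts. The listing, the example.com.br names, the /24 grouping threshold and the eth0 interface are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed name/address listing standing in for "nslookup> ls" output
# (names and addresses are made up; NS-style lines are skipped by the parser).
SAMPLE_LISTING = """\
gandalf.example.com.br    200.246.227.152
merlim.example.com.br     200.246.227.35
oz.example.com.br         200.246.125.3
hermes.example.com.br     200.246.125.5
dial01.sp.example.com.br  200.246.227.10
dial02.sp.example.com.br  200.246.227.11
lone.example.com.br       198.51.100.77
example.com.br            nameserver = gandalf.example.com.br
"""

def parse_listing(text):
    """Return the IPv4 addresses found in a 'name address' listing."""
    addrs = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addrs.append(ipaddress.IPv4Address(parts[-1]))
        except ipaddress.AddressValueError:
            continue  # nameserver lines, comments, malformed entries
    return addrs

def group_into_subnets(addrs, prefix=24, min_hosts=2):
    """Block a whole /prefix when at least min_hosts fall in it, else single hosts."""
    buckets = defaultdict(set)
    for a in addrs:
        buckets[ipaddress.ip_network(f"{a}/{prefix}", strict=False)].add(a)
    nets = []
    for net, members in buckets.items():
        if len(members) >= min_hosts:
            nets.append(net)
        else:
            nets.extend(ipaddress.ip_network(f"{m}/32") for m in members)
    return sorted(nets)

def ipfwadm_rules(nets, iface="eth0"):
    """One 'ipfwadm -I -a deny' rule per network, matching on source address."""
    return [f"ipfwadm -I -a deny -S {n.with_prefixlen} -W {iface}" for n in nets]

if __name__ == "__main__":
    for rule in ipfwadm_rules(group_into_subnets(parse_listing(SAMPLE_LISTING))):
        print(rule)
```

Re-run it whenever the listing changes, since the names keep resolving to different addresses while the kernel rules only ever see the IPs you gave it.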