Jérôme Blion wrote:
> Hello,
>
> I would like to drop all FTP traffic from the Internet to one server, except
> from:
> - my fixed IP
> - an ISP which I will consider as "acceptable"
>
> Actually, my rules file mentions:
> FTP/ACCEPT net fw
>
> The ISP I want to allow has several IP ranges:
>
> 195.132.0.0-195.132.255.255
> [... cut a dozen of IP ranges here ...]
> 89.2.0.0-89.3.255.255
>
> (I got them from the RIPE database)
>
> I would like to know if this way to work is good:
> - define the zone "nc" in the zones file
> - define the IP ranges related to this zone in the hosts file
> - use the zone in my rules file.
>
> Is it the correct way to work?
In my view, any scheme that uses a packet filter like Shorewall/Netfilter to filter by ISP is wrong. Run an FTP server built with tcpwrappers (or run it under inetd) and use two entries in /etc/hosts.allow (or in the inetd config) to select the allowed hosts.

I'm assuming that reverse DNS lookup can also be used to identify this ISP, right?

-Tom

-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
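As an added illustration of the tcpwrappers approach Tom suggests (this is not from the original thread and not Shorewall's or tcp_wrappers' own documentation), here is what the two files could look like for an FTP daemon started from inetd through tcpd. The daemon name in.ftpd, the fixed address 192.0.2.10 and the .isp.example domain suffix are placeholders; the two ISP ranges are the ones quoted in the question, rewritten in the net/mask form that hosts_access(5) accepts.

```text
# /etc/hosts.allow  (consulted first; the first matching line wins)
# "in.ftpd" is the name inetd hands to tcpd; adjust it to your daemon.
# 192.0.2.10 stands in for the poster's fixed IP (placeholder).
in.ftpd: 192.0.2.10

# 195.132.0.0/255.255.0.0 covers 195.132.0.0-195.132.255.255
# 89.2.0.0/255.254.0.0   covers 89.2.0.0-89.3.255.255 (two adjacent /16s)
in.ftpd: 195.132.0.0/255.255.0.0 89.2.0.0/255.254.0.0

# Variant keyed on reverse DNS, as Tom asks about. tcpd refuses a client
# whose PTR record and forward lookup disagree (the PARANOID check), so
# this only works for an ISP with consistent reverse DNS. Placeholder domain.
# in.ftpd: .isp.example

# /etc/hosts.deny  (reached only when nothing in hosts.allow matched)
in.ftpd: ALL
```

The existing Shorewall rule `FTP/ACCEPT net fw` stays as it is, since the packets still have to reach the daemon for tcpd to make its decision. tcpd evaluates only the incoming control connection; once a client is admitted, the data connections are the FTP daemon's business. The netmask must be written out in dotted form as above; check `man 5 hosts_access` on the server before relying on the shorter `/prefix` syntax, which not every tcp_wrappers build understands.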
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
