Tom Eastep wrote:
> Jérôme Blion wrote:
>   
>> Hello,
>>
>> I would like to drop all FTP traffic from Internet to one server, except 
>> from:
>>  - my fixed IP
>>  - an ISP which I will consider as "acceptable"
>>
>> Actually, my rules file mentions:
>> FTP/ACCEPT      net                     fw
>>
>> The ISP I want to allow has several IP ranges:
>>
>> 195.132.0.0-195.132.255.255
>> [... cut a dozen of IP ranges here ...]
>> 89.2.0.0-89.3.255.255
>>
>> (I got them from the RIPE database)
>>
>> I would like to know if this way to work is good:
>>  - define the zone "nc" in zones files
>>  - define IP ranges related to this zone in hosts file
>>  - use the zone in my rules file.
>>
>> Is it the correct way to work ?
>>     
>
> In my view, any scheme that uses a packet filter like
> Shorewall/Netfilter to filter by ISP is wrong. Run an FTP server built
> with tcpwrappers (or run it under inetd) and use two entries in
> /etc/hosts.allow (or in the inetd config) to select the allowed hosts.
> I'm assuming that reverse DNS lookup can also be used to identify this
> ISP, right?
>
> -Tom
>   
Hello,

AFAIK, I think that "*.rev.numericable.fr" should match them.
I ran a test... With /etc/hosts.deny : ALL: ALL and an empty 
/etc/hosts.allow, I've got:

    serveur:~# nmap <thehostname> -P0 -p21

    Starting Nmap 4.76 ( http://nmap.org ) at 2009-05-23 11:41 CEST
    Interesting ports on <thehostname> (<theIPaddress>):
    PORT   STATE SERVICE
    21/tcp open  ftp

    Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
    serveur:~# ftp <thehostname>
    Connected to <thehostname>.
    421 Service not available, remote server has closed connection

I will look at the inetd documentation to have something that fits my needs.

Thanks for your answer :-)
Jerome Blion.
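
For readers checking an /etc/hosts.allow and /etc/hosts.deny pair like the one discussed above before deploying it, here is an added example (not from the thread or the Shorewall project) that emulates the hosts_access(5) matching order offline. Note that hosts_access has no `*` glob: the reverse-DNS rule for the ISP is written as the leading-dot suffix `.rev.numericable.fr`. The daemon name `in.ftpd`, the fixed address 203.0.113.7 and the client addresses are constructed placeholders.

```python
import ipaddress

# Constructed sample access files in hosts_access(5) syntax: a leading dot
# matches a domain suffix, a trailing dot an address prefix, n.n.n.n/m.m.m.m
# a netmask, ALL everything. 'in.ftpd' and 203.0.113.7 are placeholders
# standing in for the FTP daemon and the fixed IP from the thread.
HOSTS_ALLOW = """
in.ftpd: 203.0.113.7
in.ftpd: .rev.numericable.fr
"""
HOSTS_DENY = "ALL: ALL\n"   # refuse every other client for every daemon


def _token_matches(pattern, addr, host):
    """Match one client pattern against an IPv4 address and its reverse name."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                 # domain suffix
        return host is not None and host.endswith(pattern)
    if pattern.endswith("."):                   # address prefix, e.g. "195.132."
        return addr.startswith(pattern)
    if "/" in pattern:                          # network/netmask
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr or pattern == host   # exact address or host name


def _parse(text):
    """Yield (daemon_list, client_list) per rule line; '#' starts a comment."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = line.split(":", 2)
            yield [f.replace(",", " ").split() for f in fields[:2]]


def _file_matches(text, daemon, addr, host):
    for daemons, clients in _parse(text):
        if any(d in ("ALL", daemon) for d in daemons) and \
           any(_token_matches(c, addr, host) for c in clients):
            return True
    return False


def access_allowed(daemon, addr, host=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: first match in hosts.allow grants, then first match in
    hosts.deny refuses, otherwise access is granted. Pass 'host' only when
    the reverse name also forward-resolves back to 'addr'; otherwise pass
    None, which is how tcpd treats a failed or inconsistent lookup."""
    if _file_matches(allow, daemon, addr, host):
        return True
    if _file_matches(deny, daemon, addr, host):
        return False
    return True
```

A client whose reverse lookup fails never matches the domain-suffix rule and falls through to `ALL: ALL`, which is the behaviour you want for the "acceptable ISP" case.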

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
