Brian J. Murrell wrote:
> On Fri, 2009-05-22 at 17:36 -0700, Tom Eastep wrote:
>> I'm assuming that reverse DNS lookup can also be used to identify this
>> ISP, right?
>
> And could also allow anyone else to spoof themselves as being from said
> ISP. Personally, I would not trust an in-addr.arpa result in any way
> other than informative.
It's hard to know which will be the most inaccurate; in-addr.arpa or a large manually-maintained list of networks. As Brian points out, the former is likely to be over-inclusive where the latter is almost guaranteed to be under-inclusive most of the time.

Probably the best way to represent the list of networks is to use a 'nethash' ipset. Load the ipset (call it trusted) with the network addresses, then change the rule to:

    FTP/ACCEPT net:+trusted,<the one trusted address> fw

The ipset needs to be loaded at boot time -- you can use /etc/shorewall/init to do that if you are careful to only create/load it when it doesn't already exist.

Of course the whole notion that users at a particular ISP are to be trusted and the rest of the world is not to be trusted is extremely questionable at the outset.

-Tom
-- 
Tom Eastep           \ When I die, I want to go like my Grandfather who
Shoreline,            \ died peacefully in his sleep. Not screaming like
Washington, USA        \ all of the passengers in his car
http://shorewall.net    \________________________________________________
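The boot-time loading Tom describes, written out as an added example that is not from the original thread or from the Shorewall project: a sketch of an /etc/shorewall/init fragment that creates the 'trusted' nethash set only when it is absent and fills it from a networks file, so a restart never wipes the set the FTP/ACCEPT rule matches against. The set name, the file path /etc/shorewall/trusted-networks, the sample networks and the input filtering are assumptions.

```shell
#!/bin/sh
# Example /etc/shorewall/init fragment (assumed layout, not Shorewall's own code).
# Creates the 'trusted' nethash ipset once and fills it from a networks file,
# so the rule  FTP/ACCEPT net:+trusted,<the one trusted address> fw  always has
# a populated set to match. Re-creating an existing set would empty it, so the
# loader is skipped when the set is already present.

SETNAME=trusted
NETFILE=/etc/shorewall/trusted-networks   # assumed path; one CIDR per line

# Constructed sample contents of $NETFILE (documentation only):
#   192.0.2.0/24        # ISP block A
#   198.51.100.0/25     # ISP block B
#   203.0.113.7         # a single host is accepted as well

# Read network entries on stdin, drop '#' comments and blank lines, and keep
# only dotted-quad IPv4 entries with an optional /0-/32 prefix. Anything else
# is silently dropped so a typo never ends up as a junk ipset member.
filter_networks() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Succeeds when the named set already exists (created on an earlier start).
set_exists() {
    ipset -L "$1" >/dev/null 2>&1
}

# Create and populate the set only if it is not already loaded.
# Uses the classic -N/-A spelling; newer ipset releases also accept
# 'ipset create trusted hash:net' and 'ipset add trusted <net>'.
load_trusted_set() {
    command -v ipset >/dev/null 2>&1 || { echo "ipset not installed" >&2; return 1; }
    if set_exists "$SETNAME"; then
        return 0
    fi
    [ -r "$NETFILE" ] || { echo "cannot read $NETFILE" >&2; return 1; }
    ipset -N "$SETNAME" nethash || return 1
    filter_networks < "$NETFILE" | while read -r net; do
        ipset -A "$SETNAME" "$net" || echo "warning: could not add $net" >&2
    done
}

load_trusted_set || echo "warning: $SETNAME ipset was not loaded" >&2
```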
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
