Tom Eastep wrote:
> Brian J. Murrell wrote:
>   
>> On Fri, 2009-05-22 at 17:36 -0700, Tom Eastep wrote:
>>     
>>> I'm assuming that reverse DNS lookup can also be used to identify this
>>> ISP, right?
>>>       
>> And could also allow anyone else to spoof themselves as being from said
>> ISP.  Personally, I would not trust an in-addr.arpa result in any way
>> other than informative.
>>     
>
> It's hard to know which will be the most inaccurate; in-addr.arpa or a
> large manually-maintained list of networks. As Brian points out, the
> former is likely to be over-inclusive where the latter is almost
> guaranteed to be under-inclusive most of the time.
>
> Probably the best way to represent the list of networks is to use a
> 'nethash' ipset. Load the ipset (call it trusted) with the network
> addresses, then change the rule to:
>
> FTP/ACCEPT    net:+trusted,<the one trusted address>     fw
>
> The ipset needs to be loaded at boot time -- you can use
> /etc/shorewall/init to do that if you are careful to only create/load it
> when it doesn't already exist.
>
> Of course the whole notion that users at a particular ISP are to be
> trusted and the rest of the world is not to be trusted is extremely
> questionable at the outset.
>
> -Tom
>   
Hi

I'm trying to fight against credit card fraudsters. I discovered they use 
password sniffers to gain access to web servers to infect .html, .js, 
.php files.

The server on which I want to do that has been compromised by these 
fraudsters. They downloaded all files in the FTP jail, modified them (by a 
script) and uploaded the modified files to the FTP. The modified files try to 
redirect users to malicious webpages.

So, my goal is to restrict the FTP access to my computer and to the 
server's owner... I have a static IP. The other does not. So I need to 
find a way to allow FTP for her. It was previously open to anyone. So 
blocking most people is less bad than before. (I know, FTP is 
insecure, it's off topic)

I think a firewall can provide me an easy way to reach a working start 
point.

HTH.
Jerome Blion
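
One way to do the guarded boot-time load of the `trusted` ipset that Tom describes above, as an added example that is not part of the original thread. It assumes ipset v6+ syntax; the function names are hypothetical and the networks are constructed placeholder values.

```shell
# Added example for /etc/shorewall/init; not from the original thread.
# Assumes ipset v6+ syntax (hash:net is the current name for nethash).
TRUSTED_SET=trusted                     # set name used in the rule above
TRUSTED_NETS='
# constructed sample networks (RFC 5737 documentation ranges)
192.0.2.0/24
198.51.100.0/25
203.0.113.128/26
'

# Return 0 only for a well-formed IPv4 network in a.b.c.d/len form.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case $len in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print "ipset restore" input; fail on any malformed entry so a typo
# cannot produce a partial or over-broad allowlist.
trusted_restore_input() {
    echo "create $TRUSTED_SET hash:net family inet"
    while read -r net rest; do
        case $net in ''|'#'*) continue ;; esac
        valid_cidr "$net" || { echo "bad network: $net" >&2; return 1; }
        echo "add $TRUSTED_SET $net"
    done <<EOF
$TRUSTED_NETS
EOF
}

# Create and fill the set only when it does not already exist, so a
# restart leaves a live set (and any later additions) untouched.
load_trusted() {
    ipset list "$TRUSTED_SET" >/dev/null 2>&1 && return 0
    input=$(trusted_restore_input) || return 1
    printf '%s\n' "$input" | ipset restore
}

# In /etc/shorewall/init, finish with:  load_trusted
```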

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
