The question I had was is this better implemented in iptables (my preference is there) or in the proxy?
In the normal realm of dealing with people who desire to block most or all countries from accessing their system to limit exposure, I compiled a CIDR list (no space, separated by commas) of all countries except USA and saw that it is around 130,000 characters in length (83k CIDR entries). So the question begs: "what would be the proxy impact of this?"

Since it might be easier to implement as a blacklist in the proxy, I found it impractical to use because of the 1000 character limit imposed. So if we send this to the proxy as a blacklist, I wonder about performance. I have an iptables script that can be run to block this via iptables, but it takes at least 10 minutes to turn it on and make it add each country zone by script.

I am thinking a plugin might be more elegant and am looking at cfengine as well. I just need to see how I can marry the script to run via a cron job to auto update the zone files and use the iptables argument within cfengine.

Ideally we could extend this to sipxconfig and have it manage a script and allow the admin to check the countries to be blocked. It really makes it simpler to deploy in a virtual center somewhere this way, which is where everyone is headed.

On Fri, Aug 17, 2012 at 8:30 AM, Joegen Baclor <[email protected]> wrote:

> If a firewall can do it without winking, I don't see why we can't. The
> only difference is that a firewall filter is kernel level while we will be
> doing it in the application layer. Why can't we simply upload the CSV and
> update the input chains?
>
> On 08/17/2012 10:33 AM, Tony Graziano wrote:
>
> Joegen, any ideas on this? If the acl was uploaded via CSV and contained
> 20-25k entries...
>
> (Equivalent of restrictive country block on proxy blacklist)
>
> ~~~~~~~~~~~~~~~~~~
> Tony Graziano, Manager
> Telephone: 434.984.8430
> sip: [email protected]
> Fax: 434.465.6833
> ~~~~~~~~~~~~~~~~~~
> Linked-In Profile:
> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
> Ask about our Internet Fax services!
> ~~~~~~~~~~~~~~~~~~
>
> Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab
> 2013!
>
> On Aug 16, 2012 5:37 PM, "George Niculae" <[email protected]> wrote:
>
>> On Thu, Aug 16, 2012 at 11:35 PM, Tony Graziano <
>> [email protected]> wrote:
>>
>>> Sounds like maybe a plugin would be a better approach then?
>>
>> We could make proxy to read directly from the uploaded CSV file as you
>> previously suggested (so config won't even parse / store data, just a
>> pointer to the file), Joegen could provide insights about proxy performance
>> for this scenario
>>
>> George
>>
>> _______________________________________________
>> sipx-dev mailing list
>> [email protected]
>> List Archive: http://list.sipfoundry.org/archive/sipx-dev/
>
> LAN/Telephony/Security and Control Systems Helpdesk:
> Telephone: 434.984.8426
> sip: [email protected]
>
> Helpdesk Customers: http://myhelp.myitdepartment.net
> Blog: http://blog.myitdepartment.net
>
> _______________________________________________
> sipx-dev mailing list
> [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-dev/

--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: [email protected]
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:
http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~

Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!
<http://sipxcolab2013.eventbrite.com/?discount=tony2013>

--
LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: [email protected]

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
_______________________________________________
sipx-dev mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev/
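The application-layer side of the question raised in this thread, as an added example that is not part of the original messages or of sipXecs: a comma-separated CIDR list is collapsed once at load time and each source address is then checked with a binary search, so lookup cost grows with the logarithm of the list size rather than with its length. `CidrBlocklist` is a hypothetical helper and the sample ranges are constructed documentation addresses.

```python
import bisect
import ipaddress

# Constructed sample in the format the thread describes:
# comma-separated CIDRs, no spaces. Not real country data.
SAMPLE_CIDRS = ("198.51.100.0/25,198.51.100.128/25,"
                "203.0.113.0/24,203.0.113.64/26,192.0.2.16/28")


class CidrBlocklist:
    """IPv4 blocklist with O(log n) membership tests (hypothetical helper)."""

    def __init__(self, cidr_csv):
        nets = []
        for field in cidr_csv.split(","):
            field = field.strip()
            if field:
                # strict=True rejects malformed entries with host bits set
                nets.append(ipaddress.IPv4Network(field, strict=True))
        self.raw_count = len(nets)
        # Merge adjacent and nested ranges; the result is sorted and disjoint,
        # which is what makes a single binary search sufficient.
        merged = list(ipaddress.collapse_addresses(nets))
        self.starts = [int(n.network_address) for n in merged]
        self.ends = [int(n.broadcast_address) for n in merged]

    def __len__(self):
        return len(self.starts)

    def blocks(self, addr):
        """Return True if addr falls inside any listed range."""
        ip = int(ipaddress.IPv4Address(addr))
        # Last range whose start is <= ip, if there is one.
        i = bisect.bisect_right(self.starts, ip) - 1
        return i >= 0 and ip <= self.ends[i]


if __name__ == "__main__":
    bl = CidrBlocklist(SAMPLE_CIDRS)
    print(f"{bl.raw_count} entries collapsed to {len(bl)} ranges")
    for src in ("198.51.100.200", "192.0.2.15", "203.0.113.70"):
        print(src, "blocked" if bl.blocks(src) else "allowed")
```

Collapsing also shows how much of a country zone list is redundant before it is loaded anywhere, whether into the proxy or into firewall rules.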
