Re: [pfSense Support] blocking spammers xml

[Glenn Kelley]

I hate when I hit the wrong hot key to fast.
This http://countries.nerd.dk/isolist.txt  has an entire list as well.
Here is my thougth - wondering if you could help

I am thinking of a few addons -

here is the first one.

An addon that queries http://countries.nerd.dk/isolist.txt  - or even  
a mirror we setup (perhaps on pfsense or our our servers here - we  
host a number of mirrors including the North American TER for typo3)
this would import the country changes when someone wants to do it  
(manually or on cron - or schedule)

Then - people could dynamically build aliases much easier this way.

They could pull in say an entire list of countries or just one country  
and then use those to build rules against.

Now - i might need help to clean this idea up.
Once we have it hashed out - I would be willing to pay $100 towards a  
bounty to get this done...

I dont want to post the bounty on the forums till I have the wording  
just right...

Glenn




On Sep 23, 2008, at 11:13 AM, Glenn Kelley wrote:

I would love to pull in all that fun stuff from this nice tool

http://blacklist.linuxadmin.org/

Of course that makes the iptables ruleset.

I am very interested in how we could do this easily for the entire  
community
Wish I knew code better - write a little script to create all of  
these.


:-)
On Sep 23, 2008, at 10:47 AM, Derrick Conner wrote:

 Darn good idea!   I'm going to set that up right now.   Thanks!
Don't know why this didn't come to me.

Derrick

-----Original Message-----
From: Glenn Kelley [mailto:[EMAIL PROTECTED]
Sent: Monday, September 22, 2008 11:21 PM
To: support@pfsense.com
Subject: Re: [pfSense Support] blocking spammers xml

I did these a little different...
in XML I added

in filters section
<filters>


        <rule>
                        <type>block</type>
                        <interface>wan</interface>
                        <max-src-nodes/>
                        <max-src-states/>
                        <statetimeout/>
                        <statetype>keep state</statetype>
                        <os></os>
                        <protocol>tcp/udp</protocol>
                        <source>
                                <address>spammers</address>
                        </source>
                        <destination>
                                <any/>
                                <port>25</port>
                        </destination>
                        <descr>spammers</descr>
                </rule>


</filters>

then below the rules / filters section



        <aliases>
                <alias>
                        <name>spammers</name>
                        <address>66.0.0.0/8 66.0.0.0/8 78.0.0.0/8
79.0.0.0/8 80.0.0.0/8
81.0.0.0/8 82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8
87.0.0.0/8 88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8
93.0.0.0/8 94.0.0.0/8 95.0.0.0/8 116.0.0.0/8 121.0.0.0/8 122.0.0.0/8
123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 194.0.0.0/8 195.0.0.0/8
200.0.0.0/8 201.0.0.0/8 202.0.0.0/8 203.0.0.0/8 210.0.0.0/8
190.0.0.0/8</address>
                        <descr>SMTP Block Known Spam Networks</descr>
                        <type>network</type>
                        <detail>smtp block spam Canada||smtp block Spam
Canada||smtp block
Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam  
Amsterdam||
smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam
Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp
block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam
Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp
block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam
Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp
block Spam Asia||smtp block Spam Amsterdam||smtp block Spam  
Amsterdam||
smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp block Spam
Amsterdam||smtp block Spam Amsterdam||smtp block Spam Amsterdam||smtp
block Spam Mexico||smtp block Spam Mexico||smtp block Spam Mexico||
smtp block Spam Mexico||smtp block Spam Mexico||smtp block Spam
Mexico||</detail>
                </alias>
        </aliases>


Seems to work well.

On Sep 22, 2008, at 9:25 PM, Derrick Conner wrote:

I've attached my cleaned up XML of all the subnets I block.   Feel
free to post it, or whatever you want to do with it.  I would have
sent
it to Joe Laffey, but I think my spam filter got him.


Derrick

-----Original Message-----
From: Glenn Kelley [mailto:[EMAIL PROTECTED]
Sent: Monday, September 22, 2008 10:43 AM
To: support@pfsense.com
Subject: Re: [pfSense Support] blockign china

I would need to know perl .

I have given my wife a few of those in the past....
hmmm

going to her jewlery box

all kidding aside - i think your right.

I will see what I can come up w/ - i think this might help the  
pfsense
community @ large.
In fact - it seems simple enough - it might make a very simple pkg

just a thought -

I think if it were a pkg - it could then parse those lists every  
month
or so - cron job 1 time per month
and then reinject the changes

This way it stays up to date...

I would say 95% of the hacking attempts we are seeing in our
datacenter are all out of China and Korea -
the last 5 % would be say 4% from Russia and 1% from script  
kiddies in
the US

Then again 99.256% of all statistics are made up 98.721% of the time

I know my #'s are close however

Glenn


On Sep 22, 2008, at 10:08 AM, Joe Laffey wrote:

On Mon, 22 Sep 2008, Glenn Kelley wrote:

Thanks Joe -

I saw that...

My concern was typing all of those into the system one by one by
one...

Its okay if I gotta do it :-)
My hope was that someone already has - and that they could put out
that part of their xml file - so the community could all benefit.


I would think you could write a perl script to convert those into a
segment of XML that you could then paste into a saved config. Then
reload that config.



--
Joe Laffey                |       Visual Effects for Film and Video
LAFFEY Computer Imaging   |      
-------------------------------------
St. Louis, MO             |       Show Reel http://LAFFEY.tv/? 
e11861
USA                       |      
-------------------------------------
.                         |        -*- Digital Fusion Plugins -*-


------------------------------------------------------------------------
--

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

<Big
Spammers
.zip
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]