yeah ... I already did that :) but since you were asking for suggestions ...
Regards,
Ovidiu Sas

On 2/14/07, Bogdan-Andrei Iancu <[EMAIL PROTECTED]> wrote:
> Hi Ovidiu,
>
> yes, it will help, I agree, but you could just disable it:
> http://openser.org/dokuwiki/doku.php/core-cookbook:devel#disable_dns_blacklist
>
> Regards,
> Bogdan
>
> Ovidiu Sas wrote:
>> Hi Bogdan,
>>
>> Maybe a fifo command for removing a dns blacklist will help ...
>> Right now, if I don't want to wait 4 min., I need to restart the
>> server if I want to get rid of a dns blacklist.
>>
>> Regards,
>> Ovidiu Sas
>>
>> On 1/30/07, Bogdan-Andrei Iancu <[EMAIL PROTECTED]> wrote:
>>> Hi everybody,
>>>
>>> OpenSER 1.2.0 has a new feature - IP Blacklist support. This is a low
>>> level filtering engine for the outgoing requests; low level, because the
>>> filtering is done based on IP, protocol, port, etc.
>>> Its primary purposes will be to prevent sending requests to critical IPs
>>> (like GWs) due to DNS or to avoid sending to destinations that are known to
>>> be unavailable (temporary or permanent).
>>>
>>> Because of flexibility concerns, the filtering rules can be grouped
>>> into multiple lists.
>>>
>>> A rule:
>>> - matches based on IP/mask, proto, port and text pattern criteria
>>> - can be applied reversed
>>>
>>> A list:
>>> - can be read-only - it does not change during execution
>>> - has a timeout per element - elements expire after a configured
>>> timeout.
>>>
>>>
>>> How to use:
>>> ===========
>>>
>>> currently there are 2 ways of using the blacklists:
>>>
>>> 1) statically defining lists in the configuration file and selecting
>>> which ones should be used for each request.
>>>
>>> You can define blacklists as follows:
>>> # filter out requests going to ips of my gws
>>> dst_blacklist = gw:{( tcp , 192.168.2.100 , 5060 , "" ),( any , 192.168.2.101 , 0 , "" )}
>>> # block requests going to "evil" networks
>>> dst_blacklist = net_filter:{ ( any , 192.168.1.100/255.255.255.0 , 0 , "" )}
>>> # block message requests with nasty words
>>> dst_blacklist = msg_filter:{ ( any , 192.168.20.0/255.255.255.0 , 0 , "MESSAGE*ugly_word" )}
>>> # block requests not going to a specific subnet
>>> dst_blacklist = net_filter2:{ !( any , 192.168.30.0/255.255.255.0 , 0 , "" )}
>>>
>>> a rule is defined by:
>>> protocol : TCP, UDP, TLS or "any" for anything
>>> port : number or 0 for any
>>> ip/mask
>>> text pattern - is a filename-like matching (see "man 3 fnmatch")
>>> applied on the outgoing request buffer (first_line+hdrs+body)
>>>
>>> From the routing script, you can use the use_blacklist("name") function to
>>> select what blacklist to be applied for the current request. More than
>>> one list can be selected.
>>>
>>> If the destination address matches one of the selected rules, the send
>>> will fail.
>>>
>>>
>>> 2) via DNS
>>>
>>> The DNS resolver, when configured with failover, can automatically store
>>> in a temporary blacklist the failed destinations. This will prevent (for
>>> a limited period of time) openser from sending requests to destinations known
>>> as failed.
>>> So, the blacklist can be used as a memory for the DNS resolver.
>>>
>>> To use it, you have to enable it - the rest is done automatically.
>>> disable_dns_blacklist = no
>>>
>>> By default it is enabled. The temporary blacklist created by the DNS resolver
>>> is named "dns" and it is by default selected for usage (no need to use the
>>> use_blacklist() function). The rules from this list have a life time of 4
>>> minutes - you can change it at compile time, from blacklists.h .
>>>
>>>
>>>
>>> To give you an internal snapshot, a new MI function - "list_blacklists"
>>> - was added to print all existing blacklists and their rules.
>>>
>>>
>>> Any suggestions/reports are welcome!
>>>
>>> regards,
>>> bogdan
>>>
_______________________________________________
Users mailing list
[email protected]
http://openser.org/cgi-bin/mailman/listinfo/users
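As an added illustration of the dst_blacklist rule semantics described in the announcement quoted above (not OpenSER code, and not a reimplementation of its matcher), the following Python evaluator parses the four example lists exactly as written in the config lines and decides whether a given outgoing request would be blocked; it assumes fnmatch(3) whole-buffer matching and that a dotted netmask is accepted after the slash, and the request buffers are constructed samples.

```python
import fnmatch
import ipaddress
import re

# One rule: optional '!' then ( proto , ip[/mask] , port , "pattern" ).
RULE_RE = re.compile(r'(!?)\s*\(\s*(\w+)\s*,\s*([\d./]+)\s*,\s*(\d+)\s*,\s*"([^"]*)"\s*\)')


def parse_blacklist(definition):
    """Parse 'dst_blacklist = name:{ rule, ... }' into (name, [rules]).
    A rule is (negated, proto, network, port, pattern); 'any' and 0 are wildcards."""
    name, body = definition.split("=", 1)[-1].split(":", 1)
    rules = []
    for neg, proto, ip, port, pattern in RULE_RE.findall(body):
        # A dotted netmask is accepted by ip_network; a bare IP becomes a /32 host.
        net = ipaddress.ip_network(ip, strict=False)
        rules.append((neg == "!", proto.lower(), net, int(port), pattern))
    return name.strip(), rules


def rule_matches(rule, proto, ip, port, buf):
    """Apply one rule to an outgoing request (transport, destination, buffer)."""
    negated, r_proto, net, r_port, pattern = rule
    hit = (
        (r_proto == "any" or r_proto == proto.lower())
        and ipaddress.ip_address(ip) in net
        and (r_port == 0 or r_port == port)
        # fnmatch(3) matches the WHOLE buffer, so "MESSAGE*ugly_word" only
        # hits when the buffer ends in ugly_word (append '*' to match anywhere).
        and (pattern == "" or fnmatch.fnmatchcase(buf, pattern))
    )
    return hit != negated  # a leading '!' reverses the rule


def send_blocked(selected_lists, proto, ip, port, buf):
    """True when any rule of any selected list matches: the send would fail."""
    return any(rule_matches(r, proto, ip, port, buf)
               for rules in selected_lists for r in rules)


if __name__ == "__main__":
    # The four lists from the announcement, parsed from their config lines.
    lists = dict(parse_blacklist(line) for line in [
        'dst_blacklist = gw:{( tcp , 192.168.2.100 , 5060 , "" ),( any , 192.168.2.101 , 0 , "" )}',
        'dst_blacklist = net_filter:{ ( any , 192.168.1.100/255.255.255.0 , 0 , "" )}',
        'dst_blacklist = msg_filter:{ ( any , 192.168.20.0/255.255.255.0 , 0 , "MESSAGE*ugly_word" )}',
        'dst_blacklist = net_filter2:{ !( any , 192.168.30.0/255.255.255.0 , 0 , "" )}',
    ])
    # Constructed request, as if the script had called use_blacklist("gw").
    buf = "INVITE sip:gw@192.168.2.100 SIP/2.0\r\n\r\n"
    print(send_blocked([lists["gw"]], "tcp", "192.168.2.100", 5060, buf))  # True
```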
