starting by iptable deny all of china is a good start. - Re: OT? Linux-based trojans now targeting WRT and other linux-based routers

Craig White craigwhite at azapple.com
Mon Mar 30 09:00:33 MST 2009


I'm gonna ignore most of the implications of this and just say one thing
that you're apparently not considering...

Once you implement a methodology, you then become committed to
maintaining the implementation, and IP address ranges change, people go
to China for visiting, other people might have to troubleshoot your
implementations, etc. I try hard not to solve symptoms by implementing
narrowly targeted solutions but rather focus on the larger problems. I
see a lot of SMTP thuggery coming from eastern Europe and South America,
not just China. Postfix does a really good job of bandwidth and pipeline
limiting.

Craig

On Mon, 2009-03-30 at 11:45 -0400, kitepilot at kitepilot.com wrote:
> Agree...
> But for as long as my people don't have friends in Asia, I may as well 
> block them all...   :)
> Enrique 
> 
>  
> 
> Craig White writes: 
> 
> > On Mon, 2009-03-30 at 08:30 -0400, kitepilot at kitepilot.com wrote:
> >> And how do I:
> >> "starting by iptable deny all of china" ?  
> >> 
> >> I can figure out the "iptable" part, it is the "china" part (and other 
> >> possible places where I know I will only get spam from) that I am unaware 
> >> of... 
> > ----
> > I do not believe that this is constructive thinking. It's easy enough
> > for someone in China to use a computer somewhere else as a base for
> > operations and that security doesn't come from just arbitrarily picking
> > ranges of IP addresses to block. Security would necessarily require
> > effectiveness from virtually everywhere - possibly even your own
> > 'trusted' LAN. 
> > 
> > Spam control on the other hand doesn't rely much on iptables at all but
> > rather many layers of implementation such as RBLs, greylisting
> > (optional but effective), SpamAssassin, SMTP-level restrictions and
> > more.  
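
The layered SMTP controls named in this message (RBLs, greylisting, SMTP-level restrictions, rate and pipeline limiting), sketched as a Postfix `main.cf` fragment. This is an added example, not part of the original post or Craig's configuration. The RBL zone, the greylisting daemon address (postgrey on 127.0.0.1:10023) and all numeric limits are assumptions chosen for illustration.

```conf
# /etc/postfix/main.cf fragment (constructed example; values are illustrative)

# Require HELO and refuse clients that send commands ahead of the
# server's replies (unauthorized pipelining), a common trait of
# bulk-mail software.
smtpd_helo_required = yes
smtpd_data_restrictions = reject_unauth_pipelining

# SMTP-level restrictions, evaluated in order for every RCPT TO,
# whatever network the client connects from.
# Assumptions: zen.spamhaus.org as the RBL, and a greylisting policy
# daemon (e.g. postgrey) listening on 127.0.0.1:10023.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_rbl_client zen.spamhaus.org,
    check_policy_service inet:127.0.0.1:10023

# Per-client connection and message limits, enforced by anvil(8).
anvil_rate_time_unit = 60s
smtpd_client_connection_count_limit = 10
smtpd_client_connection_rate_limit = 30
smtpd_client_message_rate_limit = 60

# Slow down, then disconnect, clients that keep generating errors.
smtpd_error_sleep_time = 1s
smtpd_soft_error_limit = 5
smtpd_hard_error_limit = 10
```

Run `postfix check` and `postconf -n` after editing to confirm the parameters parsed as intended, then watch the mail log for `reject:` lines to tune the limits before tightening them.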



