Isn't that what network documentation and maintenance scripts are for ;)
Actually you have a very good point but, particularly when people travel.
I would block all non US addresses but would turn the rules on and off by
country when executives travel (automated on and off dates were scheduled).
I never worried about maintaining much because it was never intended to be a
100% solution, so if I block 80% of the undesired systems it was 80% more
then I was blocking before. But then again, I never bothered at all until I
was getting so many requests from India & Ireland that my system could
barley keep up. Setting up the initial rule helped immensely. In addition
you should regularly revisit your methodologies and redetermine if it is
still valid. Just because you build a raft to get you across the river does
not mean you have to carry it around with you for the rest of your life.
For me I just replaced my Linux router with a combined CSU/DSU router
firewall appliance when the company moved to a new location that had
different connectivity needs. That and the new ISP provided flood controlee
and a good deal of blacklist controlee for me making the need for whole sale
blocking less valid.
-----Original Message-----
From:
plug-discuss-bounces@lists.plug.phoenix.az.us
[
mailto:plug-discuss-bounces@lists.plug.phoenix.az.us] On Behalf Of Craig
White
Sent: Monday, March 30, 2009 9:01 AM
To: Main PLUG discussion list
Subject: Re: starting by iptable deny all of china is a good start. - Re:OT?
Linux-based trojans now targeting WRT and other linux-based routers
I'm gonna ignore most of the implications of this and just say one thing
that you're apparently not considering...
Once you implement a methodology, you then become committed to maintaining
the implementation and ip address ranges change, people go to China for
visiting, other people might have to troubleshoot your implementations, etc.
I try hard not to solve symptoms by implementing narrowly targeted solutions
but rather focus on the larger problems. I see a lot of smtp thuggery coming
from eastern Europe and South America, not just China. Postfix does a really
good job of bandwidth and pipeline limiting.
Craig
On Mon, 2009-03-30 at 11:45 -0400,
kitepilot@kitepilot.com wrote:
> Agree...
> But for as long as my people doesn't have friends in Asia, I may as well
> block them all... :)
> Enrique
>
>
>
> Craig White writes:
>
> > On Mon, 2009-03-30 at 08:30 -0400, kitepilot@kitepilot.com wrote:
> >> And how do I:
> >> "starting by iptable deny all of china" ?
> >>
> >> I can figure out the "iptable" part, it is the "china" part (and
> >> other possible places where I know I will only get spam from) that
> >> I am unaware of...
> > ----
> > I do not believe that this is constructive thinking. It's easy
> > enough for someone in China to use a computer somewhere else as a
> > base for operations and that security doesn't come from just
> > arbitrarily picking ranges of ip addresses to block. Security would
> > necessarily require effectiveness from virtually everywhere -
> > possibly even your own 'trusted' lan.
> >
> > Spam control on the other hand doesn't rely much on iptables at all
> > but rather many layers of implementation such as RBL's, greylisting
> > (optional but effective), spamassassin, smtp level restrictions and
> > more.
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss