From owner-freebsd-questions Thu Mar 16 12:41: 5 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from horst.bfd.com (horst.bfd.com [12.9.219.10]) by hub.freebsd.org (Postfix) with ESMTP id 9DE8037C1ED for ; Thu, 16 Mar 2000 12:40:42 -0800 (PST) (envelope-from ejs@bfd.com)
Received: from HARLIE.bfd.com (bastion.bfd.com [12.9.219.14]) by horst.bfd.com (8.10.0/8.10.0) with ESMTP id e2GKefv72887; Thu, 16 Mar 2000 12:40:41 -0800 (PST)
Date: Thu, 16 Mar 2000 12:40:41 -0800 (PST)
From: "Eric J. Schwertfeger"
To: bwoods2@uswest.net
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: IPFW...1 more question.....
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, 16 Mar 2000, William Woods wrote:

> So, I would need to ping each .com in my ipfw rules and put their
> xxx.xxx.xxx.xxx/24 in the rule? If this what I understand you saying?

Assuming that all netblocks are class C networks (/24's) is not right. For example, both of the addresses that aol.com resolves to are in the same class B (/16) network, and it looks like Aol owns the entire B network, as well as the 152.163/16 class B. There may well be others that I don't know about, and that is what complicates what you're trying to do.

I need to clarify what you're trying to do before I can really answer that. I think that you're trying to block *.aol.com from all network services that this machine provides. If so, then there are three ways to do that.

The first is to find out what all of aol's netblocks are (it is unlikely that the two class B netblocks listed above are all they control) and add each one as an ipfw rule. I wouldn't know just how to look up this information, but if you check with spam-related newsgroups/mailing lists, there will certainly be people that have already dug up that information, or at least most of it.
The second method, which might not work depending on what you're trying to do, is to block each program from talking to *.aol.com. This is fairly simple with both Apache and sendmail. You could probably expand on this to other programs using tcp wrappers, which I'm pretty sure will let you block connections based on domain names rather than IP addresses.

The last method is trickier, and involves programming, but does not require knowing every Aol netblock or configuring every server to ignore Aol. You'd have to write a daemon that would do a reverse lookup on the source address of the packet (destination as well, if you're trying to keep this machine from talking to any part of Aol), and drop any packets that resolve to *.aol.com. You'd then use the divert option of IPFW to push packets through this filter. It would be best to only push unestablished connections through this for tcp, and you couldn't put DNS packets through this filter regardless, unless you whitelist the addresses of your DNS server(s).

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message