Date: Thu, 17 Jun 2010 19:46:57 -0700
From: Chris <eagletree@hughes.net>
To: Valerian Galeru <valerian_ro@yahoo.com>
Cc: FreeBSD-Questions Questions <freebsd-questions@freebsd.org>
Subject: Re: FreeBSD router (IPFW-based): how to block an URL (all IPs of an A-like HOSTNAME)
Message-ID: <5E6397FC-C521-45BA-B171-3857C39CE3BA@hughes.net>
In-Reply-To: <377948.61150.qm@web30701.mail.mud.yahoo.com>
References: <377948.61150.qm@web30701.mail.mud.yahoo.com>
On Jun 17, 2010, at 1:56 PM, Valerian Galeru wrote:

> Ok, very simply put:
>
> To do this without shell scripting, but this could avoid filtering
> future IP addresses:
> 1. DIG HOSTNAMEs and add ipfw block rules for those IPs
> 2. DIG HOSTNAMEs and add a null rule
>
> To block all *.hostname and future IP addresses of any of
> *.hostname, there must be written a shell script that analyzes all
> requests [have no idea how to execute a shell script LIVE!!!, any
> idea on this topic?].

Scripting it is not that hard, but most security advisors seem to recommend against it since a smart attacker could use such a thing against you. If you know the hostname and IP, there is no reason to script it; if you don't, then you will have the script making decisions, and it's possible those decisions could be leveraged to make you block the wrong thing. In spite of warnings, I did it during the bot attacks in 2006 and it really saved us. With care, it's a great solution.

I'm not sure why you would do this if you know the hostname? I am missing something there, maybe the question of how you come to know that this host should be blocked. If it's content, then here is another approach.

If you know the content that makes "*.hostname" be a bad actor, snort_inline is designed for that. You run it on a socket at startup and divert within ipfw any traffic you want checked. You create a snort rule to do so and drop the session if it matches. Again, your drop rules need to be well designed, so it has some of the same earmarks as the scripted solutions. It does work though if you can identify a unique signature for what *.hostname (and then *.hostname2, *.hostname3 etc.) is doing that they should be blocked. It handles some pretty hefty traffic too, though I run it on a machine in front of the net that only does ipfw/bridging and snort_inline. It was pretty easy to set up too.
With this, I'm not suggesting a hostname lookup but to drop sessions from hostname based on whatever the criteria is that you use to know that it should be blocked.

> --- On Thu, 6/17/10, Bernt Hansson <bernt@bah.homeip.net> wrote:
>
> From: Bernt Hansson <bernt@bah.homeip.net>
> Subject: Re: FreeBSD router (IPFW-based): how to block an URL (all IPs of an A-like HOSTNAME)
> To: "Valerian Galeru" <valerian_ro@yahoo.com>
> Cc: freebsd-questions@freebsd.org
> Date: Thursday, June 17, 2010, 11:47 PM
>
> Valerian Galeru said the following on 2010-06-17 22:01:
>> Hello,
>>
>> Does anyone have any ideas how to block all requests using an IPFW-based router
>> (FreeBSD 6.4) to and from a HOSTNAME (which has more DNS A entries)
>> or better, from any *.HOSTNAME.COM ????
>
> Do a whois hostname.com taking note of their ip-address range. Then,
> for ipf, put this in your rules file.
>
> ### EXAMPLE ###
>
> block in quick on fxp0 from 192.168.0.0/16 to any
> block out quick on fxp0 from any to 192.168.0.0/16
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
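As an added example that is not part of the thread (not Chris's, Bernt's or Valerian's code): a FreeBSD sh script for Valerian's first option, dig the hostname's A records and block them in ipfw, with the sanity checks Chris's warning about a script "making decisions" calls for. The ipfw table number 1, the rule numbers 100/110 and the hostname argument are placeholder assumptions; the script prints the ipfw commands for review instead of running them.

```shell
# Added example, not from the thread: resolve a hostname's A records with dig
# and load them into an ipfw lookup table. Table number 1 (TABLE) and the
# hostname passed on the command line are placeholders. The two deny rules
# that reference the table are installed once, e.g. in rc.firewall:
#   ipfw add 100 deny ip from any to table(1)
#   ipfw add 110 deny ip from table(1) to any
TABLE=${TABLE:-1}

# Keep only well-formed IPv4 literals (dig +short also prints CNAME targets)
# and drop ranges a router must never learn from an external DNS answer,
# so a poisoned or mis-resolved reply cannot make it block its own LAN.
filter_ips() {
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' |
    awk -F. '
        $1 > 255 || $2 > 255 || $3 > 255 || $4 > 255 { next }  # bad octet
        $1 == 0 || $1 == 127 || $1 == 10 || $1 >= 224 { next }  # 0/8 lo 10/8 mcast
        $1 == 192 && $2 == 168                        { next }  # 192.168/16
        $1 == 172 && $2 >= 16 && $2 <= 31             { next }  # 172.16/12
        $1 == 169 && $2 == 254                        { next }  # link-local
        !seen[$0]++                                             # dedupe
    '
}

# Print the ipfw table commands for the addresses on stdin rather than running
# them, so the operator (or a test) can review the set before piping it to sh.
build_rules() {
    printf 'ipfw table %s flush\n' "$TABLE"
    while IFS= read -r ip; do
        printf 'ipfw table %s add %s\n' "$TABLE" "$ip"
    done
}

# Resolve, filter, cap the set size (a wildcard zone could otherwise flood the
# table) and refuse to touch the table when nothing usable came back, so a DNS
# outage or NXDOMAIN leaves the existing block list in place.
refresh_table() {
    host=$1; max=${2:-64}
    ips=$(dig +short A "$host" | filter_ips | head -n "$max")
    if [ -z "$ips" ]; then
        echo "refresh_table: no usable A records for $host; table unchanged" >&2
        return 1
    fi
    printf '%s\n' "$ips" | build_rules
}

# Usage: sh blockhost.sh badhost.example   (review), then the same | sh (apply)
if [ $# -gt 0 ]; then
    refresh_table "$1"
fi
```

Re-running the script from cron refreshes the table as the hostname's A records change, which is the "future IP addresses" case Valerian asked about.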