Date:      Thu, 16 Mar 2000 12:40:41 -0800 (PST)
From:      "Eric J. Schwertfeger" <ejs@bfd.com>
To:        bwoods2@uswest.net
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: IPFW...1 more question.....
Message-ID:  <Pine.BSF.4.10.10003161219230.14354-100000@harlie.bfd.com>
In-Reply-To: <XFMail.000316121231.wwoods@cybcon.com>


On Thu, 16 Mar 2000, William Woods wrote:

> So, I would need to ping each .com in my ipfw rules and put their
> xxx.xxx.xxx.xxx/24 in the rule? Is this what I understand you to be saying?

Assuming that all netblocks are class C networks (/24's) is not right.
For example, both of the addresses that aol.com resolves to are in the
same class B (/16) network, and it looks like AOL owns the entire B
network, as well as the 152.163/16 class B.  There may well be others that
I don't know about, and that is what complicates what you're trying to do.

I need to clarify what you're trying to do before I can really answer
that.  I think that you're trying to block *.aol.com from all network
services that this machine provides.

If so, then there are three ways to do that.  The first is to find out
what all of AOL's netblocks are (it is unlikely that the two class B
netblocks listed above are all they control) and add each one as an ipfw
rule. I wouldn't know just how to look up this information, but if you
check with spam-related newsgroups/mailing lists, there will certainly be
people that have already dug up that information, or at least most of it.

The second method, which might not work depending on what you're trying to
do, is to block each program from talking to *.aol.com.  This is fairly
simple with both Apache and sendmail.  You could probably expand on this
to other programs using tcp wrappers, which I'm pretty sure will let you
block connections based on domain names rather than IP addresses.

The last method is trickier, and involves programming, but does not
require knowing every AOL netblock or configuring every server to ignore
AOL. You'd have to write a daemon that would do a reverse lookup on the
source address of the packet (destination as well, if you're trying to
keep this machine from talking to any part of AOL), and drop any packets
that resolve to *.aol.com.  You'd then use the divert option of IPFW to
push packets through this filter.  It would be best to only push
unestablished connections through this for tcp, and you couldn't put DNS
packets through this filter regardless, unless you whitelist the addresses
of your DNS server(s).
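
The decision logic of the third method above, written out as an added example that is not part of the original e-mail: it parses the raw IPv4/TCP packet a divert socket would hand over, whitelists the DNS server addresses, skips established TCP (ACK set, which an ipfw rule with the `setup` option would already filter out before diverting), and drops packets whose source (optionally destination) reverse-resolves under a blocked domain. The lookup tables, addresses and the forward-confirmation step are my additions; a real daemon would call socket.gethostbyaddr()/gethostbyname_ex() and re-inject passed packets on the divert socket.

```python
import socket
import struct
from typing import Callable, Iterable, Optional

def matches_domain(hostname: str, suffix: str) -> bool:
    """True when hostname is suffix itself or any subdomain of it (case-insensitive)."""
    h, s = hostname.lower().rstrip("."), suffix.lower().strip(".")
    return h == s or h.endswith("." + s)

def verdict(packet: bytes, blocked: Iterable[str], dns_servers: Iterable[str],
            ptr: Callable[[str], Optional[str]], fwd: Callable[[str], Iterable[str]],
            check_dst: bool = False) -> str:
    """Decide 'pass' or 'drop' for one raw IPv4 packet read from the divert socket."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "pass"                               # not IPv4: leave it alone
    ihl = (packet[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    # Never judge traffic to/from the resolvers, or the daemon's own lookups get dropped.
    if src in dns_servers or dst in dns_servers:
        return "pass"
    if packet[9] == 6 and len(packet) >= ihl + 14 and packet[ihl + 13] & 0x10:
        return "pass"                               # TCP with ACK set: established, skip lookup
    for addr in ([src, dst] if check_dst else [src]):
        name = ptr(addr)
        # Forward-confirm the PTR (FCrDNS), an addition to the e-mail's design:
        # whoever controls the reverse zone can put any name in a PTR record.
        if name and addr in fwd(name) and any(matches_domain(name, s) for s in blocked):
            return "drop"
    return "pass"

def build_packet(src: str, dst: str, tcp_flags: int = 0x02) -> bytes:
    """Construct a minimal IPv4+TCP packet (SYN by default) for offline testing."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, tcp_flags, 65535, 0, 0)
    return ip + tcp

# Constructed lookup tables standing in for socket.gethostbyaddr()/gethostbyname_ex().
PTR_TABLE = {"10.0.0.5": "proxy.aol.com", "10.0.0.6": "host.example.net",
             "10.0.0.7": "fake.aol.com"}           # 10.0.0.7's PTR does not forward-confirm
FWD_TABLE = {"proxy.aol.com": ["10.0.0.5"], "host.example.net": ["10.0.0.6"],
             "fake.aol.com": ["10.0.0.9"]}
DNS_SERVERS = {"10.0.0.53"}

def check(src: str, dst: str = "192.0.2.1", flags: int = 0x02, check_dst: bool = False) -> str:
    """Run verdict() on a constructed packet with the sample tables and a *.aol.com block."""
    return verdict(build_packet(src, dst, flags), ["aol.com"], DNS_SERVERS,
                   PTR_TABLE.get, lambda n: FWD_TABLE.get(n, []), check_dst)
```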


