Date: Sun, 11 Jun 2006 12:01:00 -0400 (EDT)
From: John L <johnl@iecc.com>
To: freebsd-questions@freebsd.org
Subject: Re: Deny large number of IPs via ipfw (fwd)
Message-ID: <20060611112542.J59518@simone.iecc.com>

>Using such a list of ip addresses from a major rbl is flawed at the
>core of the idea. Over 85% of those 3 million ip addresses are spoofed
>in the first place. Most are what would be called false positives.

Actually there are almost no false positives in the CBL. The three million addresses on the CBL really are all IP addresses that have recently sent spam. (I know the people who run it and I know how they get the addresses.)

But I agree that it is a poor idea to try to use it in your router, if for no other reason than that the CBL is updated every few minutes, and by the time you stuffed it into your ip tables, it'd be out of date.

The CBL works great for mail servers to refuse mail that has a 99.9+% chance of being spam. Use it that way.

If you want to use it to block access to your ssh server, run it from inetd and put a shim in between to check the CBL. Unless you get a dozen legit SSH logins a minute, that's vastly faster than trying to rsync a rapidly changing three million record file.

R's,
John
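A sketch of the inetd shim the message describes, added here as an example and not code from the post or from the CBL operators: it looks up the connecting peer in a DNS blocklist and only hands the socket to `sshd -i` when the peer is not listed. The zone name `dnsbl.example.org`, the sshd path, and the fail-open choice on resolver errors are assumptions.

```python
#!/usr/bin/env python3
"""inetd shim: check the peer against a DNSBL, then hand the socket to sshd -i."""
import ipaddress
import os
import socket
import sys

ZONE = "dnsbl.example.org"   # placeholder zone (assumption); use the list you query
SSHD = "/usr/sbin/sshd"      # assumed sshd path
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone=ZONE):
    """Return the DNSBL query name (reversed octets + zone), or None if not IPv4."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    if addr.version == 6:
        addr = addr.ipv4_mapped      # ::ffff:a.b.c.d on dual-stack listeners
        if addr is None:
            return None
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, zone=ZONE, resolve=socket.gethostbyname):
    """True only if the zone answers with a 127.0.0.0/8 address for this peer."""
    name = dnsbl_query_name(ip, zone)
    if name is None:
        return False
    try:
        answer = resolve(name)
    except socket.gaierror:
        return False                 # NXDOMAIN or resolver failure: fail open (policy)
    # Anything outside 127/8 is a hijacked or wildcard answer, not a listing.
    return ipaddress.ip_address(answer) in LISTED_NET


def main():
    # inetd (nowait) passes the accepted connection as fd 0.
    conn = socket.socket(fileno=os.dup(0))
    peer = conn.getpeername()[0]
    conn.close()                     # closes only the dup; fd 0 stays open
    if is_listed(peer):
        sys.exit(1)                  # drop the connection before sshd ever runs
    os.execv(SSHD, [SSHD, "-i"])     # sshd -i: inetd mode, socket stays on fd 0/1


if __name__ == "__main__":
    main()
```

Each connection costs one DNS query answered from the list's current data, which is the point made above about not mirroring a file that changes every few minutes.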