Date:      Tue, 6 Aug 2019 21:59:21 -0700 (PDT)
From:      "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>
To:        Michael Sierchio <kudzu@tenebras.com>
Cc:        "Rodney W. Grimes" <freebsd-rwg@gndrsh.dnsmgr.net>, "ipfw@FreeBSD.org" <ipfw@freebsd.org>, starikarp@dismail.de
Subject:   Re: amazonaws
Message-ID:  <201908070459.x774xLDT085942@gndrsh.dnsmgr.net>
In-Reply-To: <CAHu1Y70fb1h2HSE8VxXknG=owZtUGr6YQsQXz3_X2d8b8dUoaw@mail.gmail.com>

> On Tue, Aug 6, 2019 at 6:23 PM Rodney W. Grimes <
> freebsd-rwg@gndrsh.dnsmgr.net> wrote:
> 
> > > Hi!
> > >
> > > Is it possible to block compute.amazonasws.com with ipfw firewall. I
> > > have a table with many amazonasws IPs but every time when I start
> > > Firefox it shows the new one (I am checking with tcpdump).
> >
> > Since it is almost impossible to keep up with the IP's....
> >
> 
> This is not even remotely true.
> 
> https://ip-ranges.amazonaws.com/ip-ranges.json
> 
> is kept up-to-date, and you can subscribe to an SNS topic to be notified of
> changes:

That is ALL amazon address space, not the specific "compute.amazonasws.com"
address only.  I do not see how you can derive the valid values of this
from the presented URL.

> arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged
> 
> 
> 
> You could put the entire contents, or a portion of it, in an ipfw table and
> swap tables atomically upon change.

Which would block ALL amazon hosted services, not just the specific one
that is "compute".

# drill compute.amazonasws.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 35891
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1 
;; QUESTION SECTION:
;; compute.amazonasws.com.      IN      A

;; ANSWER SECTION:
compute.amazonasws.com. 600     IN      A       185.53.179.8

;; AUTHORITY SECTION:
amazonasws.com. 172799  IN      NS      ns2.parkingcrew.net.
amazonasws.com. 172799  IN      NS      ns1.parkingcrew.net.

;; ADDITIONAL SECTION:
ns1.parkingcrew.net.    300     IN      A       13.248.158.159


Which I believe to be an advertising sprinkler used by all
sorts of stuff to spam your browser with a random ad page.


> -- 
> 
> "Well," Brahm? said, "even after ten thousand explanations, a fool is no
> wiser, but an intelligent person requires only two thousand five hundred."
> 
> - The Mah?bh?rata

-- 
Rod Grimes                                                 rgrimes@freebsd.org
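The "put a portion of ip-ranges.json in a table and swap it atomically" approach discussed in the thread, as an added example that is not code from either correspondent. Every entry in the real feed carries `ip_prefix` (or `ipv6_prefix`), `region` and `service` fields, so the script filters on those before emitting the `ipfw table ... swap` sequence. The feed content below is a constructed sample in that format (RFC 5737/3849 documentation addresses, not Amazon's); the table name, the `_new` staging suffix and the assumption that the live table already exists on the firewall are mine.

```python
"""Select AWS prefixes by service/region from an ip-ranges.json document and
emit the ipfw commands for an atomic table swap.

Added example, not from the freebsd-ipfw thread. Assumes FreeBSD 11+ ipfw
(named tables with `create`, `add`, `swap`, `destroy`) and that the live
table named in ipfw_swap_commands() already exists with `type addr`.
"""
import ipaddress
import json
from typing import Iterable, List, Optional

# Constructed sample shaped like https://ip-ranges.amazonaws.com/ip-ranges.json.
# Field names are the real ones; the prefixes are documentation ranges. The
# real feed lists a prefix under "AMAZON" as well as under its specific
# service, which is why filtering by service matters.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1565000000",
    "createDate": "2019-08-05-12-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-west-2", "service": "EC2"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "S3"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-west-2", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "EC2"},
    ],
})


def select_prefixes(feed_json: str, services: Iterable[str],
                    regions: Optional[Iterable[str]] = None,
                    want_ipv6: bool = False) -> List[str]:
    """Return sorted, de-duplicated CIDRs whose service (and optionally
    region) match. Each prefix is parsed with ipaddress so a malformed feed
    entry raises instead of becoming a bogus ipfw argument."""
    feed = json.loads(feed_json)
    wanted_services = set(services)
    wanted_regions = set(regions) if regions is not None else None
    section, key = (("ipv6_prefixes", "ipv6_prefix") if want_ipv6
                    else ("prefixes", "ip_prefix"))
    nets = set()
    for entry in feed[section]:
        if entry["service"] not in wanted_services:
            continue
        if wanted_regions is not None and entry["region"] not in wanted_regions:
            continue
        # strict=True rejects prefixes with host bits set (e.g. 10.0.0.1/8).
        nets.add(ipaddress.ip_network(entry[key], strict=True))
    return [str(n) for n in sorted(nets)]


def ipfw_swap_commands(table: str, cidrs: List[str]) -> List[str]:
    """Build the staging table, swap it with the live one in a single
    operation, then discard the staging table (which now holds the old
    entries). Rules referencing table(<table>) never see a half-filled set."""
    staging = f"{table}_new"          # staging-table suffix is an assumption
    cmds = [f"ipfw table {staging} create type addr"]
    cmds += [f"ipfw table {staging} add {cidr}" for cidr in cidrs]
    cmds.append(f"ipfw table {staging} swap {table}")
    cmds.append(f"ipfw table {staging} destroy")
    return cmds


if __name__ == "__main__":
    # Dry run against the constructed sample; on a firewall you would feed
    # the downloaded JSON in and pipe the output to sh.
    ec2 = select_prefixes(SAMPLE_IP_RANGES, ["EC2"])
    for cmd in ipfw_swap_commands("aws_ec2", ec2):
        print(cmd)
```

A matching rule such as `ipfw add deny ip from any to table(aws_ec2)` keeps working across the swap because the table name never changes; only its contents do. Re-run the script whenever the feed's `syncToken` changes (the SNS topic quoted above is one way to learn that), and keep the staging table's type identical to the live one or the swap is refused.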