On Thursday 09 December 2004 07:19, Kostas Sfakiotakis wrote:
> All I mean is that if someone just starts blocking entire ranges, then
> he might very well end up unable to surf half the Internet or even more.
> Is there a way to block for example the range from
> 64.0.0.1 to 64.0.0.25 leaving the other IPs free?

We are talking about blocking incoming connexions. This has no implications for outgoing.

In considering your firewall settings, review what services you offer and to whom.

At school we have web, incoming and outgoing mail (SMTP and IMAP). And SSH and VPN.

Web is theoretically accessible to all. Ditto incoming mail. VPN connexions are only appropriate from our local area. Boss travels the world and wants access to his mail; one way to ensure this is to make IMAP accessible to all. We'll assume nobody needs SSH connexions outside our area.

This clarifies what I can and cannot block: I can allow SSH for just our local area, I can allow IMAP to our local area plus the areas the boss is likely to visit, or a means for him to enable it remotely.

Note that if you're running your own mail service and have secondary MXes, blocking selected areas with firewall rules is likely to be less effective than you might expect; a significant amount of the spam that gets into my setup does so through a designated MX.

I've recently created separate zones in my shorewall rules to be picky about sources of SSH connexions and it's reduced the incidents of failed logins significantly.

-- 
Cheers
John Summerfield

tourist pics: http://environmental.disaster.cds.merseine.nu/
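
An added example, not part of the original message: it converts the range from the quoted question into the exact CIDR blocks a firewall rule set would need, then applies a per-service source policy like the one the reply describes to incoming connections only. The `LOCAL` and `TRAVEL` networks, the port numbers and the function names are assumptions made for illustration; VPN is left out because the message names no port for it.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks covering exactly first..last (inclusive)."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

# Constructed placeholder networks (RFC 5737 documentation ranges), standing in
# for "our local area" and "areas the boss is likely to visit".
LOCAL = [ipaddress.ip_network("192.0.2.0/24")]
TRAVEL = [ipaddress.ip_network("198.51.100.0/24")]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

# Who may open an incoming connection to each offered service.
POLICY = {
    80: ANY,              # web: accessible to all
    25: ANY,              # incoming SMTP: accessible to all
    143: LOCAL + TRAVEL,  # IMAP: local area plus travel destinations
    22: LOCAL,            # SSH: local area only
}

def allowed(src, dport, blocked=()):
    """Incoming decision: explicit block list first, then per-service allow,
    anything else is denied by default."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in blocked):
        return False
    return any(addr in net for net in POLICY.get(dport, []))

if __name__ == "__main__":
    blocked = range_to_cidrs("64.0.0.1", "64.0.0.25")
    print("blocks for 64.0.0.1-64.0.0.25:", ", ".join(map(str, blocked)))
    # Constructed sample connections: (source address, destination port)
    for src, port in [("64.0.0.10", 80), ("64.0.0.26", 80),
                      ("198.51.100.7", 143), ("198.51.100.7", 22)]:
        verdict = "ACCEPT" if allowed(src, port, blocked) else "DROP"
        print(f"{src:>15} -> port {port:<4} {verdict}")
```
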