On Thursday 09 December 2004 07:19, Kostas Sfakiotakis wrote:
All i mean is that if someone just start's blocking entire ranges , then he might very well end up unable to surf half the Internet or even more . Is there a way to block for example the range from 64.0.0.1 to 64.0.0.25 leaving the other IP's free ?
We are talking about blocking incoming connexions. This has no implications for outgoing.
Using the 64.x.x.x example if you block incoming connections from the hotmail region of IP's then you can't login to your hotmail account and check your email . I was thinking of incoming connections too.
In considering your firewall settings, review what services you offer and to whom.
Am not offering any services since am just a home user . I just have sendmail , which
is listening to lo for connections , running since i need it with fetchmail.
At school we have web, incoming and outcoming mail (SMTP and IMAP). And SSH and VPN.
Web is theoretically accessible to all.
Ditto incoming mail.
VPN connexions are only appropriate from our local area.
Boss travels the world and wants access to his mail; one way to ensure this is make imap accessible to all.
We'll assume nobody needs ssh connexions outside our area.
This clarifies what I can and cannot block: I can allow SSH for just our local area, I can allow IMAP to our local area plus the areas the boss is likely to visit, or a means for him to enable it remotely.
Note that if you're running your own mail service and have secondary MXes, blocking selected areas with firewall rules is likely to be less effective than you might expect; a significant amount of the spam that gets into my setup does so through a designated MX.
I've recently created separate zones in my shorewall rules to be picky about sources of ssh connexions and it's reduced the incidents of failed logins significantly.