Tue Apr 27 10:07:09 NZST 2004
>>My idea was to use a callback to hook port 80 and use a perl script to
>>reverse lookup the ip address and look for .nz at the end and pass fail
Yes using Perl does not seem a good idea, so I will have to code an
extension for iptables.
And after all, is not "have a go" the key part of the Linux experience?
>If you wanted it hidden you'd have to blackhole the port by default, sniff
>for attempted connections, look up the address, change firewalling on the
>fly.. and you're opening yourself up for a huge self-DoS if someone spoofs
>millions of random SYN packets at you.
That seems to be the conclusion I have come to as well. The SYN attack risk
could be reduced by making use of the counters and limiting the number of
connection attempts to, say, 2 and then dropping them thereafter.
>I believe there's a list of IP ranges that are allocated within New
>Zealand. Configure your box to accept those and blackhole everything else.
>End of problem.
It just seems to be a lot of effort for such a fundamental operation.. as I
say Windows users can do just what I want to do with very little hassle!!
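An added example, not from the thread or its participants: a shell script that generates the iptables rules for the allow-list approach suggested above (accept port 80 only from listed ranges, blackhole the rest) combined with the per-source attempt counter the reply proposes, using the `recent` match. The ranges, chain name and limits are constructed placeholders, not real NZ allocations.

```shell
#!/bin/sh
# Generate iptables rules: accept TCP/80 from an allow-list of CIDR ranges,
# drop everything else, and drop any source that exceeds MAX_ATTEMPTS
# connection attempts within WINDOW seconds.
# The ranges below are CONSTRUCTED placeholders, not real NZ allocations.
ALLOWED_RANGES="203.0.113.0/24 198.51.100.0/24"
PORT=80
MAX_ATTEMPTS=2      # SYNs allowed per source inside the window
WINDOW=60           # window length in seconds

# Dry run by default: print each rule. With APPLY=1 the rule is executed.
emit() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

build_rules() {
    emit iptables -N WEB_IN
    # Per-source counter: --update matches once the address has been seen
    # MAX_ATTEMPTS times in WINDOW seconds, so the next SYN is dropped and
    # the entry is refreshed while the source keeps retrying.
    # Caveat: spoofed random-source floods still create entries; the recent
    # table is bounded (xt_recent ip_list_tot), so memory is capped but
    # old entries get evicted, which does not stop the flood itself.
    emit iptables -A WEB_IN -m recent --name web --update \
        --seconds "$WINDOW" --hitcount "$MAX_ATTEMPTS" -j DROP
    emit iptables -A WEB_IN -m recent --name web --set
    for r in $ALLOWED_RANGES; do
        emit iptables -A WEB_IN -s "$r" -j ACCEPT
    done
    # Blackhole: anything not in the allow-list is silently dropped.
    emit iptables -A WEB_IN -j DROP
    emit iptables -A INPUT -p tcp --dport "$PORT" --syn -j WEB_IN
}

build_rules
```

Run it once without APPLY to review the generated rules, then `APPLY=1 sh script.sh` as root to load them.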
NOTICE: This is an archive of a public mailing list. The University of Waikato is not responsible for its contents.