Hi All, Not too far OT I dont think, but could someone point me in the right direction, or tell me how I could accomplish the following with the shorewall blacklisting... I, like most of you no doubt geet a lot of attacks from certain IP blocks, how can I block a whole block range without typing in xxx lines of IP addresses - Bit unsure regarding the /8 /25 /16 widths etc..I think this is a way to ban subnets.. For example.. I currently get port attacks from: 211.92.248.0 - 211.92.251.255 Well...from 211.92.251.19, but the inet range is the above from a whois query, so, I would like to ban the whole subnet using the blacklist Any info where to look much appreciated. Thanks in advance Andy
John Stroud
2002-Feb-09 14:31 UTC
[Shorewall-users] Blacklist - banning complete subnets ?
Hiya, Without getting into other ideas on how to approach undesirable traffic from our overseas friends, this is what will block those ranges. This block is in China, I believe. ::/etc/shorewall/blacklist:: ===========================211.92.248.0/24 211.92.249.0/24 211.92.250.0/24 211.92.251.0/24 =========================== Good luck! JCS -----Original Message----- From: shorewall-users-admin@shorewall.net [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Andy Sent: Saturday, February 09, 2002 6:21 AM To: shorewall-users@shorewall.net Subject: [Shorewall-users] Blacklist - banning complete subnets ? Hi All, Not too far OT I dont think, but could someone point me in the right direction, or tell me how I could accomplish the following with the shorewall blacklisting... I, like most of you no doubt geet a lot of attacks from certain IP blocks, how can I block a whole block range without typing in xxx lines of IP addresses - Bit unsure regarding the /8 /25 /16 widths etc..I think this is a way to ban subnets.. For example.. I currently get port attacks from: 211.92.248.0 - 211.92.251.255 Well...from 211.92.251.19, but the inet range is the above from a whois query, so, I would like to ban the whole subnet using the blacklist Any info where to look much appreciated. Thanks in advance Andy _______________________________________________ Shorewall-users mailing list Shorewall-users@shorewall.net http://www.shorewall.net/mailman/listinfo/shorewall-users Tracking #: C3BC54F2242209479440F6EB9432D10C0C395100
The /8 , /16, etc refers to the number of leading 1 bits in the subnet mask. To determine the subnet mask that will cover 211.92.248.0 - 211.92.251.255, convert the third number in each address to binary: 248 = 11111000 251 = 11111011 So the proper mask for that position is 11111100 = 252. Now 255.255.252.0 has 22 leading ones so the proper entry in your blacklist file is: 211.92.248.0/22. -Tom> -----Original Message----- > From: shorewall-users-admin@shorewall.net > [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Andy > Sent: Saturday, February 09, 2002 6:21 AM > To: shorewall-users@shorewall.net > Subject: [Shorewall-users] Blacklist - banning complete subnets ? > > > Hi All, > Not too far OT I dont think, but could someone point me in the right > direction, or tell me how I could accomplish the following with the > shorewall blacklisting... > > I, like most of you no doubt geet a lot of attacks from > certain IP blocks, > how can I block a whole block range without > typing in xxx lines of IP addresses - Bit unsure regarding > the /8 /25 /16 > widths etc..I think this is a way to ban subnets.. > For example.. I currently get port attacks from: 211.92.248.0 - > 211.92.251.255 > > Well...from 211.92.251.19, but the inet range is the above > from a whois > query, so, I would like to ban the whole subnet using the blacklist > > Any info where to look much appreciated. > > > Thanks in advance > > > Andy > > > > > _______________________________________________ > Shorewall-users mailing list > Shorewall-users@shorewall.net > http://www.shorewall.net/mailman/listinfo/shorewall-users >
Patrick Benson
2002-Feb-09 14:56 UTC
[Shorewall-users] Blacklist - banning complete subnets ?
Andy wrote:> > Hi All, > Not too far OT I dont think, but could someone point me in the right > direction, or tell me how I could accomplish the following with the > shorewall blacklisting... > > I, like most of you no doubt geet a lot of attacks from certain IP blocks, > how can I block a whole block range without > typing in xxx lines of IP addresses - Bit unsure regarding the /8 /25 /16 > widths etc..I think this is a way to ban subnets.. > For example.. I currently get port attacks from: 211.92.248.0 - > 211.92.251.255That would be 211.92.248.0/22...> Well...from 211.92.251.19, but the inet range is the above from a whois > query, so, I would like to ban the whole subnet using the blacklist > > Any info where to look much appreciated.http://www.subnetonline.com/subnet/subnet.html Look for online IP/Network calculators on Google. There are loads of them. -- Patrick Benson Stockholm, Sweden