Tom Eastep wrote:
> Denis Croombs wrote:
> > I want to blacklist ALL ip's except approx 500, what is the best way
> > of doing this ?
>
> Install someone else's firewall product.
>
Seriously, there is no _good_ way to do that with Shorewall so any way
that you come up with will be equally horrible.
The exception would be if the 500 IP addresses are nicely grouped into a
few neat subnetworks. In that case, you can simply define your 'net'
zone using the hosts file and restrict the zone membership to those
subnets. That approach is not quite the same as blacklisting since
blacklisting checks every packet against the blacklist whereas using
the hosts file will only check NEW packets.
If the 500 IP addresses are randomly distributed, each packet (or NEW
packet) will have to run a gauntlet averaging 250 rules. That really sucks.
There is an iptables-like facility available for Linux (I forget the
name) that may do a better job of this than iptables does since it
doesn't rely on sequentially-evaluated rules. To my knowledge, no one
has hacked Shorewall to try to use the thing though...
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA \ teastep@shorewall.net
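An added illustration of the point Tom makes above (this is not code from the thread, from Tom, or from the Shorewall project): before deciding between a per-address rule list and a hosts-file zone restriction, check whether your allow-list actually collapses into a few CIDR blocks. The sample address list is constructed, and the hosts-file line format "ZONE<TAB>IFACE:NETWORK" is assumed for illustration only; check it against the Shorewall documentation for your version. The helper deliberately merges only exactly contiguous, aligned runs and never widens a block into a covering supernet, since that would silently admit addresses that were never on the list.

```python
"""Check whether an allow-list of IP addresses collapses into a few CIDR
blocks (Shorewall hosts-file style) or must stay as one rule per address.

Added illustration for the discussion above; not Shorewall code.
The hosts-file line format "ZONE<TAB>IFACE:NETWORK" is an assumption
for illustration, as is the constructed address list below.
"""
import ipaddress

# Constructed sample: one fully populated /24 plus four scattered hosts.
SAMPLE_ALLOWED = (
    [str(ipaddress.ip_address("203.0.113.0") + i) for i in range(256)]
    + ["198.51.100.7", "198.51.100.9", "192.0.2.42", "192.0.2.200"]
)


def collapse_to_cidrs(entries):
    """Return the minimal list of CIDR networks covering exactly `entries`.

    Only exactly contiguous, aligned runs merge (256 consecutive hosts become
    one /24); scattered hosts stay as /32s.  Nothing is widened into a
    covering supernet, because that would silently admit addresses that were
    never on the allow-list.
    """
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return list(ipaddress.collapse_addresses(nets))


def expected_rules_evaluated(n_rules, hit_probability):
    """Average rules a packet traverses in a sequentially evaluated chain.

    A packet that matches some rule stops at its position (mean (n+1)/2 if
    each rule is equally likely); a packet that matches nothing walks all n.
    For n=500 and hit_probability=1 this is about 250, the figure in the
    discussion.
    """
    hit = hit_probability * (n_rules + 1) / 2
    miss = (1 - hit_probability) * n_rules
    return hit + miss


def shorewall_hosts_lines(zone, iface, networks):
    """Render hosts-file entries restricting `zone` to `networks` on `iface`.

    Format "ZONE<TAB>IFACE:NETWORK" is assumed for illustration.
    """
    return [f"{zone}\t{iface}:{net}" for net in networks]


def summarize(entries):
    """Return (rules needed per address, rules needed after collapsing)."""
    return len(entries), len(collapse_to_cidrs(entries))


if __name__ == "__main__":
    raw, collapsed = summarize(SAMPLE_ALLOWED)
    print(f"{raw} addresses -> {collapsed} CIDR entries")
    print(f"avg rules per matching packet, uncollapsed: "
          f"{expected_rules_evaluated(raw, 1.0):.1f}")
    for line in shorewall_hosts_lines("net", "eth0",
                                      collapse_to_cidrs(SAMPLE_ALLOWED)):
        print(line)
```

If the collapsed count comes out close to the raw count, the addresses are the "randomly distributed" case Tom describes and a sequential rule chain will average roughly half its length per matching packet; if it comes out small, the hosts-file zone restriction applies, with the caveat from the thread that it is only consulted for NEW connections rather than for every packet.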