Hello all gurus,

I have a question, and I do not know if it has ever been asked. I am wondering if shorewall has the capability to use GEOip. I have an extensive blacklist that keeps growing and growing by the month. I was wondering if there was any capability of using GEOip or any plans in the future.

Thanks
Shorewall Administrator.

On Sunday 23 October 2005 17:57, Shorewall Admin User wrote:
> Hello all gurus,
>
> I have a question, and I do not know if it has ever been asked. I am
> wondering if shorewall has the capability to use GEOip.

Not directly -- but any Netfilter match can be used by combining an action with an extension script (see http://www.shorewall.net/Actions.html).

> I have an
> extensive blacklist that keeps growing and growing by the month. I was
> wondering if there was any capability of using GEOip or any plans in the
> future.

I personally dislike the whole idea of the geoip match and have no plans to add explicit Shorewall support for it. The thought of:

    REJECT net:geo=Kansas all

offends me.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key

Shorewall Admin User wrote:
> Hello all gurus,
>
> I have a question, and I do not know if it has ever been asked. I am
> wondering if shorewall has the capability to use GEOip.

No.

> I have an
> extensive blacklist that keeps growing and growing by the month.

Don't do that. If you believe blacklisting a whole country is a good thing for your customers or your security, then you are **wrong**. Blacklisting is useful only for **certain situations**, and blacklisting whole countries or ISPs gives you a false sense of security.. somebody using 1 IP address from the rest of the internet (i.e. a compromised server on the huge remaining IP address space) can crack your machines, and an expert attacker can fake his source IP address (BTW.. that's a piece of cake..)

"From a security perspective, if you're connected, you're screwed." -djb

> I was
> wondering if there was any capability of using GEOip or any plans in the
> future.

I think Tom is not going to implement such a thing.

> Thanks
> Shorewall Administrator.

gee.. **we** are the "shorewall administrators" :-P

--
Cristian Rodriguez R.
perl -e '$_=pack(c5,0105,0107,0123,0132,(1<<3)+2);y[A-Z][N-ZA-M];print;'

Tom Eastep wrote:
> ...
> I personally dislike the whole idea of the geoip match and have no plans to
> add explicit Shorewall support for it. The thought of:
>
> REJECT net:geo=Kansas all
>
> offends me.

Are you originally from Kansas? :-)

Paul

On Sunday 23 October 2005 18:48, Paul Gear wrote:
> Tom Eastep wrote:
> > ...
> > I personally dislike the whole idea of the geoip match and have no plans
> > to add explicit Shorewall support for it. The thought of:
> >
> > REJECT net:geo=Kansas all
> >
> > offends me.
>
> Are you originally from Kansas? :-)
>

No -- the OP's domain is registered at a Kansas address.

-Tom