
DrWho? wrote:
My idea was to use a callback to hook port 80 and use a perl script to reverse lookup the ip address and look for .nz at the end and pass fail thereafter.
PAINFUL!!
Yes, using Perl does not seem a good idea, so I will have to code an extension for iptables. And after all, is not "have a go" the key part of the Linux experience?
If you wanted it hidden you'd have to blackhole the port by default, sniff for attempted connections, look up the address, change firewalling on the fly.. and you're opening yourself up for a huge self-DoS if someone spoofs millions of random SYN packets at you.
That seems to be the conclusion I have come to as well. The SYN attack risk could be reduced by making use of the counters and limiting the number of connection attempts to say 2 and then dropping them thereafter.
I believe there's a list of IP ranges that are allocated within New Zealand. Configure your box to accept those and blackhole everything else. End of problem.
It just seems to be a lot of effort for such a fundamental operation.. as I say Windows users can do just what I want to do with very little hassle!! damn frustrating!!
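The allowlist approach the thread converges on (accept the published New Zealand ranges on port 80, blackhole everything else, and cap SYN attempts per source) worked through as an added example; this is not code from the original thread or from anyone on the list. It assumes ipset is available next to iptables. The set name nz_allow, the two RFC 5737 documentation prefixes standing in for real NZ allocations, and the threshold of 2 attempts per 60 seconds are constructed for illustration; the ipset/iptables module names and flags are the standard netfilter ones.

```python
import ipaddress

# Constructed sample allowlist for illustration only (RFC 5737 documentation
# prefixes). A real deployment would load the currently published NZ
# allocations from the regional registry instead of hard-coding them.
SAMPLE_NZ_RANGES = ["203.0.113.0/24", "198.51.100.0/25"]


def build_allowlist(cidrs):
    """Parse CIDR strings into network objects, rejecting malformed entries
    up front so a typo cannot silently widen or narrow the allowlist."""
    nets = []
    for cidr in cidrs:
        # strict=True refuses prefixes with host bits set, e.g. 10.1.2.3/8
        nets.append(ipaddress.ip_network(cidr, strict=True))
    return nets


def verdict(src_ip, nets):
    """Decide what the ruleset does with a new connection from src_ip:
    ACCEPT if it falls inside any allowed prefix, otherwise DROP (default-deny).
    An address of the other IP version never matches, so it is dropped too."""
    ip = ipaddress.ip_address(src_ip)
    return "ACCEPT" if any(ip in net for net in nets) else "DROP"


def render_rules(nets, set_name="nz_allow", dport=80, max_attempts=2, window=60):
    """Render the shell commands (ipset + iptables) implementing the policy.
    set_name, max_attempts and window are assumptions chosen for this example."""
    rules = [
        f"ipset create {set_name} hash:net -exist",
        f"ipset flush {set_name}",
    ]
    rules += [f"ipset add {set_name} {net.with_prefixlen}" for net in nets]
    match = f"-p tcp --dport {dport} --syn"
    rules += [
        # 1. Blackhole every new connection whose source is not in the set.
        f"iptables -A INPUT {match} -m set ! --match-set {set_name} src -j DROP",
        # 2. An allowlisted source that already has max_attempts recorded SYNs
        #    inside the window is dropped (xt_recent only updates the entry
        #    when this rule matches, so rule 3 is what increments the count).
        f"iptables -A INPUT {match} -m recent --name http --update "
        f"--seconds {window} --hitcount {max_attempts} -j DROP",
        # 3. Otherwise record this attempt and accept it.
        f"iptables -A INPUT {match} -m recent --name http --set -j ACCEPT",
    ]
    return rules


if __name__ == "__main__":
    allow = build_allowlist(SAMPLE_NZ_RANGES)
    for src in ("203.0.113.7", "192.0.2.1", "2001:db8::1"):
        print(f"{src:>16} -> {verdict(src, allow)}")
    print("\n".join(render_rules(allow)))
```

The set-based drop in rule 1 is what keeps the spoofed-SYN flood the thread worries about away from the per-source counters: packets from outside the allowlist never touch the recent table. It does not remove the risk entirely, since SYNs spoofed from an address inside the allowlist can still fill that source's hit count and lock a legitimate NZ client out for the window, so keep the window short and watch the dropped-packet counters (`iptables -nvL INPUT`) after deploying.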
_______________________________________________ wlug mailing list | wlug(a)list.waikato.ac.nz Unsubscribe: http://list.waikato.ac.nz/mailman/listinfo/wlug