On Tue, 04 Dec 2012, in the Usenet newsgroup comp.security.firewalls, in article
<k9m2i0$ug5$
1...@dont-email.me>, meagain wrote:
>Moe Trin wrote:
>> Blocking access FROM the world does not mean blocking your access TO
>> the world - subtle difference, no?
>And I asked for "short".
The short answer is "you can't do so". There are a couple of problems
with IP filtering to _block_ access by country.
1. ARIN, and there-after the four other Regional Internet Registrars
did not assign blocks in a "convenient" manner. Address ranges were
assigned from a range such as 202.x.x.x in an arbitrary manner - more
or less "first come, first assigned". There was no en-mass assignment
of a large block to this country or that. While blocks are being
divided to better administer them,
[fermi ~]$ zgrep CN APNIC.gz | cut -d' ' -f3 | sort | uniq -c | column
10 255.192.0.0 163 255.255.192.0
19 255.224.0.0 258 255.255.224.0
51 255.240.0.0 253 255.255.240.0
106 255.248.0.0 234 255.255.248.0
226 255.252.0.0 326 255.255.252.0
317 255.254.0.0 256 255.255.254.0
382 255.255.0.0 737 255.255.255.0
194 255.255.128.0
[fermi ~]$
the adjacent block is assigned to one of 36 other countries. That
output shows how many networks of each size exist in China - ten /10s
(36.128.0.0 - 36.191.255.255, 39.128.0.0 - 39.191.255.255, 59.192.0.0,
111.0.0.0, 112.0.0.0, 116.128.0.0, 117.128.0.0, 120.192.0.0, 183.0.0.0
and 183.192.0.0) nineteen /11s, fifty-one /12s, and so on down to 737
/24s, and as initially mentioned, they are scattered over the IPv4
address space from 1.0.1.0 to 223.255.253.255. Got a shotgun?
2. The country reported in the registration data is that of the main
office of the registrant, and has no guarantee that the computers are
located in that country. The company I work for is registered in New
York but if you traceroute to our address range, the last IP you see
before hitting the firewall is near San Francisco - yet I'm in the
Phoenix metro area (about 360 miles/600 KM East of Los Angeles), and
systems in our address range are located in 27 other countries around
the world. So are we in New York, the USA, North America or what?
3. You can not count on the DNS name to show country information. In
the first place, there are a lot of network administrators who haven't
figured out how to run a DNS server or think the data to be secret, and
looking up an address will often return a "NXDOMAIN" reply - meaning
"no answer could be found". And contrary to common wisdom, not all
domains in China (or any other country) have a .cn (or similar
ISO-3166) country code as the top level domain - many in fact fit the
common misconception that Internet hostnames all end with ".com".
So, if you want to block China ALONE, you have about 2500 address
ranges to block. If you don't want to use that many, you can use wider
blocks, such as a /8 - China is only in 60 of those 222 blocks. You're
going to have co-lateral damage, by blocking others at the same time,
such as 1.x.x.x/8 which blocks AU, CN, HK, IN, JP, KR, MY, PH, TH,
TW and VN. Some other /8s have more countries, some less.
>I manage a SonicWall firewall with 5 static IP hiding two video
>servers, two video mixers, and a half dozen video editing and
>scheduling computers.
If customers have to access things, get a separate firewall. If access
is limited to employees only, use better access controls. Are you
trying to combat skript kiddiez who attempt to log in to your servers
by trying "root" and a hundred thousand different passwords one after
another? Use one of the "shoot yourself in the a$$" anti-intrusion
programs, like 'BlockHosts', 'DenyHosts', 'fail2ban', 'sshguard' or
similar but set the block times to ten minutes or less - that's enough
to deter the skript kiddiez, and only blocks legitimate users for that
long if they repeatedly screw up. A much better solution is strong
encryption and authentication. Creating "outside" accounts that are
isolated from internal (email) account names is desirable. Teaching
your users to create/use "good" passwords (non-dictionary, mixed
characters/case) helps, and you can use a brute-force password cracker
like 'John-the-ripper' to detect lapses. If worried about one IP
address, or a small range of addresses, use a 'whois' client/tool
[fermi ~]$ whatis whois
whois (1) - client for the whois service
[fermi ~]$
to identify the assigned network, and block that, BUT be aware of
possible co-lateral damage, and performance degradation.
>Yet we have remote access so I can control the servers from anywhere.
Do you travel the world WITHOUT advance notice? I normally have at
least two days to prepare - more than that if I need to get a visa.
Your best bet would be dynamic usernames and passwords - they are used
just once then become invalid to prevent the bad guys from gaining
access through packet sniffing or shoulder surfing. At one time, it
was thought good practice to move the server port to a non-standard
value, but many systems have _OUTBOUND_ filters to block access to all
but a few well-known (standard) ports to avoid nasty things, and that
can block your access from those sites. Best to depend on one-time
authentication, and strong encryption.
>So I don't want to block the world.
Then you have to live with it.
Old guy