Firewall Setup


Ioan

Dec 1, 2011, 4:35:26 PM
to reCAPTCHA
I am trying to find the best way of setting up the firewall rules to
allow reCAPTCHA server side to connect to http://api-verify.recaptcha.net/verify.
I found following wiki page:

http://code.google.com/p/recaptcha/wiki/FirewallsAndRecaptcha

but the recommendations for firewall configuration are not acceptable
under the corporate policies (DNS-based rule) or are considered too risky
(the list of IPs may change in the future). An acceptable solution would
be a list of IPs or a single VIP that won't require firewall changes in
the future.

I would like to know what the other options are for setting up firewalls
for reCAPTCHA.

Thanks,

Ioan

PJH

Dec 1, 2011, 7:17:54 PM
to reca...@googlegroups.com


On Thu, Dec 1, 2011 at 9:35 PM, Ioan <ioan....@gmail.com> wrote:
> I would like to know what are the other options to setup firewalls
> for reCAPTCHA.

Your corporate policy would appear to be (far) too restrictive (ignoring the fact that you had to look up the URLs you did find due to it - well done for finding them.)

There are no other options beyond changing the policy. Or using a different captcha.

And educating your sysadmins that basing their iptables rules on the results of DNS is doomed to fail. But I think we all know that won't happen.

--
PJH


Adrian Godong

Dec 1, 2011, 7:32:23 PM
to reca...@googlegroups.com
What I don't understand is, why blocking outbound ports?

Inbound I understand, but outbound on port 80?

It's like limiting yourself from browsing the Internet.


--
Adrian Godong
adrian...@gmail.com

Ioan

Dec 2, 2011, 3:17:46 PM
to reCAPTCHA
Hi PJH and thank you for your quick response.

I understand that these policies are restrictive; unfortunately I
don't have much control over these policies. Changing these policies
takes a lot of time in certain environments :).
I do have other questions related to this subject:

1. How often are the IPs associated with the DNS names changed, and how are
these changes usually made: only adding new IPs, or adding new IPs and removing old
IPs? How do you communicate these changes to reCAPTCHA users?

2. I noticed in different places two sets of URLs: one set uses the
*.recaptcha.net pattern and the other set uses the www.google.com/*
pattern. Is it safest to use the set with the www.google.com/* pattern?
What is the plan for *.recaptcha.net; are you going to retire
support for these URLs?

Regards,

Ioan


PJH

Dec 2, 2011, 3:36:36 PM
to reca...@googlegroups.com
On Fri, Dec 2, 2011 at 8:17 PM, Ioan <ioan....@gmail.com> wrote:
> 1. How often the IPs associated with DNS are changed and how usually
> these changes are made: only add new IPs or add new IPS + remove old
> IPs? How do you communicate these changes to reCaptcha users?

In general, DNS entries change rarely. The specific ones listed for Google haven't changed for months (or years - can't check from here). Think of DNS as a telephone book relating names (hosts) to telephone numbers (IP addresses) - an individual may not change their phone number for years, or may change it frequently. Google doesn't move frequently. spammer.example.com may move a few times a day.

> 2. I noticed in different places two set of URLs: one set uses
> *.recaptcha.net pattern and the other set uses www.google.com/*
> pattern. It is safest to use the set with www.google.com/* pattern?
> What is the plan with *.recaptcha.net, are you going to retire the
> support for these URLs?

recaptcha.net is already deprecated, if not obsolete. If you're using libraries/plugins/documentation using recaptcha.net then they're out of date. google.com is the canonical host.

--
PJH
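An added example, not code from this thread or from the reCAPTCHA project: a drift check that compares a static egress allow-list against the addresses the verification hostname currently resolves to, so that the failure mode discussed above (addresses added or removed behind a DNS name while the firewall rule stays fixed) is detected before verification requests start failing. The allow-list and the recorded DNS answer are constructed sample values; the resolver is injectable so the check runs offline.

```python
"""Allow-list vs. DNS drift check (added example; sample values are constructed)."""
import ipaddress
import socket
from typing import Callable, Iterable

# Constructed sample allow-list, as a static egress rule might carry it.
ALLOWED = {"198.51.100.10", "198.51.100.11", "203.0.113.5"}


def resolve_all(hostname: str, port: int = 80) -> set:
    """Return every IPv4/IPv6 address the hostname currently resolves to (live lookup)."""
    infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    return {sockaddr[0] for _family, _type, _proto, _canon, sockaddr in infos}


def drift(allowed: Iterable[str], resolved: Iterable[str]) -> dict:
    """Compare an allow-list with resolution results.

    'missing': addresses the host now uses that the rule would block
               (outbound verification calls will start failing);
    'stale':   allow-listed addresses the host no longer uses
               (rule is broader than needed and should be pruned).
    Addresses are parsed so textual variants (e.g. IPv6 case/zero compression)
    compare as equal rather than as spurious drift.
    """
    allowed_set = {ipaddress.ip_address(a) for a in allowed}
    resolved_set = {ipaddress.ip_address(r) for r in resolved}
    return {
        "missing": sorted(str(a) for a in resolved_set - allowed_set),
        "stale": sorted(str(a) for a in allowed_set - resolved_set),
    }


def check_host(hostname: str, allowed: Iterable[str] = ALLOWED,
               resolver: Callable[[str], Iterable[str]] = resolve_all) -> dict:
    """Run the drift check for one hostname; pass a recorded resolver to test offline."""
    return drift(allowed, resolver(hostname))


def _recorded_resolver(_hostname: str) -> set:
    """Constructed DNS answer standing in for a live lookup."""
    return {"198.51.100.10", "198.51.100.12"}


if __name__ == "__main__":
    report = check_host("api-verify.recaptcha.net", resolver=_recorded_resolver)
    for kind, addrs in report.items():
        print(f"{kind}: {', '.join(addrs) or 'none'}")
```

Run it on a schedule with `resolver=resolve_all` against the real hostname and alert on a non-empty `missing` list; an empty report means the static rule still matches what DNS returns.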

