In article <fsudnQfIDpl0joffRVn-tQ.DeleteThis@comcast.com>, Eric wrote:
>Yes, you are right, once the number of rules gets large performance drops
>like a stone. What we need is some kind of a program to scan all the IP
>blocks in a file and distill them down to as few "all encompassing" blocks
>as possible, like what you said about the 3 rules for korea.
Wellll.... it depends on how wide a range of collateral damage you want
to accept. And the only way to see that is to look at the zonefiles, and
say "what if". For example
[compton ~]$ zgrep -E ' 211\.(128|1[3-9][0-9]|2[0-5][0-9])'
IP.ADDR/stats/APNIC.gz | cut -d' ' -f1 | sort -u
CN
JP
KR
[compton ~]$
If you shut down 211.128.0.0/15, that only hits some entries for three
countries. Taking all of 211.0.0.0/16 gets
[compton ~]$ zgrep ' 211\.[0-9]*' IP.ADDR/stats/APNIC.gz | cut -d' ' -f1 |
sort -u
AU
CN
JP
KR
MY
TW
[compton ~]$
See what I mean? If you don't need anything from the APNIC region, maybe
the 6 mask solution I mentioned originally might be a good starting point,
as there aren't that many blocks used by (example, Korea) outside of the
classic 58/7, 60/7, 202/7, 211/7, 218/7, 220/6. On the other hand, if you
need all (or at least some part) of some country within that block, using
ACCEPT rules ahead of the REJECT rules in the firewall may be a solution.
>I understand the basics of CIDR but I don't understand how you took a range
>like 211.168.0.0 - 211.255.255.255 and made 3 rules out of it
>I would have come up with: 211.168.0.0/9
Jim Hayter <see.reply.to.DeleteThis@nowhere.invalid> explained it in the other answer
to your post. If you are not as comfortable with masks like this, see
RFC1878 which lists many masks, and the ranges they encompass. It takes a
little getting used to, but when you use it frequently enough it's almost
transparent. You can grab RFC1878 (and 1519 for that matter) off any RFC
mirror, such as
http://www.ietf.org/rfc/rfc0000.txt
http://www.faqs.org/rfcs/rfc0000.html
http://www.rfc-editor.org/rfc/rfc0000.txt
http://www.ccd.bnl.gov/network/general/rfc0000.html
http://www.cis.ohio-state.edu/htbin/rfc/rfc0000.html
Replace the zeros with the _four_ digit document number you need (leading
zeros below 1000). http://www.iana.org/assignments/ipv4-address-space is
also a good document to have.
That also gives some indication of how much of a problem there is trying to
say that this block belongs to country $FOO, and that one to $BAR. Heck,
there isn't even a clean division of continents, never mind countries, and
that even ignores the historical assignment of blocks, which is how the
Taiwan Academic Network got large chunks in the 163.0.0.0/11 range, along
with a US .mil block, colleges in the Americas and Europe, the Sydney (.au)
electricity board, and the French National Railways.
Old guy
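The two things the thread does by hand (splitting 211.168.0.0 - 211.255.255.255 into the fewest aligned CIDR blocks, and asking "what if" a candidate aggregate were blocked, by looking up which countries' delegations it overlaps) can be scripted. The example below is added here and is not code from either poster; it uses the standard library only and reads the RIR "delegated" stats format (registry|cc|type|start|count|date|status) rather than the poster's pre-cut file, and the records in it are constructed for illustration.

```python
import ipaddress

def range_to_cidrs(first: str, last: str) -> list[str]:
    """Split an inclusive IPv4 range into the fewest aligned CIDR blocks
    (the 'how did 211.168.0.0-211.255.255.255 become 3 rules' question)."""
    return [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]

# Constructed sample records in RIR delegated-stats layout
# (registry|cc|type|start|count|date|status). Counts and placements are
# invented so the 'what if' checks below mirror the thread's examples.
SAMPLE_STATS = """\
apnic|JP|ipv4|211.128.0.0|32768|20000101|allocated
apnic|CN|ipv4|211.128.128.0|32768|20000101|allocated
apnic|KR|ipv4|211.129.0.0|65536|20000101|allocated
apnic|KR|ipv4|211.168.0.0|524288|20000101|allocated
apnic|AU|ipv4|211.26.0.0|65536|20000101|allocated
apnic|TW|ipv4|211.72.0.0|65536|20000101|allocated
apnic|MY|ipv4|211.24.0.0|16384|20000101|allocated
"""

def parse_stats(text: str):
    """Yield (cc, network) for each ipv4 record. 'count' is a number of
    addresses, so a record spans start .. start+count-1; it need not be a
    power of two, so each record is itself summarized into CIDR blocks."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _registry, cc, kind, start, count, *_ = line.split("|")
        if kind != "ipv4":
            continue
        first = ipaddress.IPv4Address(start)
        last = first + int(count) - 1
        for net in ipaddress.summarize_address_range(first, last):
            yield cc, net

def collateral(block: str, stats: str = SAMPLE_STATS) -> list[str]:
    """Country codes whose delegations overlap a candidate block: the
    'what if I shut down this aggregate' check from the thread."""
    target = ipaddress.IPv4Network(block)
    return sorted({cc for cc, net in parse_stats(stats) if net.overlaps(target)})
```

Point a real delegated-apnic-latest file at `collateral()` and the same call answers the thread's question for any aggregate you are considering; the narrower the block, the fewer countries it should list.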