[geeks] .hk, .cn, .info considered harmful

Phil Stracchino alaric at metrocast.net
Thu Jun 5 11:56:13 CDT 2008


der Mouse wrote:
>> I'm really not that concerned about mail here.  [...]  I'm looking
>> for a simple way to drop all traffic from these TLDs at the firewall.
> 
> Part of your problem, then, is that you're trying for something
> ill-defined.

Exactly.  And therein lies a major part of the problem.

> Domains don't emit traffic; addresses do.  Whether a given packet comes
> from a given TLD is not well-defined.  The mapping between addresses
> and domains is very, very far from a bijection.
> 
> It sounds to me as though you're actually trying for something more
> like traffic emitted from machines physically in the countries in
> question, but even that is fairly hard; some networks are
> geographically quite dispersed.

Well, in some cases (.cm, .ws being particularly good examples),
geographic location is comparatively irrelevant compared to who controls
the TLD the machine is registered under.

> This is not to say that what you're trying to do can't be approximated
> closely enough to be useful.  Just that looking for a precise way to do
> something imprecisely defined is rather pointless.

Sure.  The key was Jonathan pointing out the "table persistent file"
syntax, which I wasn't previously aware of.  It means I can implement
the filter by adding a handful of lines to my pf.conf instead of several
thousand.


-- 
  Phil Stracchino, CDK#2     DoD#299792458     ICBM: 43.5607, -71.355
  alaric at caerllewys.net   alaric at metrocast.net   phil at co.ordinate.org
         Renaissance Man, Unix ronin, Perl hacker, Free Stater
                 It's not the years, it's the mileage.



More information about the geeks mailing list