Subject: Re: DNS-based firewalling?
To: Florian Stoehr <netbsd@wolfnode.de>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: netbsd-users
Date: 01/09/2005 21:06:41
In message <Pine.NEB.4.61.0501100026140.823@irina.net.flo>, Florian Stoehr writes:
>Hi,
>
>I want to block all (ALL!) SMTP traffic from the whole "attbi.com" 
>IP address range for my private mail server.
>
>I know this is kinda rude and I also know I can do this in SMTP config.
>
>But I want a "you won't even connect at SMTP" solution in that case :-(
>
>Can anyone recommend a package here / solutions here? Or, on the other 
>hand, is it possible to find out the address range of a provider (for 
>blocking IP-based in ipf then).
>
Well, attbi.com no longer exists, at least in the forward lookup 
direction -- see 
http://faq.comcast.net/faq/answer.jsp?name=17799&cat=Email&subcategory=1
That makes it rather hard to find out what address ranges are involved. 
I have no idea if there are any dns ranges that return PTR records 
saying attbi.com; there shouldn't be, but it's up to the operator of each 
inverse zone to decide what they claim to be.

From a more general perspective, you write a script to poll the DNS and 
build an ipf.conf file, or -- according to ipf.conf(5) -- you can put host
names in the ipf.conf file directly.  Note that apart from issues of 
DNS spoofing -- a concern from a security perspective, though I assume 
you're actually concerned here about spam-blocking, since Comcast (the 
actual owner of what was attbi.com) does not filter outbound port 25 -- 
many DNS servers for busy sites will return different addresses at 
different times of day or to different queriers.

Your real challenge is to define what you mean by the "attbi.com address
range".  I suspect that what you're really saying is that you want to 
block all IP addresses allocated to customers of some ISP, but not the 
official mail senders from that ISP.  It may or may not be easy to get 
the information you need.  With a bit of work poking at the databases 
run by the various RIRs, you can probably figure out what address 
blocks are assigned to some ISP.  It's much harder to figure out what 
their mail servers are, though, and they may be within the affected 
block.  (For example, by using 'traceroute -a' towards my address (I'm 
a Comcast customer at home) I found out their AS number; I could use 
that to find what address blocks are within that AS.  But that still 
doesn't tell me all of the official mail senders.)


		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
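An added example (mine, not code from the thread) of the poll-the-DNS-and-rebuild-ipf.conf script Steve describes, in Python. It resolves a list of hostnames, keeps every address seen across polls (since busy sites answer differently by time of day and by querier, one lookup is not the whole range), and renders ipf rules that block inbound TCP/25 before any SMTP daemon sees the connection. The interface name `fxp0` and the hostnames are assumptions; the resolver is injectable so the rule generation can be exercised offline.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Set

# Assumed interface name; adjust for your box. Load the output with
# e.g. "ipf -Fa -f /etc/ipf.conf" after each rebuild.
IFACE = "fxp0"


def resolve_a(host: str) -> Set[str]:
    """Return the IPv4 addresses the system resolver currently gives for host.
    An unresolvable name (NXDOMAIN, timeout) yields an empty set, not an error."""
    try:
        infos = socket.getaddrinfo(host, 25, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def poll(hosts: Iterable[str], seen: Dict[str, Set[str]],
         resolve: Callable[[str], Set[str]] = resolve_a) -> Dict[str, Set[str]]:
    """One polling round. Answers are merged into `seen` rather than replacing
    it, so an address handed out only at some times of day stays blocked
    once it has been observed. `seen` should persist between runs."""
    for host in hosts:
        seen.setdefault(host, set()).update(resolve(host))
    return seen


def ipf_rules(seen: Dict[str, Set[str]], iface: str = IFACE) -> str:
    """Render the accumulated addresses as ipf.conf rules (one /32 per
    address) refusing inbound SMTP on `iface`; hosts with no A records
    seen so far are noted in a comment so the gap is visible."""
    lines = []
    for host in sorted(seen):
        addrs = sorted(seen[host], key=ipaddress.IPv4Address)
        if not addrs:
            lines.append(f"# {host}: no A records seen yet")
            continue
        lines.append(f"# {host}")
        for addr in addrs:
            lines.append(f"block in quick on {iface} proto tcp "
                         f"from {addr}/32 to any port = 25")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed hostname; replace with the names you actually want blocked.
    print(ipf_rules(poll(["mail.example.invalid"], {})), end="")
```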