Subject: Re: DNS-based firewalling?
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Florian Stoehr <netbsd@wolfnode.de>
List: netbsd-users
Date: 01/10/2005 09:23:57
On Sun, 9 Jan 2005, Steven M. Bellovin wrote:

> In message <Pine.NEB.4.61.0501100026140.823@irina.net.flo>, Florian Stoehr writes:
>> Hi,
>>
>> I want to block all (ALL!) SMTP traffic from the whole "attbi.com"
>> IP address range for my private mail server.
>>
>> I know this is kinda rude and I also know I can do this in SMTP config.
>>
>> But I want a "you won't even connect at SMTP" solution in that case :-(
>>
>> Can anyone recommend a package here / solutions here? Or, on the other
>> hand, is it possible to find out the address range of a provider (for
>> blocking IP-based in ipf then).
>>
> Well, attbi.com no longer exists, at least in the forward lookup
> direction -- see
> http://faq.comcast.net/faq/answer.jsp?name=17799&cat=Email&subcategory=1
> That makes it rather hard to find out what address ranges are involved.
> I have no idea if there are any dns ranges that return PTR records
> saying attbi.com; there shouldn't be, but it's up the operator of each
> inverse zone to decide what they claim to be.

Well, OK, assume "videotron.ca", "*.biz" or whatever here.

>
> From a more general perspective, you write a script to poll the DNS and
> build an ipf.conf file, or -- according to ipf.conf(5) -- you can put host
> names in the ipf.conf file directly.

Yes, but unfortunately it doesn't accept "wildcards" here.

block in quick from *.biz to any :-)

> Note that apart from issues of
> DNS spoofing -- a concern from a security perspective, though I assume
> you're actually concerned here about spam-blocking, since Comcast (the
> actual owner of what was attbi.com) does not filter outbound port 25 --
> many DNS servers for busy sites will return different addresses at
> different times of day or to different queriers.
>
> Your real challenge is to define what you mean by the "attbi.com address
> range".  I suspect that what you're really saying is that you want to
> block all IP addresses allocated to customers of some ISP, but not the
> official mail senders from that ISP.

Yes, I'd basically like to do what

/.*videotron\.ca.*/
     REJECT

does in Postfix.

Really important on those machines for me is "*.de" and "netbsd.org", so 
it's not a problem if I block entire *.biz for example. I can live with 
missing a "real" mail from them.

> It may or may not be easy to get
> the information you need.  With a bit of work poking at the databases
> run by the various RIRs, you can probably figure out what address
> blocks are assigned to some ISP.  It's much harder to figure out what
> their mail servers are, though, and they may be within the affected
> block.  (For example, by using 'traceroute -a' towards my address (I'm
> a Comcast customer at home) I found out their AS number; I could use
> that to find what address blocks are within that AS.  But that still
> doesn't tell me all of the official mail senders.)
>
>
> 		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb

Hm, guess I'll take the code of "portfwd" and rewrite it to do a DNS 
lookup and compare against a blacklist before forwarding to the real SMTP.

Not what I call a "packet filter" but still effective in my case.

Thanks anyway.
-Florian
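The check described in this thread (reverse-resolve the connecting address, compare the PTR name against a list of domain suffixes, and emit an ipf rule for the hits) as an added, self-contained example; this is not code from either poster, nor from portfwd or ipf. It adds the forward-confirmation step Bellovin's DNS-spoofing remark calls for: a PTR name only counts if the name resolves back to the same address. The `SAMPLE_PTR` and `SAMPLE_A` tables are constructed stand-ins for real DNS answers so the example runs offline; the function names are the example's own.

```python
import ipaddress

# Constructed sample DNS data (assumption: stands in for real PTR/A lookups).
# IP -> PTR name (None = no PTR record published).
SAMPLE_PTR = {
    "192.0.2.10": "modemcable010.example.videotron.ca",
    "192.0.2.11": "mail.example.biz",
    "192.0.2.12": "mx1.netbsd.org",
    "192.0.2.13": "host13.example.de",   # PTR claims .de, forward lookup disagrees
    "198.51.100.5": None,                # no reverse DNS at all
}
# Host name -> A records.
SAMPLE_A = {
    "modemcable010.example.videotron.ca": ["192.0.2.10"],
    "mail.example.biz": ["192.0.2.11"],
    "mx1.netbsd.org": ["192.0.2.12"],
    "host13.example.de": ["203.0.113.9"],   # does not point back -> unconfirmed
}

# Suffixes to block; "biz" covers the whole *.biz TLD, as in the thread.
BLOCKLIST = ["videotron.ca", "biz"]


def resolve_ptr(ip):
    """Stand-in for a PTR lookup (would be socket.gethostbyaddr in practice)."""
    return SAMPLE_PTR.get(ip)


def resolve_a(name):
    """Stand-in for an A lookup (would be socket.gethostbyname_ex in practice)."""
    return SAMPLE_A.get(name, [])


def name_matches(name, suffixes):
    """Return the first suffix that matches NAME on a label boundary, else None.

    Label-wise comparison avoids "notbiz.com" matching the suffix "biz".
    """
    labels = name.lower().rstrip(".").split(".")
    for suffix in suffixes:
        s_labels = suffix.lower().strip(".").split(".")
        if len(labels) >= len(s_labels) and labels[-len(s_labels):] == s_labels:
            return suffix
    return None


def classify(ip, blocklist, ptr_lookup=resolve_ptr, a_lookup=resolve_a):
    """Decide what to do with a connecting IP: ('block'|'allow'|'unverified', reason).

    A PTR name is trusted only if the name's A records include the IP
    (forward-confirmed reverse DNS); otherwise the answer is 'unverified'
    and policy, not this function, decides whether that means block.
    """
    ptr = ptr_lookup(ip)
    if ptr is None:
        return "unverified", "no PTR record"
    if ip not in a_lookup(ptr):
        return "unverified", f"PTR {ptr} is not forward-confirmed"
    hit = name_matches(ptr, blocklist)
    if hit:
        return "block", f"{ptr} matches *.{hit}"
    return "allow", ptr


def ipf_rule(ip):
    """ipf rule blocking inbound SMTP from a single host (/32 or /128)."""
    net = ipaddress.ip_network(ip)
    return f"block in quick proto tcp from {net} to any port = 25"


def build_rules(ips, blocklist, block_unverified=False):
    """Generate ipf rules for every IP the policy says to block."""
    rules = []
    for ip in ips:
        decision, _reason = classify(ip, blocklist)
        if decision == "block" or (block_unverified and decision == "unverified"):
            rules.append(ipf_rule(ip))
    return rules


if __name__ == "__main__":
    for ip in SAMPLE_PTR:
        print(ip, *classify(ip, BLOCKLIST))
    print("\n".join(build_rules(SAMPLE_PTR, BLOCKLIST)))
```

Feeding the generated lines into a periodically rebuilt ipf.conf gives the "won't even connect" behaviour asked for, with the caveat from the thread intact: a PTR name is the operator of the inverse zone's claim, so the forward check is what keeps a spoofed or stale PTR from blocking (or passing) the wrong host, and the unverified case is left as an explicit policy knob.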