From: "Peter Müller" <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: ASN support for iptables
Date: Sun, 19 Nov 2017 15:52:14 +0100
Message-ID: <20171119155214.17e06a7c.peter.mueller@link38.eu>
Hello development list,

today, I'd like to discuss whether a new feature in
the firewall engine of IPFire makes sense or not.

Since Core Update 90, IPFire supports GeoIP based firewall
rules, which go beyond simple IP addresses or CIDR blocks
and make firewalling easier.

The idea I had in mind is to add ASN (Autonomous System
Number) support for firewall rules, too.

An AS (Autonomous System) can be described as an administrative
instance on top of IP: for example, several IP blocks belong
to an AS, i.e. to the same company, university or whatever.
Although these blocks may be used for completely different purposes
in completely different countries, they share the same owner.

Every AS has a number (ASN) and a description (sometimes
abbreviated to ASDescr); the number is unique.

There are some scenarios in which AS based firewall rules
make sense, since AS information changes less often than
IP ranges:

(a) One wants to block malicious traffic, but blocking entire
countries is too much since there are some legitimate partners,
customers, ... out there. With AS support, it is possible to
grant them access by simply permitting their AS. The rest of
the country may now safely be blocked.

(b) In some cases, IP ranges change very often, making firewall
rules very complex and hard to maintain, or the exact IP address
of a machine cannot be determined (dial-up connections). In
both cases, the AS (mostly) stays the same and allows firewall
rules without permitting access to a whole country.

(c) Rogue ISPs (networks which are controlled/operated by professional
spammers or worse, such as the "Russian Business Network" (RBN),
which died at the end of 2007) sometimes run networks located in "good"
countries such as the US or NL. Blocking them by GeoIP is not an
option because of many false positives. AS based rules may help
here.

Since the data behind this can be extracted from BGP feeds,
no external databases (such as MaxMind) are required.

Unfortunately, my programming skills are too low for implementing
this feature. Therefore, if it is decided to do this, I will need
some help here. :-)

Technically, this is similar to the GeoIP firewall stuff (just
another database), so I assume most of the work done there can
just be copied.

Any thoughts on this idea?

Best regards,
Peter Müller
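The mechanics Peter sketches (a prefix-to-origin-AS table derived from BGP data, a longest-prefix lookup from an address to its AS, and firewall rules that match on an AS rather than on a country) can be shown in a few lines. The following is an added example and is not IPFire code nor anything from this thread. It assumes a constructed table in "prefix ASN description" form (RFC 5737 documentation prefixes and RFC 5398 documentation ASNs, not real routing data), a set naming convention of `AS<number>` that is our own choice, and that the rules are realised with `ipset` hash:net sets referenced from iptables via `-m set --match-set`. It also handles the one edge case a practitioner runs into immediately: a more-specific prefix inside an AS's block that is announced by a different AS, which must be carved out with `nomatch` so the set agrees with the longest-prefix-match view.

```python
import ipaddress

# Constructed sample of a prefix -> origin-ASN table, in the shape one would
# derive from a BGP RIB dump. Prefixes are RFC 5737 documentation ranges and
# ASNs are from the RFC 5398 documentation range; nothing here is real data.
SAMPLE_TABLE = """\
# prefix            origin_asn   description
192.0.2.0/24        64496        EXAMPLE-UNI (hypothetical)
192.0.2.128/25      64497        EXAMPLE-HOSTING (hypothetical, more specific)
198.51.100.0/24     64496        EXAMPLE-UNI (hypothetical)
203.0.113.0/24      64498        EXAMPLE-ISP (hypothetical)
"""


def parse_table(text):
    """Parse 'prefix asn description' lines into (network, asn, descr) tuples.

    strict=True rejects prefixes with host bits set, which in a real feed
    usually means a mangled line rather than a legitimate route.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, asn, *descr = line.split()
        net = ipaddress.ip_network(prefix, strict=True)
        entries.append((net, int(asn), " ".join(descr)))
    return entries


def asn_for_ip(addr, entries):
    """Longest-prefix match: the most specific covering prefix decides the ASN.

    Returns None when no prefix in the table covers the address.
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for net, asn, _ in entries:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, asn)
    return best[1] if best else None


def prefixes_for_asn(asn, entries):
    """All prefixes the table attributes to the given ASN, in address order."""
    nets = [net for net, a, _ in entries if a == asn]
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def ipset_commands(asn, entries, chain="INPUT", target="DROP"):
    """Render ipset/iptables commands that realise one AS based rule.

    The set name 'AS<number>' is this example's own convention. More-specific
    prefixes announced by a *different* AS are added with 'nomatch' so that a
    packet from them does not match this AS's set.
    """
    name = f"AS{asn}"
    cmds = [f"ipset create {name} hash:net -exist"]
    for net in prefixes_for_asn(asn, entries):
        cmds.append(f"ipset add {name} {net} -exist")
        for other, a, _ in entries:
            if (a != asn and other.version == net.version
                    and other != net and other.subnet_of(net)):
                cmds.append(f"ipset add {name} {other} nomatch -exist")
    cmds.append(f"iptables -A {chain} -m set --match-set {name} src -j {target}")
    return cmds


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for addr in ("192.0.2.10", "192.0.2.200", "203.0.113.5", "10.0.0.1"):
        print(addr, "->", asn_for_ip(addr, table))
    print("\n".join(ipset_commands(64496, table)))
```

Run as-is it prints the AS lookup for four constructed addresses and the command list for AS64496; the address 192.0.2.200 resolves to AS64497 rather than AS64496 because the /25 is more specific, and the generated set for AS64496 accordingly carries a `nomatch` entry for 192.0.2.128/25. The `-exist` flag makes the create/add steps idempotent, which matters when the table is regenerated from a fresh BGP dump and the script is re-run.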
Thread overview: 8+ messages
2017-11-19 14:52 Peter Müller [this message]
2017-11-19 15:58 ` Michael Tremer
2017-11-20 19:03 ` Peter Müller
2017-11-21 13:12 ` Michael Tremer
2017-11-24 18:31 ` Peter Müller
2017-11-28 14:49 ` Michael Tremer
2017-12-04 16:47 ` Peter Müller
2017-12-05 17:29 ` Michael Tremer