Hello development list,
today, I'd like to discuss whether a new feature in the firewall engine of IPFire makes sense or not.
Since Core Update 90, IPFire supports GeoIP based firewall rules, which goes beyond simple IP addresses or CIDR blocks and makes firewalling easier.
The idea I had in mind is to add ASN (Autonomous System Number) support for firewall rules, too.
An AS (Autonomous System) can be described as an administrative instance on top of IP: for example, several IP blocks belong to an AS, i.e. to the same company, university or whatever. Although these blocks may be used for completely different purposes in completely different countries, they share the same owner.
Every AS has a number (ASN) and a description (sometimes abbreviated to ASDescr), the number being unique.
There are some scenarios in which AS based firewall rules make sense, since AS information changes less often than IP ranges:
(a) One wants to block malicious traffic, but blocking entire countries is too much since there are some legitimate partners, customers, ... out there. With AS support, it is possible to grant them access by simply permitting their AS. The rest of the country may now safely be blocked.
(b) In some cases, IP ranges change very often, making firewall rules very complex and hard to maintain, or the exact IP address of a machine cannot be determined (dial-up connections). In both cases, the AS (mostly) stays the same and allows firewall rules without permitting access to a whole country.
(c) Rogue ISPs (networks which are controlled/operated by professional spammers or worse, such as the "Russian Business Network" (RBN), which died at the end of 2007) sometimes run networks located in "good" countries such as US or NL. Blocking them by GeoIP is not an option because of many false positives. AS based rules may help here.
Since the data behind this can be extracted from BGP feeds, no external databases (such as MaxMind) are required.
Unfortunately, my programming skills are too low for implementing this feature. Therefore, if it is decided to do this, I will need some help here. :-)
Technically, this is similar to the GeoIP firewall stuff (just another database), so I assume most of the work done there can just be copied.
Any thoughts on this idea?
Best regards, Peter Müller
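As an added illustration of the proposal above (example code written here, not IPFire's firewall code and not part of Peter's message), the Python below builds an IP-to-ASN table from a constructed, BGP-style list of "prefix origin-ASN" lines, resolves a source address with a longest-prefix match, and evaluates a rule set that can match on either ASN or country, so that scenario (a) (permit one partner's AS, block the rest of its country) can be tried offline. The prefixes, ASNs, country assignments and rule set are all constructed sample data using documentation-reserved ranges; `load_table`, `lookup` and `evaluate` are hypothetical names, not an IPFire API.

```python
"""Added example: ASN-based firewall matching on top of a BGP-style prefix table.

Not IPFire code. All data below is constructed for illustration:
- prefixes come from the documentation ranges (192.0.2.0/24, 198.51.100.0/24,
  203.0.113.0/24, 2001:db8::/32);
- ASNs 64500-64503 are in the documentation-reserved ASN range.
"""
import ipaddress

# Constructed sample of what one would extract from a BGP routing table:
# one "prefix origin-ASN" pair per line. Note the more specific /25 inside
# 192.0.2.0/24 that is announced by a different AS.
BGP_TABLE = """\
192.0.2.0/24     64500
192.0.2.128/25   64501
198.51.100.0/24  64502
203.0.113.0/24   64503
2001:db8::/32    64500
"""

# Constructed stand-in for the GeoIP database already used by IPFire:
# "prefix country-code" per line.
GEOIP_TABLE = """\
192.0.2.0/24     US
198.51.100.0/24  US
203.0.113.0/24   NL
2001:db8::/32    US
"""

# A rule is (action, (selector_kind, value)); first match wins.
# Scenario (a): the partner in AS64501 is allowed explicitly, then the whole
# country is dropped, then everything else is accepted.
RULES = [
    ("ACCEPT", ("asn", 64501)),
    ("DROP",   ("country", "US")),
    ("ACCEPT", ("any", None)),
]

MAX_ASN = 2**32 - 1  # 4-byte ASNs


def load_table(text, value_type):
    """Parse 'prefix value' lines into a list of (network, value).

    The list is sorted by prefix length, longest first, so that a linear
    scan in lookup() returns the most specific matching prefix.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, raw_value = line.split()
        value = value_type(raw_value)
        if value_type is int and not 0 <= value <= MAX_ASN:
            raise ValueError("ASN out of range: %d" % value)
        entries.append((ipaddress.ip_network(prefix, strict=False), value))
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return entries


def lookup(table, ip):
    """Longest-prefix match; returns the value for ip or None if unrouted."""
    addr = ipaddress.ip_address(ip)
    for net, value in table:
        if addr.version == net.version and addr in net:
            return value
    return None


def evaluate(rules, asn_table, geo_table, src_ip):
    """Return the action of the first rule matching src_ip (default DROP)."""
    asn = lookup(asn_table, src_ip)
    country = lookup(geo_table, src_ip)
    for action, (kind, value) in rules:
        if kind == "any":
            return action
        if kind == "asn" and asn is not None and asn == value:
            return action
        if kind == "country" and country is not None and country == value:
            return action
    return "DROP"


if __name__ == "__main__":
    asn_table = load_table(BGP_TABLE, int)
    geo_table = load_table(GEOIP_TABLE, str)
    for ip in ("192.0.2.200", "192.0.2.10", "203.0.113.5", "2001:db8::1", "10.0.0.1"):
        print(ip, lookup(asn_table, ip), lookup(geo_table, ip),
              evaluate(RULES, asn_table, geo_table, ip))
```

The point of the overlapping /24 and /25 in the sample is that a correct ASN match must use the most specific announced prefix, exactly as a router would, otherwise the partner in AS64501 would be misattributed to AS64500 and dropped with the rest of the country. An address that appears in neither table (10.0.0.1 in the sample) matches no ASN or country rule and falls through to the catch-all, which is the case a real implementation would want to decide on explicitly.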