Loading ...
Sorry, an error occurred while loading the content.

292523Re: [feature request] Subzero postscreen/dnsblog score to bypass after-220 tests?

Expand Messages
  • Stan Hoeppner
    Apr 12, 2013
    • 0 Attachment
      On 4/12/2013 12:58 AM, /dev/rob0 wrote:
      ...
      > So here's my idea (I think the parameter names are lousy, but it's
      > the best I could come up with this late at night):
      ...

      Or....

      Maybe you could bash script this:

      dig +short txt _netblocks.google.com|sed s/ip4://g \
      |mawk '{for(i=2; i<=(NF-1); i++){print($i)}}'

      which yields this formatted list of Google outbound CIDRs:

      216.239.32.0/19
      64.233.160.0/19
      66.249.80.0/20
      72.14.192.0/18
      209.85.128.0/17
      66.102.0.0/20
      74.125.0.0/16
      64.18.0.0/20
      207.126.144.0/20
      173.194.0.0/16

      then diff this against your postscreen whitelist and append any new
      entries. You'd cron this to a $suitable_interval, say nightly. If/when
      Google adds any new outbound networks you're covered.

      This seems quite a bit less effort than Wietse adding the feature you
      requested. The end result is nearly identical, at least for the Google
      case, and can easily be extended to cover other domains. And with this
      method the Google outbounds skip all Postscreen processing entirely, not
      just the after 220 tests.

      --
      Stan
    • Show all 9 messages in this topic