
Blocking Entire Network

  • George Rae
    Message 1 of 9 , Mar 31, 2006
      Is it possible to block an entire network (Class C) with REJECT in the
      access file.


      Regards

      George
    • Magnus Bäck
      Message 2 of 9 , Mar 31, 2006
        On Friday, March 31, 2006 at 23:31 CEST,
        George Rae <grae@...> wrote:

        > Is it possible to block an entire network (Class C) with REJECT in the
        > access file.

        Quoting access(5):

        net.work.addr.ess
        net.work.addr
        net.work
        net
                Matches the specified IPv4 host address or subnetwork.
                An IPv4 host address is a sequence of four decimal
                octets separated by ".".

                Subnetworks are matched by repeatedly truncating the
                last ".octet" from the remote IPv4 host address string
                until a match is found in the access table, or until
                further truncation is not possible.


        --
        Magnus Bäck
        magnus@...
      • Elijah Savage
        Message 3 of 9 , Mar 31, 2006
          George Rae wrote:
          > Is it possible to block an entire network (Class C) with REJECT in the
          > access file.
          >
          >
          > Regards
          >
          > George
          >
          I prefer to do this type of stuff on the firewall hopefully in front of
          your mail server when it comes to full blocks like this.

          --
          ----------------------------------------------------------------------
          Elijah Savage | AOL IM:layer3rules
          Senior Network Engineer | When it has to be switched or routed.
          http://www.digitalrage.org | The Information Technology News Center
          ----- http://www.digitalrage.org/?page_id=46 for pgp public key--------
        • John Beaver
          Message 4 of 9 , Mar 31, 2006
            Elijah Savage wrote:
            > George Rae wrote:
            >> Is it possible to block an entire network (Class C) with REJECT in the
            >> access file.
            >>
            If you have to do it within postfix (i.e. no firewall available), you
            can do this. Use the CIDR table, makes it very easy and also doesn't
            require a postfix reload when making changes to the file.

            john
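The two lookup styles discussed so far (the access(5) octet-truncation rule Magnus quoted, and the CIDR table John suggests) behave differently on ordering and on how a network is written. The following is an added example, not code from the thread or from Postfix itself: it reimplements both lookup rules in Python over constructed tables and a constructed /24 (192.0.2.0/24, a documentation range), so the reader can see which entry wins for a given client address. The table contents, addresses and reject text are made up for the demonstration; the Postfix directives named in the comments (`check_client_access`, `hash:` and `cidr:` tables) are real.

```python
"""
Added example: resolve a connecting client's IPv4 address the way
Postfix does against (a) an access(5)-style table, where a network is
written as a truncated dotted prefix ("192.0.2"), and (b) a
cidr_table(5)-style table, where it is written in CIDR notation
("192.0.2.0/24"). Everything below is constructed for illustration.

Where each table would be wired in (real Postfix directives):
  main.cf:  smtpd_client_restrictions =
                check_client_access hash:/etc/postfix/access
  or:       smtpd_client_restrictions =
                check_client_access cidr:/etc/postfix/client_access
"""
import ipaddress

# Constructed access(5)-style table (the kind fed to postmap).
# Network keys are written without the trailing ".octet".
ACCESS_TABLE = """\
# client netblock      action
192.0.2                REJECT Netblock blocked; contact postmaster@example.org
198.51.100.77          OK
198.51.100             REJECT
"""

# Constructed cidr_table(5)-style table. No postmap step is needed, but the
# file is read when an smtpd process starts, so edits reach new processes
# only. In a cidr table the FIRST matching line wins, so the /32 exception
# has to come before the /24 it carves out of.
CIDR_TABLE = """\
# client netblock      action
198.51.100.77/32       OK
192.0.2.0/24           REJECT Netblock blocked; contact postmaster@example.org
198.51.100.0/24        REJECT
"""


def parse_table(text):
    """Split 'key action...' lines; blanks and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        action = parts[1] if len(parts) > 1 else ""
        entries.append((parts[0], action))
    return entries


def access_lookup(table, client_ip):
    """access(5) rule: try the full address, then strip the last '.octet'
    repeatedly until a key matches or no more truncation is possible.
    Because the most specific form is tried first, file order is irrelevant."""
    lookup = dict(table)
    candidate = client_ip
    while True:
        if candidate in lookup:
            return lookup[candidate]
        if "." not in candidate:
            return None  # no entry for this host or any enclosing prefix
        candidate = candidate.rsplit(".", 1)[0]


def cidr_lookup(table, client_ip):
    """cidr_table(5) rule: walk the file top to bottom, first network that
    contains the address wins."""
    addr = ipaddress.ip_address(client_ip)
    for key, action in table:
        if addr in ipaddress.ip_network(key, strict=False):
            return action
    return None


if __name__ == "__main__":
    access = parse_table(ACCESS_TABLE)
    cidr = parse_table(CIDR_TABLE)
    for ip in ("192.0.2.77", "198.51.100.77", "198.51.100.78", "203.0.113.5"):
        print(f"{ip:16} access: {access_lookup(access, ip)!r:60} "
              f"cidr: {cidr_lookup(cidr, ip)!r}")
```

Note how the two tables express the same policy: the whole 192.0.2.0/24 is rejected in both, and a single host inside 198.51.100.0/24 is whitelisted. In the access table the exception works regardless of where it sits, because truncation always tries the full address first; in the cidr table the exception only works because it is listed before the broader /24. The reject text carries a reachable contact address, which is the point mouss raises later in the thread about not telling a sender to contact an address that is itself rejected.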
          • mouss
            Message 5 of 9 , Mar 31, 2006
              Elijah Savage wrote:
              > George Rae wrote:
              >> Is it possible to block an entire network (Class C) with REJECT in the
              >> access file.
              >>
              >>
              >> Regards
              >>
              >> George
              >>
              > I prefer to do this type of stuff on the firewall hopefully in front of
              > your mail server when it comes to full blocks like this.
              >

              that's debatable. if the client you block is a real mta, you'd better
              reject at smtp level. otherwise, it will retry for 4/5 days...

              also, it is really bad practice to reject mail to postmaster (or a
              designed address). I already got rejected by systems saying "sorry, ...
              blahblah ... you can contact foo@...", but sending mail to
              foo@... yields the same error.

              In any case, I prefer that your system rejects my mail (so my mta gives
              me a bounce) than sleep/hang/... thus using my resources for no reason.
              you can choose a crusade against spammers, but don't get innocent people
              mad at you.
            • mouss
              Message 6 of 9 , Mar 31, 2006
                John Beaver wrote:
                > Elijah Savage wrote:
                >> George Rae wrote:
                >>> Is it possible to block an entire network (Class C) with REJECT in the
                >>> access file.
                >>>
                > If you have to do it within postfix (i.e. no firewall available), you
                > can do this. Use the CIDR table, makes it very easy and also doesn't
                > require a postfix reload when making changes to the file.

                cidr does require postfix reload.
              • Elijah Savage
                Message 7 of 9 , Mar 31, 2006
                  mouss wrote:
                  > Elijah Savage wrote:
                  >> George Rae wrote:
                  >>> Is it possible to block an entire network (Class C) with REJECT in the
                  >>> access file.
                  >>>
                  >>>
                  >>> Regards
                  >>>
                  >>> George
                  >> I prefer to do this type of stuff on the firewall hopefully in front of
                  >> your mail server when it comes to full blocks like this.
                  >>
                  >
                  > that's debatable. if the client you block is a real mta, you'd better
                  > reject at smtp level. otherwise, it will retry for 4/5 days...
                  >
                  > also, it is really bad practice to reject mail to postmaster (or a
                  > designed address). I already got rejected by systems saying "sorry, ...
                  > blahblah ... you can contact foo@...", but sending mail to
                  > foo@... yields the same error.
                  >
                  > In any case, I prefer that your system rejects my mail (so my mta gives
                  > me a bounce) than sleep/hang/... thus using my resources for no reason.
                  > you can choose a crusade against spammers, but don't get innocent people
                  > mad at you.

                  I would agree with this, considering what he asked for I considered his
                  question needed a drastic answer and that he was already at his wit's
                  end. My way of handling things like this is in a progressive manner.
                  Meaning some of the first steps would be trying to handle it on the MTA
                  and if no satisfactory progress is made then move to the second phase.
                  It is just my assumption when you are talking about blocking an ENTIRE
                  subnet something like a class C or larger you are way beyond the
                  previous stages, of having tried to contact the remote networks MTA
                  admin, rejecting with the MTA etc etc.

                  But I know everyone does not do it that way and that my way is not
                  necessarily the right way that is just one of many approaches.

                  Also aren't most of these issues debatable? :) That's like the age old
                  question which Unix is best? Most seasoned veterans I have heard say
                  depends on your task at hand and which one you are most comfortable
                  with. Though most of the time there's a methodical way of reaching that
                  conclusion and each one of us will have a different way and version we
                  pick. :)

                  Mouss you do point out some very good considerations George should weigh
                  before he jumps to this.

                  --
                  ----------------------------------------------------------------------
                  Elijah Savage | AOL IM:layer3rules
                  Senior Network Engineer | When it has to be switched or routed.
                  http://www.digitalrage.org | The Information Technology News Center
                  ----- http://www.digitalrage.org/?page_id=46 for pgp public key--------
                • mouss
                  Message 8 of 9 , Mar 31, 2006
                    Elijah Savage wrote:
                    >
                    > I would agree with this, considering what he asked for I considered his
                    > question needed a drastic answer and that he was already at his wits
                    > end. My way of handling things like this is in a progressive manner.
                    > Meaning some of the first steps would be trying to handle it on the MTA
                    > and if no satisfactory progress is made then move to the second phase.
                    > It is just my assumption when you are talking about blocking an ENTIRE
                    > subnet something like a class C or larger you are way beyond the
                    > previous stages, of having tried to contact the remote networks MTA
                    > admin, rejecting with the MTA etc etc.
                    >

                    yes, he seems to be getting mad after some netblock... of course, if these
                    actively "annoy" him, a packet-dropping approach may be chosen. but he
                    should think of this long before doing it.

                    > But I know everyone does not do it that way and that my way is not
                    > necessarily the right way that is just one of many approaches.
                    >
                    > Also aren't most of these issues debatable? :)

                    of course! and if it was not, we (at least me) would get less fun:)

                    > That's like the age old
                    > question which Unix is best?

                    <ole>
                    oh no, this is not debatable. the best unix is Windows-XP:)
                    <ole/>
                  • Harvey Smith
                    Message 9 of 9 , Apr 1, 2006
                      On Sat, Apr 01, 2006 at 01:01:55AM +0200, mouss wrote:
                      > John Beaver wrote:
                      > >Elijah Savage wrote:
                      > >>George Rae wrote:
                      > >>>Is it possible to block an entire network (Class C) with REJECT in the
                      > >>>access file.
                      > >>>
                      > >If you have to do it within postfix (i.e. no firewall available), you
                      > >can do this. Use the CIDR table, makes it very easy and also doesn't
                      > >require a postfix reload when making changes to the file.
                      >
                      > cidr does require postfix reload.

                      No, not really, it doesn't get picked up automatically like the hash
                      tables, but the smtpd processes are relatively short lived.

                      --
                      Harvey