[rbldnsd] Excluding a CIDR range
Chris Gabe
chris at borderware.com
Fri Dec 2 01:59:39 MSK 2005
Matthew Sullivan wrote:
> Chris Gabe wrote:
>
>> It seems that the ! directive works only on individual ip addresses,
>> not address ranges.
>> I need to exclude a long list of CIDRs, effectively something like this
>> !1.2/16
>> !3.4.5/24
>> .... (many more entries)
>> Short of expanding these all out, is there any way to effect this?
>>
> This one can be answered in the archives...
>
> exclusions will always work if the CIDR mask is smaller than 24 (ie 25
> -> 32). However because of the way rbldnsd stores each entry
> internally if you have the following:
>
> 1.2.0.0/16
> !1.2.3.0/24
> 1.3.4.128/25
> !1.3.4.0/24
> 1.4.4.0/22
> !1.4.5.0/24
>
> Then the range 1.2.3.0/24 *will* be excluded, but 1.3.4.128/25 *will
> not* be excluded, and 1.4.5.0/24 *will* be excluded. The boundaries
> for this behavior are /8, /16 and /24.
>
> Regards,
>
> Mat
>
> PS: I still think we should have some sort of 'super exclude' which
> always overrides so people can whitelist their own ranges where the
> MTA has no mechanism for this.

So there's a problem implementing exclude within the normal include
framework.

To turn the problem around, since rbldnsd is so good at *includes*, why
not have an agreed ip address like 0.255.9.9 (or even a special
nonsensical A or TXT result) that means "clear any A records already
encountered, return no A record". Then you could have

:0.255.9.9
1.2/16
etc

meaning in effect, exclude 1.2/16 etc. Then the excludes don't need to
worry about the way rbldnsd stores stuff, it just rewinds and kicks out
when it encounters the ip.

Or maybe

:127.0.0.2:excludehereafter

--
Chris Gabe Phone: 905-804-1855 x283
Manager, Borderware Security Network Fax: 905-804-1865
Borderware Technologies Inc. http://www.borderware.com
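
Added example (not part of the original message and not rbldnsd's code): a small Python model of the behaviour described in the quoted reply, run over the six zone lines quoted there. It assumes entries are kept in /8, /16, /24 and /32 buckets, that a range is expanded to the next boundary, that lookup checks the most specific bucket first, and that an exclusion wins over a listing with the same key; the function names are hypothetical.

```python
import ipaddress

# Bucket granularities, following the boundaries named in the thread.
BOUNDARIES = (32, 24, 16, 8)

# Zone lines taken from the quoted reply ("!" marks an exclusion).
ZONE = [
    "1.2.0.0/16", "!1.2.3.0/24",
    "1.3.4.128/25", "!1.3.4.0/24",
    "1.4.4.0/22", "!1.4.5.0/24",
]

def load(lines):
    """Return {prefix_len: {network_as_int: is_exclusion}} for the zone."""
    buckets = {b: {} for b in BOUNDARIES}
    for line in lines:
        excluded = line.startswith("!")
        net = ipaddress.ip_network(line.lstrip("!"))
        # Assumption: a range is expanded to the next stored boundary,
        # e.g. a /25 becomes 128 /32 entries and a /22 becomes 4 /24 entries.
        bound = min(b for b in BOUNDARIES if b >= net.prefixlen)
        for sub in net.subnets(new_prefix=bound):
            key = int(sub.network_address)
            # Assumption: exclusion wins when the same key is also listed.
            buckets[bound][key] = excluded or buckets[bound].get(key, False)
    return buckets

def is_listed(buckets, addr):
    """Look up addr, most specific bucket first; the first hit decides."""
    ip = int(ipaddress.ip_address(addr))
    for bound in BOUNDARIES:
        key = ip & (0xFFFFFFFF << (32 - bound)) & 0xFFFFFFFF
        if key in buckets[bound]:
            return not buckets[bound][key]
    return False

if __name__ == "__main__":
    b = load(ZONE)
    for probe in ("1.2.3.4", "1.3.4.200", "1.3.4.5", "1.4.5.9"):
        print(probe, "listed" if is_listed(b, probe) else "not listed")
```

In this model 1.3.4.200 stays listed because the /25 was expanded into /32 entries, which are found before the /24 exclusion is ever consulted.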