[rbldnsd] Excluding a CIDR range
Chris Gabe
chris at borderware.com
Fri Dec 2 04:49:26 MSK 2005
On Dec 1, 2005, at 6:56 PM, Matthew Sullivan wrote:
> furio ercolessi wrote:
>
>> On Fri, Dec 02, 2005 at 10:15:33AM +1100, Matthew Sullivan wrote:
>>
>> Superexclude should not replace the current exclude, so it should
>> be notated differently. Let us temporarily indicate it with !!
>>
> Agreed.
>
>>> At this point remember that everyone has their own zone format,
>>> eg SORBS will create the zones with includes first and excludes
>>> afterwards. Also what do you do if you see:
>>>
>>> 1/8
>>> !1.2/16
>>> 1.2.3/24
>>>
>>> Personally I would expect, to exclude 1.2/16 from 1/8 but include
>>> 1.2.3/24 specifically....
>>
>> I agree (this is what it does, right?), but
>>
> IIRC no because of the net boundaries in the internal structures
> 1/8 would be listed. (Michael correct me if I'm wrong please ;-))
Well, I tried the above and found that 1.2.2.2 is excluded and
1.2.3.4 is included.
However, I think Matthew is right there are issues with the /8/16/24
boundaries. My issue is even simpler case
1.2.3.4
!1.2.3/24
Then 1.2.3.4 is included, and I wouldn't want that. So, my ISP that
uses mail-abuse that lists DULs can't exclude his own DULs by CIDRs.
>> 1/8
>> !!1.2/16
>> 1.2.3/24
>>
>> should not list 1.2.3/24, because !!1.2/16 wins -- it is a
>> superexclude.
>>
> If you have super exclude yes.
Well, yes, the !! is a cleaner and more general concept but it's
going down a path of logical debate which isn't the problem I really
worried about. The above /24 example is. What I believe I need is
"I don't care what came before, or what would have come after, we're
done, this is not a match, stop". (*)
So, from an implementation point of view, if there were something
that just checked every match for a particular result, one single
comparison to a hard and fast ip, say 0.255.9.9, so that
:0.255.9.9:excludeme
x.y.z/whatever
would always stop processing the moment it hit something matching
x.y.z/whatever. It ought to be easy to implement, as it uses the
include detection mechanism (which is always without question going
to work) and has a single 4 byte word comparison I would think on
each match detected.
(*) Maybe it's not that simple, maybe I don't want that. But it
seems to be the case. For example, ISP uses mail-abuse.org that
lists DULs. ISP customers are DULs. Wants to allow them through in
spite of being listed on mail-abuse, even if they have other worse
issues than being DULs. I suppose the next request they will have is
"let my own DULs through if that (DUL) is the only reason they are
listed". But given that mail-abuse doesn't distinguish the reasons
necessarily, that seems impossible.
I hope I'm making some sense, it's not imperative that any of this is
the way to solve the problem. Obviously the MTA can provide other
mechanisms to avoid the RBL check entirely... We'll do that in the
long run. We are actually the vendor of the MTA software in this
case, as well as the rbldnsd, but one can't necessarily change such
commercial software in a flash.
>>> seems a reasonable request, but how about if we do this:
>>>
>>> 1/8
>>> 1.2.3/24
>>> !1.2/16
>>>
>>> Would this be handled differently?
>>>
>>
>> I would not expect the result depend on the order under any
>> circumstance.
>>
> Good, nor I.
>
> _______________________________________________
> rbldnsd mailing list
> rbldnsd at corpit.ru
> http://www.corpit.ru/mailman/listinfo/rbldnsd
________________________________________________________________________
Chris Gabe Manager, Borderware
Security Network
Phone: 905-804-1855 x283 Fax: 905-804-1865
Borderware Technologies Inc. http://www.borderware.com
More information about the rbldnsd
mailing list