[rbldnsd] "default refuse" ACL in rbldnsd 0.996
Anders Henke
anders at schlund.de
Thu Jul 6 15:00:36 MSD 2006
Hi,
I'm experimenting a little bit with the ACL mechanism in rbldnsd and
found out that (using rbldnsd 0.996) default or "catch all other" rules
by means of "0/0" or "0.0.0.0/0" are being rejected as "invalid
address".
Sample ACL files used:
---cut
:pass
10.0.0.0/8
192.168.0.0/16
172.16.0.0/12
:refuse
0.0.0.0/0
---cut
or
---cut
10.0.0.0/8:pass
192.168.0.0/16:pass
172.16.0.0/12:pass
0.0.0.0/0:refuse
---cut
(at first, I tried 0/0 instead of 0.0.0.0/0 - which also led to the same error).
Using one of those acl-files results in this startup message:
rbldnsd: listening on 0.0.0.0/53
rbldnsd: file myownacl(22): invalid address
rbldnsd: acl:myownacl: 20060706 103500: ent=12 nodes=19 mem=380
rbldnsd: ip4set:rbldnsd-soa-ns-head,accept.bl: 20060606 143817: e32/24/16/8=1161/464/30/1
rbldnsd: zones reloaded, time 0.0e/0.0u sec, mem arena=316 free=119 mmap=0 Kb
rbldnsd: rbldnsd version 0.996 (19 Feb 2006) started (1 socket(s), 1 zone(s))
As a workaround, I've been successfully using
---cut
:refuse
0.0.0.0/1
128.0.0.0/1
---cut
and
---cut
:refuse
0/1
128/1
---cut
However, I think it's worth adding "real" 0/0-support to ACLs (or at
least document how to create a "default" ACL).
Why this "default refuse"-thing?
This is commonly used as additional security against e.g. a failing packet filter.
You configure every allowed network as "pass" and refuse "the rest of the world".
If the packet filter fails, the bad guys still won't have access to your service.
Even if you're not keen on that additional security, you can also use
this feature to serve different zones with different levels of access security
on the same (public) server. Zones that are only to be available within
your organisation (e.g. your very private zones or zones like rbl+
you're not permitted to distribute), can be given such a "default
reject" ACL and still be served from the same rbldnsd instance.
Anders
--
Schlund + Partner AG Systemadministration und Steinzeitmanagement
Brauerstrasse 48 v://49.721.91374.50
D-76135 Karlsruhe f://49.721.91374.225
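An added example, not rbldnsd's code and not from the post above, that models the two ACL layouts shown in the mail: it parses either form, expands abbreviated prefixes such as 0/1 and 128/1, decides pass/refuse by an assumed most-specific-match rule (rbldnsd's own evaluation order is not described here), and checks whether the entries really cover the whole IPv4 space, which is what a "default refuse" rule is meant to guarantee when the packet filter in front of the server fails.

```python
import ipaddress

# Constructed sample ACL in the mail's section layout, with the rejected
# 0/0 entry replaced by the 0/1 + 128/1 workaround.
SECTION_ACL = """\
:pass
10.0.0.0/8
192.168.0.0/16
172.16.0.0/12
:refuse
0/1
128/1
"""
# The same rules in the per-line 'prefix:action' layout the mail also shows.
SUFFIX_ACL = "10.0.0.0/8:pass\n192.168.0.0/16:pass\n172.16.0.0/12:pass\n0.0.0.0/1:refuse\n128.0.0.0/1:refuse\n"

def expand_prefix(text):
    """Expand an abbreviated prefix like '128/1' (assumed model: missing octets are zero).
    Garbage such as '300/8' makes ip_network() raise ValueError, i.e. 'invalid address'."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"))

def parse_acl(text):
    """Parse either layout into a list of (network, action) entries."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):  # ':pass' / ':refuse' section header
            current = line[1:]
            continue
        prefix, _, action = line.partition(":")  # 'prefix:action' form
        action = action or current
        if action not in ("pass", "refuse"):
            raise ValueError(f"no action for entry: {line}")
        entries.append((expand_prefix(prefix), action))
    return entries

def decide(entries, client_ip):
    """Most specific match wins (assumed model, not rbldnsd's rule); 'unmatched' marks a gap."""
    ip = ipaddress.ip_address(client_ip)
    hits = [e for e in entries if ip in e[0]]
    return max(hits, key=lambda e: e[0].prefixlen)[1] if hits else "unmatched"

def covers_everything(entries):
    """True if the entries leave no IPv4 address unmatched, i.e. form a real default rule."""
    merged = list(ipaddress.collapse_addresses(n for n, _ in entries))
    return merged == [ipaddress.ip_network("0.0.0.0/0")]
```

Running covers_everything() against an ACL that has only :pass entries returns False, which is exactly the gap a 0/0 (or 0/1 + 128/1) refuse rule closes.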