[rbldnsd] "default refuse" ACL in rbldnsd 0.996
Michael Tokarev
mjt at tls.msk.ru
Thu Jul 6 18:56:25 MSD 2006
Anders Henke wrote:
> Hi,
>
> I'm experimenting a little bit with the ACL mechanism in rbldnsd and
> found out that (using rbldnsd 0.996) default or "catch all other" rules
> by means of "0/0" or "0.0.0.0/0" are being rejected as "invalid
> address".
Yes, this is a known limitation. Internally, rbldnsd uses a zero-length
prefix as an error indicator. And sometimes it uses the all-zeros IP address
in a similar way. So it isn't easy to fix... ;)
[]
> As a workaround, I've been successfully using
>
> ---cut
> :refuse
> 0.0.0.0/1
> 128.0.0.0/1
> ---cut
>
> and
>
> ---cut
> :refuse
> 0/1
> 128/1
> ---cut
>
> However, I think it's worth adding "real" 0/0-support to ACLs (or at
> least document how to create a "default" ACL).
Yup, you're right. I'll add something into the manpage ;)
Or maybe it's simpler to recognize some special keyword
here, like
default refuse
1.2.3.0/24 pass
...
?
Sure it's better to allow things like "0/0 whatever". But
with explicit default entry the resulting ACL tree will be
neater internally as well...
> Why this "default refuse"-thing?
Well, an ability to specify default access level is definitely needed,
there's no question here.
> This is commonly used as additional security against e.g. a failing packet filter.
> You configure every allowed network as "pass" and refuse "the rest of the world".
> If the packet filter fails, the bad guys still won't have access to your service.
Hmm. I'd strongly suggest using "ignore" instead of "refuse" here.
"refuse" means rbldnsd will actually send replies to every incoming packet,
saying that it refuses to answer. While "ignore" means it will pretend
there was no packet received at all. That makes a huge difference, especially
when you're under attack (being DDoSed with packets coming from random
fake source addresses).
/mjt
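Added example, not from the thread or from rbldnsd itself: a small Python checker that parses an ACL in the shape quoted above (including the abbreviated `0/1`, `128/1` form), resolves an address against it, and verifies that the listed prefixes really cover the whole IPv4 space, which is what the two /1 halves are meant to achieve in place of 0/0. The short-form expansion and longest-prefix-wins semantics are assumptions for this example, not rbldnsd's documented behaviour.

```python
import ipaddress

# Constructed ACL in the spirit of the quoted workaround: two /1 halves stand in
# for the unsupported 0/0 catch-all, plus an explicit pass list (example data).
ACL_TEXT = """\
:refuse
0/1
128/1
:pass
192.0.2.0/24
198.51.100.0/24
"""

def expand_prefix(text):
    """Expand '128/1' to 128.0.0.0/1 by padding missing octets with zeros (assumed short form)."""
    addr, plen = text.split("/")
    octets = addr.split(".") + ["0"] * (4 - addr.count(".") - 1)
    return ipaddress.ip_network(".".join(octets) + "/" + plen, strict=False)

def parse_acl(text):
    """Return [(network, action)] from ':action' headers followed by one prefix per line."""
    action, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            action = line[1:]
        else:
            entries.append((expand_prefix(line), action))
    return entries

def lookup(entries, ip):
    """Longest-prefix match (assumed semantics); None when no entry covers ip."""
    ip = ipaddress.ip_address(ip)
    best = None
    for net, action in entries:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    return best[1] if best else None

def covers_everything(entries):
    """True when the prefixes jointly cover 0.0.0.0/0, i.e. form a real default."""
    nets = sorted((n for n, _ in entries), key=lambda n: int(n.network_address))
    need = 0  # lowest address not yet covered
    for n in nets:
        if int(n.network_address) > need:
            return False  # gap before this prefix: not a catch-all
        need = max(need, int(n.broadcast_address) + 1)
    return need >= 2**32
```

Run `covers_everything(parse_acl(ACL_TEXT))` against a candidate ACL before deploying it; a single `/1` or any other partial list returns False, which is exactly the gap a failed packet filter would expose.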