[rbldnsd] "default refuse" ACL in rbldnsd 0.996

Anders Henke anders at schlund.de
Fri Jul 7 18:35:35 MSD 2006 

Am 06.07.2006 schrieb Michael Tokarev:
> > However, I think it's worth adding "real" 0/0-support to ACLs (or at
> > least document how to create a "default" ACL).
> 
> Yup, you're right.  I'll add something into the manpage ;)
> 
> Or maybe it's simpler to recognize some special keyword
> here, like
> 
>  default refuse
>  1.2.3.0/24 pass
>  ...
> 
> ?

Well, both ways would be great.

> Sure it's better to allow things like "0/0 whatever".  But
> with explicit default entry the resulting ACL tree will be
> neater internally as well...

Well, of course you can internally map from "0/0 whatever" to 
"default whatever" before letting 0/0 run through the parser.
Then we'd have both ways done with a single solution.

> Well, an ability to specify default access level is definitely needed,
> there's no question here.

Sorry, I don't know you personally and who's on the list, so I didn't know 
wether I have to go through argumenting every single bit every time (I've been
spending too much time on clueless maintainers recently).
It's good to know that you're very reasonable and know what to watch out for.

> > This is commonly used as additional security against e.g. a failing packet filter.
> > You configure every allowed network as "pass" and refuse "the rest of the world".
> > If the packet filter fails, the bad guys still won't have access to your service.
> 
> Hmm.  I'd strongly suggest to use "ignore" instead of "refuse" here.
> "refuse" means rbldnsd will actually send replies to every incoming packet,
> telling that it refuses to answer.  While "ignore" means it will pretend
> there was no packet received at all.  Makes huge difference, especially
> when you're under attack (being DDoSed with packets coming from random
> fake source addresses).

I'm currently working on purely internal rbldnsd-servers, so that didn't yet 
came to my mind, but the point is also a very good one to mention in the docs 
or the man page.


Anders
-- 
Schlund + Partner AG              Systemadministration
Brauerstrasse 48                  v://49.721.91374.50
D-76135 Karlsruhe                 f://49.721.91374.225

More information about the rbldnsd mailing list