
Re: loading huge number of rules in iptables (blocklist)



On Wed, Mar 21, 2007 at 01:36:17PM -0400, H.S. wrote:
> Andrew Sackville-West wrote:
> 
> >
> >Nice to know that the connection is holding up, but there's got to be
> >a better way to do this. I'm not really up on iptables, but surely
> >there is some better way to distinguish the traffic to allow or not?
> >Maybe even just some judicious grepping of the rule set for partial
> >matches that could be lumped together? 
> >
> >It seems that you're operating on a default allow scenario with a bunch
> >of rules to delineate the deny situations. Maybe you could go the
> >other way? default deny with a limited number of rules of what to
> >allow? 
> 
> I am already working with default deny. The IP ranges in the list 
> provided by peerguarding need to be blocked -- so any traffic (not only 
> NEW) from or to those IP ranges is to be blocked. So either I block them 
> all, or I allow all the rest. In either case, I see a huge bunch of 
> rules being put in iptables (and I don't have an IP range list for the 
> latter choice). Or am I missing something?

I'm sorry, but what exactly is the purpose here? I did a little poking
around and it looks like just a massive list of IPs to block, but for
what purpose? 

I'm not trying to say that this is not the right solution for whatever
your problem is, but it certainly seems very brute force. Hence my
questions. 

A
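
The "lumping together" idea from the quoted text above, as an added example that is not part of the original thread: overlapping and adjacent blocklist ranges are merged and covered with the fewest CIDR blocks before any rule is generated, with one rule per direction since traffic "from or to" the ranges is to be blocked. The `label:first-last` line format, the sample addresses (constructed, from documentation ranges) and the function names are assumptions.

```python
import ipaddress

# Constructed sample in an assumed "label:first-last" format; the addresses
# are documentation ranges, not entries from any real blocklist.
SAMPLE = """\
example-a:192.0.2.0-192.0.2.127
example-b:192.0.2.128-192.0.2.255
example-c:198.51.100.0-198.51.100.255
example-d:198.51.100.64-198.51.100.95
example-e:203.0.113.5-203.0.113.10
"""

def parse_ranges(text):
    """Yield (first, last) IPv4Address pairs, skipping blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        span = line.rsplit(":", 1)[-1]
        first, last = (ipaddress.IPv4Address(p.strip()) for p in span.split("-"))
        if first > last:
            raise ValueError(f"inverted range: {line}")
        yield first, last

def lump(ranges):
    """Merge overlapping/adjacent ranges, then cover each with minimal CIDRs."""
    merged = []
    for first, last in sorted(ranges):
        if merged and int(first) <= int(merged[-1][1]) + 1:
            merged[-1][1] = max(merged[-1][1], last)
        else:
            merged.append([first, last])
    nets = []
    for first, last in merged:
        nets.extend(ipaddress.summarize_address_range(first, last))
    return nets

def drop_rules(nets):
    """Two rules per block: traffic from it (INPUT) and traffic to it (OUTPUT)."""
    rules = []
    for n in nets:
        rules.append(f"iptables -A INPUT -s {n} -j DROP")
        rules.append(f"iptables -A OUTPUT -d {n} -j DROP")
    return rules

if __name__ == "__main__":
    nets = lump(parse_ranges(SAMPLE))
    print(len(SAMPLE.splitlines()), "ranges ->", len(nets), "CIDR blocks")
    print("\n".join(drop_rules(nets)))
```

A range that does not fall on a power-of-two boundary still expands to several blocks, so how much the rule count shrinks depends on how much of the list overlaps or is contiguous.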
