How to allow IP range?
Alan
Guest Group
Posted: 06 June 2003 at 12:54pm
What format does an IP range or subnet need to take in the Excluded IP whitelist? I want to include Excluded Domains for certain domains we want unfiltered, but often these domain names are spoofed by spammers, so I would like to exclude them by IP address range instead.
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104
Alan,
A simple DOS-like wildcard entry will do the job. For example, to exclude the Class C 1.2.3.1-1.2.3.255 just add:
1.2.3.*
so any IP starting with 1.2.3. will trigger a match.
Roberto Franceschetti
Alan
Guest Group
But I only want a specific range of addressing. For instance, how would I enter a range like xxx.yyy.13.121 to xxx.yyy.13.126?
LogSat
Admin Group Joined: 25 January 2005 Location: United States Status: Offline Points: 4104
The domain/IP whitelist is treated as a string, so only string-type wildcards are allowed. It is not possible to enter IP ranges. This was by design, as it's rather unusual having to allow specific IPs but not adjacent ones in the same subnet, and designing the functionality as we did optimized our lookups a little bit.
Roberto F.
George
Guest Group
This is something that could be done at the router with the access control list. You would have better control. The only drawback is any messages that come from the blocked IPs would not be quarantined since the connection would not be allowed past the router. If you don't have access to the router you would have to have your provider do it for you.
Desperado
Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143
George,
Most, if not all, backbone providers have a policy that won't allow them to block SOURCE addresses, only DESTINATION addresses. This is to prevent possible liability suits. This is even true in the case of a DOS attack. The provider will prevent ANY traffic to the IP or IPs on YOUR network. They also tend to schedule a "release" of the block. I know of no providers that will actually block an IP just for port 25. It would be too "costly" for them due to the large number of customers. I think your first choice of putting a block in HIS router is the correct answer and if the address is actually being spoofed, the block may not work anyway. We try to keep ACLs at a minimum on all our routers due to the high overhead. Prefix lists are somewhat easier to manage but still, I think the block should be at the SMTP server itself. The only other answer is to hunt down and seriously wound any and all Spammers and hackers. I get tired of fighting jerks all the time. That's another discussion.
Dan S.
George
Guest Group
Hmmm,
Alan
Guest Group
George, I am not trying to block IP ranges, I am looking at a way to allow certain IP ranges to bypass filtering. Right now it appears the only way is to manually enter all the IPs in the IP range.
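Added example, not part of the thread and not LogSat's code: because the whitelist only takes string wildcards, this Python sketch lists the extra addresses a wildcard would admit and generates the exact per-address entries for a small range. The 192.0.2.x addresses are constructed stand-ins for the elided xxx.yyy.13.121-126, and `fnmatch` is an assumed approximation of the product's DOS-like matching.

```python
import fnmatch
import ipaddress


def expand_range(first, last):
    """Return every address from first to last (inclusive) as one whitelist entry each."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("first address is above last address")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(lo), int(hi) + 1)]


def overmatch(pattern, first, last):
    """Addresses in the surrounding /24 that the string wildcard accepts
    although they lie outside the intended range."""
    wanted = set(expand_range(first, last))
    net = ipaddress.ip_network(first + "/24", strict=False)
    return [str(a) for a in net
            if fnmatch.fnmatchcase(str(a), pattern) and str(a) not in wanted]


def cidr_blocks(first, last):
    """Smallest set of CIDR prefixes covering exactly the range,
    for devices that accept prefixes (router ACLs, prefix lists)."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [str(b) for b in blocks]


if __name__ == "__main__":
    FIRST, LAST = "192.0.2.121", "192.0.2.126"  # constructed sample range

    # A string wildcard is a prefix match, not a numeric range.
    for pattern in ("192.0.2.12*", "192.0.2.*"):
        extra = overmatch(pattern, FIRST, LAST)
        print(f"{pattern}: {len(extra)} unintended addresses bypass filtering")

    print("Exact entries to paste into the whitelist:")
    for entry in expand_range(FIRST, LAST):
        print(" ", entry)

    print("Same range as prefixes:", ", ".join(cidr_blocks(FIRST, LAST)))
```
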