[Devel] Re: [Users] NEW FEATURE: IP blacklists

Bogdan-Andrei Iancu bogdan at voice-system.ro
Tue Apr 3 10:22:34 CEST 2007


Hi Ovidiu,

makes sense :) I will have it on my todo list for 1.3

thanks and regards,
bogdan

Ovidiu Sas wrote:
> yeah ... I already did that :)
> but since you were asking for suggestions ...
>
>
> Regards,
> Ovidiu Sas
>
> On 2/14/07, Bogdan-Andrei Iancu <bogdan at voice-system.ro> wrote:
>> Hi Ovidiu,
>>
>> yes, it will help, I agree, but you could just disable it :
>>
>> http://openser.org/dokuwiki/doku.php/core-cookbook:devel#disable_dns_blacklist 
>>
>>
>> Regards,
>> Bogdan
>>
>> Ovidiu Sas wrote:
>> > Hi Bogdan,
>> >
>> > Maybe a fifo command for removing a dns blacklist will help ...
>> > Right now, if I don't want to wait 4 min., I need to restart the
>> > server if I want to get rid of a dns blacklist.
>> >
>> >
>> > Regards,
>> > Ovidiu Sas
>> >
>> > On 1/30/07, Bogdan-Andrei Iancu <bogdan at voice-system.ro> wrote:
>> >> Hi everybody,
>> >>
>> >> OpenSER 1.2.0 has a new feature - IP Blacklist support. This is a low
>> >> level filtering engine for the outgoing requests; low level, because the
>> >> filtering is done based on IP, protocol, port, etc.
>> >> Its primary purposes will be to prevent sending requests to critical IPs
>> >> (like GWs) due to DNS or to avoid sending to destinations that are known to
>> >> be unavailable (temporary or permanent).
>> >>
>> >> Because of flexibility concerns, the filtering rules can be grouped
>> >> inside multiple lists.
>> >>
>> >> A rule:
>> >>   - matches based on IP/mask, proto, port and text pattern criteria
>> >>   - can be applied in reverse
>> >>
>> >> A list:
>> >>   - can be read-only - it does not change during execution
>> >>   - has a timeout per element - elements expire after a configured
>> >> timeout.
>> >>
>> >>
>> >> How to use:
>> >> ===========
>> >>
>> >> currently there are 2 ways of using the blacklists:
>> >>
>> >> 1) statically defining lists in the configuration file and selecting
>> >> which ones should be used for each request.
>> >>
>> >> You can define blacklists as follows:
>> >>     # filter out requests going to ips of my gws
>> >>     dst_blacklist = gw:{( tcp , 192.168.2.100 , 5060 , "" ),( any , 192.168.2.101 , 0 , "" )}
>> >>     # block requests going to "evil" networks
>> >>     dst_blacklist = net_filter:{ ( any , 192.168.1.100/255.255.255.0 , 0 , "" )}
>> >>     # block message requests with nasty words
>> >>     dst_blacklist = msg_filter:{ ( any , 192.168.20.0/255.255.255.0 , 0 , "MESSAGE*ugly_word" )}
>> >>     # block requests not going to a specific subnet
>> >>     dst_blacklist = net_filter2:{ !( any , 192.168.30.0/255.255.255.0 , 0 , "" )}
>> >>
>> >> a rule is defined by:
>> >>     protocol : TCP, UDP, TLS or "any" for anything
>> >>     port : number or 0 for any
>> >>     ip/mask
>> >>     test pattern - is a filename-like matching (see "man 3 fnmatch")
>> >> applied on the outgoing request buffer (first_line+hdrs+body)
>> >>
>> >> From the routing script, you can use the use_blacklist("name") function
>> >> to select which blacklist is applied for the current request. More than
>> >> one list can be selected.
>> >>
>> >> If the destination address matches one of the selected rules, the send
>> >> will fail.
>> >>
>> >>
>> >> 2) via DNS
>> >>
>> >> The DNS resolver, when configured with failover, can automatically store
>> >> the failed destinations in a temporary blacklist. This will prevent (for
>> >> a limited period of time) openser from sending requests to destinations
>> >> known as failed.
>> >> So, the blacklist can be used as a memory for the DNS resolver.
>> >>
>> >> To use it, you have to enable it - the rest is done automatically.
>> >>     disable_dns_blacklist = no
>> >>
>> >> By default it is enabled. The temporary blacklist created by the DNS
>> >> resolver is named "dns" and it is by default selected for usage (no need
>> >> to use the use_blacklist() function). The rules from this list have a
>> >> lifetime of 4 minutes - you can change it at compile time, from
>> >> blacklists.h .
>> >>
>> >>
>> >>
>> >> To give you an internal snapshot, a new MI function - "list_blacklists"
>> >> - was added to print all existent blacklists and their rules.
>> >>
>> >>
>> >> Any suggestions/reports are welcome!
>> >>
>> >> regards,
>> >> bogdan
>> >>
>> >> _______________________________________________
>> >> Users mailing list
>> >> Users at openser.org
>> >> http://openser.org/cgi-bin/mailman/listinfo/users
>> >>
>> >
>>
>>
>
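As an added example (not OpenSER's own code), here is a small Python model of the dst_blacklist rule semantics described in the announcement above: a rule matches on protocol, IP/mask, port and an fnmatch(3)-style pattern over the outgoing buffer, a leading "!" reverses it, and the send is refused when any rule of a selected list matches. The rule-parsing regex, treating an empty pattern as "no text criterion", and first-matching-list-wins ordering are assumptions made here, not taken from the implementation.

```python
import fnmatch
import ipaddress
import re

# One rule: optional "!" for a reversed rule, then ( proto , ip[/mask] , port , "pattern" ).
RULE_RE = re.compile(r'(!?)\(\s*(\w+)\s*,\s*([^,\s]+)\s*,\s*(\d+)\s*,\s*"([^"]*)"\s*\)')

def parse_blacklist(definition):
    """Parse 'name:{ rule, rule, ... }' (the dst_blacklist syntax quoted in the mail)."""
    name, _, body = definition.partition(":")
    rules = []
    for neg, proto, net, port, pattern in RULE_RE.findall(body):
        rules.append({
            "negated": neg == "!",
            "proto": proto.lower(),
            # strict=False accepts plain hosts and dotted masks such as 192.168.1.100/255.255.255.0
            "net": ipaddress.ip_network(net, strict=False),
            "port": int(port),
            "pattern": pattern,
        })
    return name.strip(), rules

def rule_matches(rule, proto, ip, port, buf):
    """All criteria must hold; an empty pattern imposes no text criterion (assumption)."""
    hit = ((rule["proto"] == "any" or rule["proto"] == proto.lower())
           and ipaddress.ip_address(ip) in rule["net"]
           and (rule["port"] == 0 or rule["port"] == port)
           # As with fnmatch(3), the pattern must match the whole buffer, so a pattern
           # without a trailing "*" only hits when the buffer ends with its last token.
           and (rule["pattern"] == "" or fnmatch.fnmatchcase(buf, rule["pattern"])))
    return not hit if rule["negated"] else hit

def send_blocked(selected_lists, proto, ip, port, buf):
    """Name of the first selected list with a matching rule, or None if the send may go out."""
    for name, rules in selected_lists:
        if any(rule_matches(r, proto, ip, port, buf) for r in rules):
            return name
    return None

# Constructed sample lists, written in the announcement's syntax.
BLACKLISTS = [parse_blacklist(d) for d in (
    'gw:{( tcp , 192.168.2.100 , 5060 , "" ),( any , 192.168.2.101 , 0 , "" )}',
    'net_filter:{ ( any , 192.168.1.100/255.255.255.0 , 0 , "" )}',
    'msg_filter:{ ( any , 192.168.20.0/255.255.255.0 , 0 , "MESSAGE*ugly_word" )}',
    'net_filter2:{ !( any , 192.168.30.0/255.255.255.0 , 0 , "" )}',
)]
```

Selecting a list corresponds to use_blacklist("name") in the routing script; pass only the lists selected for the current request to send_blocked().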