[Devel] Re: [Users] NEW FEATURE: IP blacklists

Ovidiu Sas sip.nslu at gmail.com
Wed Feb 14 18:59:00 CET 2007


yeah ... I aready did that :)
but since you were asking for suggestions ...


Regards,
Ovidiu Sas

On 2/14/07, Bogdan-Andrei Iancu <bogdan at voice-system.ro> wrote:
> Hi Ovidiu,
>
> yes, it will help, I agree, but you could just disable it :
>
> http://openser.org/dokuwiki/doku.php/core-cookbook:devel#disable_dns_blacklist
>
> Regards,
> Bogdan
>
> Ovidiu Sas wrote:
> > Hi Bogdan,
> >
> > Maybe a fifo command for removing a dns blacklist will help ...
> > Right now, if I don't want to wait 4 min., I need to restart the
> > server if I want to get rid of a dns blacklist.
> >
> >
> > Regards,
> > Ovidiu Sas
> >
> > On 1/30/07, Bogdan-Andrei Iancu <bogdan at voice-system.ro> wrote:
> >> Hi everybody,
> >>
> >> OpenSER 1.2.0 has new feature - IP Blacklist support. This is a low
> >> level filtering engine for the outgoing requests; low level, because the
> >> filtering is done based on IP, protocol, port, etc.
> >> Its primary purposes will be to prevent sending requests to critical IPs
> >> (like GWs) due DNS or to avoid sending to destinations that are known to
> >> be unavailable (temporary or permanent).
> >>
> >> Because of flexibility concerns, the filtering rules can be groups
> >> inside multiple lists.
> >>
> >> A rule:
> >>   - matches based on IP/mask, proto, port and text pattern criteria
> >>   - can be reversed applied
> >>
> >> A list:
> >>   - can be read-only - it does not change during execution
> >>   - have timeout per elements - elements expires after a configured
> >> timeout.
> >>
> >>
> >> How to use:
> >> ===========
> >>
> >> currently there are 2 ways of using the blacklists:
> >>
> >> 1) statically defining list in the configuration file and selecting
> >> which ones should be used for each request.
> >>
> >> You can define blacklists as follow:
> >>     # filter out requests going to ips of my gws
> >>     dst_blacklist = gw:{( tcp , 192.168.2.100 , 5060 , "" ),( any ,
> >> 192.168.2.101 , 0 , "" )}
> >>     # block requests going to "evil" networks
> >>     dst_blacklist = net_filter:{ ( any , 192.168.1.100/255.255.255.0 , 0
> >> , "" )}
> >>     # block message requests with nasty words
> >>     dst_blacklist = msg_filter:{ ( any , 192.168.20.0/255.255.255.0 , 0
> >> , "MESSAGE*ugly_word" )}
> >>     # block requests not going to a specific subnet
> >>     dst_blacklist = net_filter2:{ !( any , 192.168.30.0/255.255.255.0 ,
> >> 0 , "" )}
> >>
> >> a rule is defined by:
> >>     protocol : TCP, UDP, TLS or "any" for anything
> >>     port : number or 0 for any
> >>     ip/mask
> >>     test patter - is a filename like matching (see  "man 3 fnmatch")
> >> applied on the outgoing request buffer (first_line+hdrs+body)
> >>
> >>  From routing script, you can use the use_blacklist("name") function to
> >> select what blacklist to be applied for the current request. More than
> >> one list can be selected.
> >>
> >> If the destination address matches on of the selected rules, the send
> >> will fail.
> >>
> >>
> >> 2) via DNS
> >>
> >> The DNS resolver, when configured with failover, can automatically store
> >> in a temporary blacklist the failed destinations. This will prevent (for
> >> a limited period of time) openser to send requests to destination known
> >> as failed.
> >> So, the blacklist can be used as a memory for the DNS resolver.
> >>
> >> To use it, you have to enabled it - the rest is done automatically.
> >>     disable_dns_blacklist = no
> >>
> >> By default is enabled. The temporary blacklist created by DNS resolver
> >> is named "dns" and it is by default selected for usage (no need use the
> >> use_blacklist() function. The rules from this list have a life time of 4
> >> minutes - you can change it at compile time, from blacklists.h .
> >>
> >>
> >>
> >> To give you an internal snapshot, a new MI function - "list_blacklists"
> >> - was added to print all existent blacklists and their rules.
> >>
> >>
> >> Any suggestions/reports are welcome!
> >>
> >> regards,
> >> bogdan
> >>
> >> _______________________________________________
> >> Users mailing list
> >> Users at openser.org
> >> http://openser.org/cgi-bin/mailman/listinfo/users
> >>
> >
>
>



More information about the Devel mailing list