[Users] NEW FEATURE: IP blacklists

Bogdan-Andrei Iancu bogdan at voice-system.ro
Tue Jan 30 18:12:07 CET 2007


Hi everybody,

OpenSER 1.2.0 has a new feature - IP Blacklist support. This is a low 
level filtering engine for outgoing requests; low level, because the 
filtering is done based on IP, protocol, port, etc.
Its primary purposes are to prevent requests from being sent to critical IPs 
(like GWs) as a result of DNS resolution, and to avoid sending to destinations 
that are known to be unavailable (temporarily or permanently).

For flexibility, the filtering rules can be grouped into multiple lists.

A rule:
  - matches based on IP/mask, proto, port and text pattern criteria
  - can be applied reversed (negated), matching when the criteria do not hold

A list:
  - can be read-only - it does not change during execution
  - can have a timeout per element - elements expire after a configured timeout.


How to use:
===========

Currently there are 2 ways of using the blacklists:

1) statically defining lists in the configuration file and selecting 
which ones should be used for each request.

You can define blacklists as follows:
    # filter out requests going to ips of my gws
    dst_blacklist = gw:{( tcp , 192.168.2.100 , 5060 , "" ),( any , 192.168.2.101 , 0 , "" )}
    # block requests going to "evil" networks
    dst_blacklist = net_filter:{ ( any , 192.168.1.100/255.255.255.0 , 0 , "" )}
    # block message requests with nasty words
    dst_blacklist = msg_filter:{ ( any , 192.168.20.0/255.255.255.0 , 0 , "MESSAGE*ugly_word" )}
    # block requests not going to a specific subnet
    dst_blacklist = net_filter2:{ !( any , 192.168.30.0/255.255.255.0 , 0 , "" )}

A rule is defined by:
    protocol : TCP, UDP, TLS or "any" for anything
    port : number or 0 for any
    ip/mask
    text pattern : filename-like (glob) matching (see "man 3 fnmatch") 
applied on the outgoing request buffer (first_line+hdrs+body)

From the routing script, you can use the use_blacklist("name") function to 
select which blacklist to apply for the current request. More than 
one list can be selected.

If the destination address matches one of the selected rules, the send 
will fail.


2) via DNS

The DNS resolver, when configured with failover, can automatically store 
the failed destinations in a temporary blacklist. This prevents (for 
a limited period of time) OpenSER from sending requests to destinations 
known to have failed.
So, the blacklist can be used as a memory for the DNS resolver.

To use it, you only have to enable it - the rest is done automatically.
    disable_dns_blacklist = no

It is enabled by default. The temporary blacklist created by the DNS resolver 
is named "dns" and it is selected by default (no need to use the 
use_blacklist() function). The rules from this list have a life time of 4 
minutes - you can change it at compile time, from blacklists.h .
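To make the rule semantics concrete, here is an added example (my own code, not part of OpenSER or this announcement) that parses the dst_blacklist syntax shown above, evaluates a destination against the selected lists the way use_blacklist() selection is described, and models the temporary "dns" list with per-element expiry. The Rule and Blacklists classes, the config lines, the request buffers and the 10.0.0.5 gateway are constructed for the demo. One caveat: fnmatch(3) has to match the whole buffer, so the pattern is written "MESSAGE*ugly_word*" here to catch the word anywhere after the request line.

```python
import fnmatch
import ipaddress
import re
import time

# Rule syntax modelled on the announcement:
#   dst_blacklist = name:{ ( proto , ip[/mask] , port , "pattern" ), !( ... ) }
LIST_RE = re.compile(r'dst_blacklist\s*=\s*(?P<name>\w+)\s*:\s*\{(?P<body>.*)\}\s*$')
RULE_RE = re.compile(
    r'(?P<neg>!?)\(\s*(?P<proto>\w+)\s*,\s*(?P<ip>[\d.]+)(?:/(?P<mask>[\d.]+))?'
    r'\s*,\s*(?P<port>\d+)\s*,\s*"(?P<pat>[^"]*)"\s*\)')

# The "dns" list is applied to every request without a use_blacklist() call.
ALWAYS_SELECTED = ("dns",)


class Rule:
    """One element: proto / network / port / fnmatch pattern, optionally negated."""

    def __init__(self, proto, network, port, pattern, negated=False, expires=None):
        self.proto = proto.lower()      # "tcp", "udp", "tls" or "any"
        self.network = network          # ipaddress.IPv4Network
        self.port = port                # 0 means any port
        self.pattern = pattern          # "" means no text test
        self.negated = negated          # "!" rule: matches when the criteria do NOT hold
        self.expires = expires          # absolute time for temporary elements, None if static

    def matches(self, proto, ip, port, buf):
        hit = (self.proto in ("any", proto.lower())
               and ipaddress.ip_address(ip) in self.network
               and self.port in (0, port)
               # fnmatch matches the whole buffer (first line + hdrs + body)
               and (self.pattern == "" or fnmatch.fnmatchcase(buf, self.pattern)))
        return (not hit) if self.negated else hit


class Blacklists:
    def __init__(self):
        self.lists = {}   # name -> [Rule, ...]

    def define(self, cfg_line):
        """Parse one static dst_blacklist line; returns the number of rules read."""
        m = LIST_RE.match(cfg_line.strip())
        if not m:
            raise ValueError("not a dst_blacklist line: %r" % cfg_line)
        rules = []
        for r in RULE_RE.finditer(m.group("body")):
            net = ipaddress.ip_network("%s/%s" % (r.group("ip"), r.group("mask") or "32"),
                                       strict=False)
            rules.append(Rule(r.group("proto"), net, int(r.group("port")),
                              r.group("pat"), negated=(r.group("neg") == "!")))
        self.lists[m.group("name")] = rules
        return len(rules)

    def add_temporary(self, name, proto, ip, port, ttl, now=None):
        """Store a failed destination as the DNS resolver would, with a life time in seconds."""
        now = time.time() if now is None else now
        net = ipaddress.ip_network(ip + "/32")
        self.lists.setdefault(name, []).append(Rule(proto, net, port, "", expires=now + ttl))

    def is_blocked(self, selected, proto, ip, port, buf, now=None):
        """True if the destination matches a rule in any selected (or always-selected) list."""
        now = time.time() if now is None else now
        for name in set(selected) | set(ALWAYS_SELECTED):
            live = [r for r in self.lists.get(name, []) if r.expires is None or r.expires > now]
            self.lists[name] = live          # expired elements are dropped here
            if any(r.matches(proto, ip, port, buf) for r in live):
                return True
        return False


# Constructed config: the announcement's lists, msg_filter pattern given a trailing "*".
CONFIG = [
    'dst_blacklist = gw:{( tcp , 192.168.2.100 , 5060 , "" ),( any , 192.168.2.101 , 0 , "" )}',
    'dst_blacklist = net_filter:{ ( any , 192.168.1.100/255.255.255.0 , 0 , "" )}',
    'dst_blacklist = msg_filter:{ ( any , 192.168.20.0/255.255.255.0 , 0 , "MESSAGE*ugly_word*" )}',
    'dst_blacklist = net_filter2:{ !( any , 192.168.30.0/255.255.255.0 , 0 , "" )}',
]
# Constructed outgoing request buffers.
MSG_UGLY = "MESSAGE sip:bob@example.com SIP/2.0\r\nContent-Length: 14\r\n\r\nhello ugly_word"
INVITE = "INVITE sip:bob@example.com SIP/2.0\r\nContent-Length: 0\r\n\r\n"


def demo(now=1000.0):
    bl = Blacklists()
    for line in CONFIG:
        bl.define(line)
    # a failed gateway remembered by the resolver for the 4 minute default life time
    bl.add_temporary("dns", "udp", "10.0.0.5", 5060, ttl=240, now=now)
    return {
        "gw_tcp": bl.is_blocked(["gw"], "tcp", "192.168.2.100", 5060, INVITE, now),
        "gw_udp": bl.is_blocked(["gw"], "udp", "192.168.2.100", 5060, INVITE, now),
        "gw_any_port": bl.is_blocked(["gw"], "udp", "192.168.2.101", 5080, INVITE, now),
        "net_in": bl.is_blocked(["net_filter"], "udp", "192.168.1.7", 5060, INVITE, now),
        "net_out": bl.is_blocked(["net_filter"], "udp", "192.168.5.7", 5060, INVITE, now),
        "msg_ugly": bl.is_blocked(["msg_filter"], "udp", "192.168.20.9", 5060, MSG_UGLY, now),
        "msg_clean": bl.is_blocked(["msg_filter"], "udp", "192.168.20.9", 5060, INVITE, now),
        "neg_in": bl.is_blocked(["net_filter2"], "udp", "192.168.30.5", 5060, INVITE, now),
        "neg_out": bl.is_blocked(["net_filter2"], "udp", "192.168.31.5", 5060, INVITE, now),
        "two_lists": bl.is_blocked(["gw", "net_filter"], "udp", "192.168.1.7", 5060, INVITE, now),
        "dns_fresh": bl.is_blocked([], "udp", "10.0.0.5", 5060, INVITE, now + 100),
        "dns_expired": bl.is_blocked([], "udp", "10.0.0.5", 5060, INVITE, now + 300),
    }


if __name__ == "__main__":
    for name, blocked in demo().items():
        print("%-12s %s" % (name, "send fails" if blocked else "send ok"))
```

The negated net_filter2 rule is the one to read twice: a destination inside 192.168.30.0/24 is allowed and everything else is blocked, which is the "block requests not going to a specific subnet" case above. The dns entries show the other half of the design: the resolver's memory is per element, so an entry disappears on its own once its life time passes and the destination is retried.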



To give you an internal snapshot, a new MI function - "list_blacklists" 
- was added to print all existing blacklists and their rules.


Any suggestions/reports are welcome!

regards,
bogdan



