Resolved
I have thought for some time that country blocking for IPv4 could be a security boon. You could literally nip probably at least 50% of the garbage out there in the bud by just straight up dropping traffic from countries you know have no business communicating with you at an IP level. And because you could stop even initial scans and fact-finding bots, you would stop deeper scans that would end up being more targeted for your network. So the effect is exponential.

Of course the subnet lists are out there, but the obvious issues are twofold. Generally speaking, few of the tens of thousands of subnets some of the countries have are contiguous. The second issue is based on the first. Without what would be weeks of summarizing subnets, your subnet list is so large you would choke to death anything but a large hardware-based firewall. Even if you subnet (I think I did a few of the smaller countries) the list is still too large.

I tried reverse psychology on the issue once and thought maybe allowing only the US would be far easier and shorter. I was quickly surprised to find that the US by far has more subnets, so doing that was just as bad or worse.

I did give it a shot once with ClearOS and tried blocking Russia or China (forget which) and the 16,000 lines of additional iptables rules torched my install so bad I ended up rebuilding it. As soon as iptables loaded it would torch itself.

My very long-winded point is that if ClearOS could add an option where, let's say, you could select from a prebuilt list of the most common countries to selectively block or allow, you would REALLY have something on your hands. The problem in my mind to get past is I cannot see iptables handling that sort of load even on a high-powered machine/server under normal circumstances. A different method would have to be devised in my opinion, but you guys would know better than me. I just would love to have the functionality.

Just some food for thought.

Thanks,
Donnie
Sunday, February 24 2013, 03:30 AM
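The two problems raised in the post (summarizing thousands of subnets by hand, and iptables choking on one rule per subnet) are what `ipaddress.collapse_addresses` and ipset are for. The script below is an added example, not code from the poster or from ClearOS: it collapses a constructed, non-real CIDR list into the minimal set of supernets and emits one `hash:net` set plus a single iptables rule, so the kernel does one set lookup per packet however many entries the set holds. The set name `blocked_country` and the sample networks are assumptions; the commands are only printed, never applied.

```python
# Added example (not from the post or ClearOS): collapse a per-country CIDR list
# into the minimal set of supernets, then emit one ipset plus a single iptables
# rule instead of thousands of rules. Commands are generated as text only;
# nothing touches the running firewall. IPv4 lists only (collapse_addresses
# refuses to mix v4 and v6; a v6 set would need "family inet6").
import ipaddress

# Constructed sample in the common zone-file style (one CIDR per line, '#' comments).
# These are documentation ranges, not a real country allocation.
SAMPLE_ZONE = """\
# constructed example, not a real allocation
192.0.2.0/25
192.0.2.128/25
198.51.100.0/24
198.51.100.0/26
203.0.113.0/24
203.0.113.0/25
"""

def parse_zone(text):
    """Parse a CIDR-per-line zone file, skipping blank lines and comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def collapse(nets):
    """Merge adjacent and overlapping networks into the smallest equivalent list."""
    return list(ipaddress.collapse_addresses(nets))

def ipset_commands(name, nets, chain="INPUT", maxelem=131072):
    """Emit shell commands: one hash:net set (sized above the 65536 default)
    and one rule that drops any source matching the set."""
    cmds = [f"ipset create {name} hash:net maxelem {maxelem}"]
    cmds += [f"ipset add {name} {n.with_prefixlen}" for n in nets]
    # Single rule: one set lookup per packet regardless of entry count.
    cmds.append(f"iptables -I {chain} -m set --match-set {name} src -j DROP")
    return cmds

if __name__ == "__main__":
    before = parse_zone(SAMPLE_ZONE)
    after = collapse(before)
    print(f"{len(before)} networks collapsed to {len(after)}")
    print("\n".join(ipset_commands("blocked_country", after)))
```

For a real list of tens of thousands of entries, feed the `create`/`add` lines to `ipset restore` in one batch rather than running `ipset add` per entry.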