Why you have hardware firewalls

If you have a firewall and not just a router, you can actually start blocking IP Ranges of countries that you don't need to allow inbound to your network - I block a large list of them, and it cuts down on a LOT of that type of thing, it also stops them from being able to access public services I offer to clients. Being from the USA, and not providing services to many foreign countries, here's the list I'm blocking:

12.144.182.0/24 12.45.203.0/24 12.98.139.0/24 155.48.106.0/24 168.126.0.0/16 172.184.111.203
193.251.0.0/16 193.252.0.0/16 193.253.0.0/16 195.174.0.0/16 195.175.16.0/20 195.58.124.0/24
200.30.203.0/24 202.88.186.0/24 203.152.22.0/24 205.251.79.0/24 210.173.37.0/24 210.201.153.0/24
210.71.115.0/24 211.54.40.0/25 212.150.124.0/24 212.18.57.0/24 212.202.178.0/24 212.27.32.0-212.27.63.255
212.64.192.0-212.64.203.255 212.64.223.160/29 212.64.223.168/29 212.9.7.0/24 213.13.26.0/24 213.144.176.0/24
213.190.213.0/24 213.228.7.0/24 213.228.8.0/24 216.184.97.0/24 216.76.35.0/24 217.118.224.0/24
217.118.225.0/24 217.118.239.0/24 217.160.110.0/24 218.164.28.0/24 218.252.74.0/24 218.67.128.0-218.69.255.255
218.69.108.0/24 218.69.148.0/24 218.76.98.0/24 219.212.4.0/24
Leythos

Yes, but the vast majority of inexpensive home user routers can only block a few IP, some can block IP Ranges, and some can't block anything from a list.

Mostly liberation and freedom from oppression from corrupt, genocidal, terrorist supporting, dictators :-)

Leythos

That can usually be done with many models of routers from various vendors.

What services do you provide for these foreign countries, bombing?

Wolfgang

Wolfgang Kueter

Your firewall program still has to process all those IP addresses in order to block them so you have gained nothing. A router firewall blocks them all before they get to your computer so no processing is necessary....

Woody

FWIW, I got tired of all the attempts at hacking my exposed web site and took the shotgun approach blocking all the RIPE and APNIC networks I could identify. Things got quiet real quick. Some are on your list (marked "*"). I think this is the complete list (at least it was 5 months ago). All blocks are Class A (x.x.x.x/8).

58.0.0.0 APNIC
59.0.0.0 APNIC
60.0.0.0 APNIC
61.0.0.0 APNIC
62.0.0.0 RIPE
80.0.0.0 RIPE
81.0.0.0 RIPE
82.0.0.0 RIPE
83.0.0.0 RIPE
84.0.0.0 RIPE
85.0.0.0 RIPE
86.0.0.0 RIPE
87.0.0.0 RIPE
88.0.0.0 RIPE
124.0.0.0 APNIC
125.0.0.0 APNIC
126.0.0.0 APNIC
193.0.0.0 RIPE *
194.0.0.0 RIPE
195.0.0.0 RIPE *
202.0.0.0 APNIC *
203.0.0.0 APNIC *
210.0.0.0 APNIC *
211.0.0.0 APNIC *
212.0.0.0 RIPE *
213.0.0.0 RIPE *
217.0.0.0 RIPE *
218.0.0.0 APNIC *
219.0.0.0 APNIC *
220.0.0.0 APNIC
221.0.0.0 APNIC
222.0.0.0 APNIC
MyndPhlyp

Thanks Leythos for that list, here is almost the same but I have put in my own too. Mostly from China and the Arabic countries.

Andersajja

12.45.203.0/24 12.98.139.0/24 12.144.182.0/24 12.219.238.0 - 12.219.239.255
59.104.0.0 - 59.105.255.255 61.78.0.0 - 61.85.255.255 61.129.112.0 - 61.129.112.255 61.185.0.0 - 61.185.255.255
80.191.45.0 - 80.191.45.255 81.215.0.0 - 81.215.255.255 84.10.0.0/16
155.48.106.0/24 168.126.0.0/16 172.184.111.203
193.251.0.0/16 193.252.0.0/16 193.253.0.0/16 195.170.192.0 - 195.170.223.255 195.174.0.0/16 195.175.16.0/20 195.58.124.0/24
200.30.203.0/24 200.193.64.75 201.243.103.0 - 201.243.103.255
202.88.186.0/24 202.131.224.0 - 202.131.255.255 203.152.22.0/24 205.251.79.0/24 207.44.194.25
210.12.231.128 - 210.12.231.255 210.71.115.0/24 210.173.37.0/24 210.201.153.0/24
211.54.40.0/25 211.75.128.0 - 211.75.255.255 211.206.0.0 - 211.211.255.255 211.172.0.0 - 211.199.255.255
212.18.57.0/24 212.150.124.0/24 212.202.178.0/24 212.27.32.0-212.27.63.255 212.64.192.0-212.64.203.255 212.64.223.160/29 212.64.223.168/29 212.9.7.0/24
213.13.26.0/24 213.85.151.0 - 213.85.151.255 213.144.176.0/24 213.171.54.0 - 213.171.55.255 213.190.213.0/24 213.228.7.0/24 213.228.8.0/24 213.241.0.0 - 213.241.127.255
216.184.97.0/24 216.76.35.0/24 217.35.103.77 217.67.187.108 - 217.67.187.111 217.118.224.0/24 217.118.225.0/24 217.118.239.0/24 217.160.110.0/24
218.67.128.0-218.69.255.255 218.69.108.0/24 218.69.148.0/24 218.76.98.0/24 218.78.0.0 - 218.83.255.255 218.111.0.0 - 218.111.255.255 218.164.28.0/24 218.252.74.0/24
219.212.4.0/24
anders

Great - thanks for the additional networks.

Leythos

I think you assumed too much - I have a WatchGuard Firebox that allows me to do a lot, including importing block lists, so they are blocked at the firewall border device.

One other thing - Many routers, as mentioned before, have limited ability to block IP's and some can't block ranges (x.x.x.x/24), some can't block IP/ranges at all.

In the case of a firewall application - you still gain a LOT - as the packets from those ranges are blocked at the computer, BEFORE they can interact with any services running on that computer. So, even a PFW with a block list, while not optimal, is still a very good thing - it means you can expose your personal web server and still block ALL services from those ranges.

If you only work with country XYZ based people, then blocking anyone outside that area acts as a great first method to lessen exposure.

Leythos


[compton ~/IP.ADDR/stats]$ wc -l [ALR]*
    444 AFRINIC
  10474 APNIC
  36074 ARIN
   1460 LACNIC
  14813 RIPE
  63265 total
[compton ~/IP.ADDR/stats]$

There are a few of them - and they are not limited to the blocks you show from the linked page. Note that 128 through 172, 188, 191, 192, 196 and 198 are listed as "Various Registries", which means possible world distribution. For an example, 134.0.0.0/8 has allocations from/for:

[compton ~/IP.ADDR/stats]$ grep '.. 134' [ALR]* | cut -d' ' -f1 | sort | uniq -c | column
      7 APNIC:AU        1 APNIC:KR      147 ARIN:US
      1 APNIC:CN        1 APNIC:TW        1 RIPE:DE
      1 APNIC:HK        8 ARIN:CA        66 RIPE:EU
      3 APNIC:JP        1 ARIN:PR
[compton ~/IP.ADDR/stats]$

Other /8s are similarly varied in content. Also, while ARIN is transferring non-North American allocations to the other RIRs, they still have a few out of region listings left.

[compton ~/IP.ADDR/stats]$ cut -d' ' -f1 < ARIN | sort -u | column
AG  BE  CH  ES  GD  IL  LB  NL  SE  VI
AT  BM  CZ  FI  HK  IT  LC  NO  SG
AU  BS  DE  FR  HU  JM  LU  PL  TR
BB  CA  DO  GB  IE  JP  MX  PR  US
[compton ~/IP.ADDR/stats]$

Actually, 124/7 and 126/8 were only allocated this past January, and only 126.0.0.0 has any allocations (all in Japan) so far. But you can shorten your list by using larger mask sizes - instead of 80/8, 81/8 ... 88/8, you can use 80/5 and so on. See RFC1878.

Old guy

Moe Trin
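Moe Trin's suggestion of collapsing 80/8 ... 88/8 into larger masks, and the mixed notations in the lists posted above (plain CIDR, bare hosts, and "start - end" ranges), can both be handled mechanically. The following is an added example and not code from anyone in this thread. SAMPLE_LIST is a constructed subset of the ranges posted above, and the iptables output is one arbitrary target syntax; the posters' WatchGuard and SonicWALL devices take their own import formats.

```python
import ipaddress
import re

# Constructed sample in the notations used in the posts above: CIDR,
# bare host, and "start-end" ranges (with or without spaces round the dash).
SAMPLE_LIST = """
80.0.0.0/8 81.0.0.0/8 82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 88.0.0.0/8
212.27.32.0-212.27.63.255 212.64.192.0 - 212.64.203.255
212.64.223.160/29 212.64.223.168/29
172.184.111.203
218.67.128.0-218.69.255.255 218.69.108.0/24 218.69.148.0/24
"""

RANGE_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)$")


def tokenize(text):
    """Split a pasted list into entries; 'a - b' ranges are glued to 'a-b'
    first so the dash never splits a range across two tokens."""
    return re.sub(r"\s*-\s*", "-", text).split()


def parse_entry(entry):
    """One entry -> list of IPv4Network. A start-end range becomes the minimal
    set of CIDRs covering it (e.g. 212.64.192.0-212.64.203.255 -> /21 + /22)."""
    m = RANGE_RE.match(entry)
    if m:
        start, end = (ipaddress.IPv4Address(g) for g in m.groups())
        if end < start:
            raise ValueError(f"range end precedes start: {entry}")
        return list(ipaddress.summarize_address_range(start, end))
    # strict=False tolerates host bits set in a sloppily written prefix;
    # a bare address becomes a /32
    return [ipaddress.IPv4Network(entry, strict=False)]


def aggregate(text):
    """Parse every entry and collapse overlaps and adjacent blocks into the
    smallest equivalent CIDR set, sorted by address (80/8..87/8 -> 80/5)."""
    nets = []
    for tok in tokenize(text):
        nets.extend(parse_entry(tok))
    return list(ipaddress.collapse_addresses(nets))


def covers(nets, ip):
    """Would the aggregated list drop a packet from this source address?"""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in n for n in nets)


def to_iptables(nets, chain="INPUT"):
    """Render as iptables rules (one possible target syntax; a Firebox or
    SonicWALL import file would look different)."""
    return [f"iptables -A {chain} -s {n.with_prefixlen} -j DROP" for n in nets]


if __name__ == "__main__":
    nets = aggregate(SAMPLE_LIST)
    print(f"{len(tokenize(SAMPLE_LIST))} entries -> {len(nets)} prefixes")
    for rule in to_iptables(nets):
        print(rule)
```

The 17 entries in the sample collapse to 9 prefixes: the nine /8s become 80.0.0.0/5 plus 88.0.0.0/8, the two adjacent /29s merge into a /28, and 218.69.108.0/24 and 218.69.148.0/24 disappear because 218.67.128.0-218.69.255.255 already covers them. Fewer rules also matters on the cheap routers mentioned earlier in the thread that can only hold a handful of entries.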

I have a hardware firewall on my line here and the firewall log for the last 24 hours shows just why it is needed.

Starting at about 8PM local time a Chinese IP address 61.172.249.201, belonging to Beijing Waei Software Development, has been sending spam packets to my IP address at approximately 2 minute intervals. From 8PM last night to 9AM this morning I received just under 400 packets with another 300 to 5PM tonight all directed at ports 1026 and 1027.

I don't know if this is a case of a spammer gone crazy or a form of a denial of service attack. Either way, the firewall is dropping the packets in the bit bucket so I am clear.

I sure am glad I shelled out the cash for the firewall.

Meanwhile, to help reduce network traffic I have sent a report to snipped-for-privacy@ccert.edu.cn and snipped-for-privacy@ccert.edu.cn to see if they can stop the attacks.

Does anyone have any further suggestions?

JC
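The pattern JC describes (one source, a steady two-minute cadence, the same pair of destination ports for hours) is easy to pull out of a firewall log automatically rather than by eyeballing it. This is an added example, not part of the thread; the log line format and the entries in SAMPLE_LOG are constructed to mirror JC's description (the real Firebox and SonicWALL log formats differ, so LINE_RE would need adjusting). For context, UDP 1026 and 1027 were at the time the usual targets of Windows Messenger service pop-up spam, which fits the "spam packets" reading.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log excerpt in an assumed "timestamp action proto src -> dst"
# format. 61.172.249.201 is the source JC reported; the other source is noise.
SAMPLE_LOG = """\
2005-07-12 20:00:05 DROP UDP 61.172.249.201:4321 -> 192.0.2.10:1026
2005-07-12 20:01:10 DROP TCP 203.0.113.7:51022 -> 192.0.2.10:22
2005-07-12 20:02:07 DROP UDP 61.172.249.201:4321 -> 192.0.2.10:1027
2005-07-12 20:04:04 DROP UDP 61.172.249.201:4321 -> 192.0.2.10:1026
2005-07-12 20:06:06 DROP UDP 61.172.249.201:4321 -> 192.0.2.10:1027
2005-07-12 20:07:31 DROP TCP 203.0.113.7:51030 -> 192.0.2.10:80
2005-07-12 20:08:05 DROP UDP 61.172.249.201:4321 -> 192.0.2.10:1026
2005-07-12 20:10:05 DROP UDP 61.172.249.201:4321 -> 192.0.2.10:1027
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse matching lines into dicts; lines in another format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def per_source(records):
    """Group records by source address."""
    by_src = defaultdict(list)
    for rec in records:
        by_src[rec["src"]].append(rec)
    return by_src


def summarize(recs):
    """Hit count, destination ports, and the cadence between hits in seconds:
    median gap plus population standard deviation (0 means perfectly regular)."""
    times = sorted(r["ts"] for r in recs)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {
        "count": len(recs),
        "ports": sorted({r["dport"] for r in recs}),
        "median_gap": statistics.median(gaps) if gaps else None,
        "gap_spread": statistics.pstdev(gaps) if len(gaps) > 1 else None,
    }


def find_beacons(text, min_hits=5, max_spread=10.0):
    """Sources that hit us at least min_hits times with a near-constant gap.
    A human clicking around does not produce a low gap_spread; a script does."""
    out = {}
    for src, recs in per_source(parse_log(text)).items():
        s = summarize(recs)
        if s["count"] >= min_hits and s["gap_spread"] is not None \
                and s["gap_spread"] <= max_spread:
            out[src] = s
    return out


if __name__ == "__main__":
    for src, s in find_beacons(SAMPLE_LOG).items():
        print(f"{src}: {s['count']} hits, ports {s['ports']}, "
              f"every ~{s['median_gap']:.0f}s (spread {s['gap_spread']:.1f}s)")
```

On the sample the only source flagged is 61.172.249.201, six hits to ports 1026 and 1027 at a median 120 seconds apart with under two seconds of jitter; the two stray probes from 203.0.113.7 fall below the hit threshold. Over a real 24-hour log the same summary gives you the count and port list to paste into an abuse report.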

:If you have a firewall and not just a router, you can actually start
:blocking IP Ranges of countries that you don't need to allow inbound to

:12.144.182.0/24
:12.45.203.0/24
:12.98.139.0/24

Those 3 are "AT&T Worldwide" -- a bit difficult to tell where in the world they are.

:155.48.106.0/24

That one is Babson College in Mass., USA.

:172.184.111.203

Registered to AOL USA.

:205.251.79.0/24

True that's not part of USA, but it is a cable company in St. John's Newfoundland, Canada.

? Someone had 207.44.194.2x on the list. That's in Houston, Texas.

:216.76.35.0/24

Genna Corp, Miami Florida.

Walter Roberson

In article , Leythos wrote:
:If you have a firewall and not just a router, you can actually start
:blocking IP Ranges of countries that you don't need to allow inbound to
:your network

Here is my current non-North-America table. I don't use this for blocking: it's an extract from my data tables for my enhanced 'whois'. Thus, the names after the CIDR are not intended to be country codes: they are indicators of which -registry- handles the CIDR.

The registries should be pretty obvious to anyone who does non-trivial registry lookups. The one below that is not generally known is the one noted as net.ar, the registry for which is rwhois.comsat.net.ar

24.132/14 ripe 24.232/16 lacnic
59/8 apnic 59.186/15 kr 60/8 apnic
61/8 apnic 61.192/13 jp 61.248/13 kr 61.72/13 kr 61.78/15 kr 61.80/14 kr 61.84/15 kr 61.96/12 kr
62/8 ripe 66.128.32/20 lacnic 66.60.0/18 lacnic
80/8 ripe 81/8 ripe 82/8 ripe 82.166/16 ripe 83/8 ripe 84/8 ripe 85/8 ripe
128.134/16 kr 129.142/15 ripe 129.187/16 ripe 129.217/16 ripe 129.254/16 kr
130.206/16 ripe 130.225/16 ripe 130.226/15 ripe 130.227/16 ripe 130.228/14 ripe 130.232/13 ripe 130.240/14 ripe 130.244/16 ripe 130.34/16 apnic 130.78/15 ripe
131.178/16 lacnic 132.247/16 lacnic 132.248/16 lacnic 133/8 jp
134.104/14 ripe 134.108/15 ripe 134.110/16 ripe 134.75/16 apnic 134.76/16 ripe 134.91/16 ripe 134.92/14 ripe 134.96/13 ripe
137.101/16 ripe 137.68/16 kr 139.20/14 ripe 139.223/16 apnic 139.24/14 ripe 139.28/15 ripe
140.109/16 apnic 140.110/15 apnic 140.112/16 apnic 140.116/14 apnic 140.120/13 apnic 140.128/13 apnic 140.136/15 apnic 140.138/16 apnic
141.0/10 ripe 141.223/16 kr 141.64/12 ripe 141.80/14 ripe 141.84/15 ripe
143.106/15 lacnic 143.108/16 lacnic 143.224/15 ripe 143.248/16 kr
144.130/15 apnic 144.132/14 apnic 144.136/14 apnic 144.140/16 apnic 144.16/16 apnic 144.206/16 ripe 144.213/16 apnic 144.214/16 apnic
145.224/12 ripe 145.240/13 ripe 145.248/14 ripe 145.252/15 ripe 145.254/16 ripe
146.155/16 lacnic 146.164/16 lacnic 146.188/16 ripe 146.83/16 lacnic
147.175/16 ripe 147.213/16 ripe 147.214/15 ripe 147.233/16 ripe 147.234/15 ripe 147.236/15 ripe 147.43/16 kr 147.44/15 ripe 147.46/15 kr 147.6/16 kr 147.69/16 apnic 147.86/15 ripe 147.88/15 ripe 147.91/16 ripe
148.201/16 lacnic 148.202/15 lacnic 148.204/14 lacnic 148.208/12 lacnic 148.224/12 lacnic 148.240/13 lacnic 148.248/15 lacnic 148.250/16 lacnic 148.81/16 ripe 148.82/15 ripe
149.155/16 ripe 149.156/15 ripe 149.202/15 ripe 149.204/16 ripe 149.206/15 ripe 149.208/12 ripe 149.224/12 ripe 149.240/13 ripe 149.248/14 ripe
150.145/16 ripe 150.146/16 ripe 150.150/16 apnic 150.161/16 lacnic 150.162/15 lacnic 150.164/15 lacnic 150.183/16 kr 150.185/16 lacnic 150.186/15 lacnic 150.188/15 lacnic 150.197/16 kr 150.254/16 ripe
151.1/16 ripe 151.100/16 ripe 151.16/12 ripe 151.2/15 ripe 151.3/16 ripe 151.32/11 ripe 151.4/14 ripe 151.4/15 ripe 151.64/11 ripe 151.8/13 ripe 151.81/16 ripe 151.82/16 ripe 151.9/16 ripe 151.91/16 ripe 151.92/15 ripe 151.95/16 ripe 151.96/14 ripe
152.66/16 ripe 152.74/16 lacnic 152.92/16 lacnic 152.99/16 kr 154.10/16 kr 155.230/16 kr 155.69/16 apnic 156.147/16 kr 156.17/16 ripe 156.18/16 ripe 157.197/16 kr
158.144/16 apnic 158.182/16 apnic 158.190/15 ripe 158.192/14 ripe 158.196/15 ripe 158.44/16 kr 158.49/16 ripe 158.50/16 ripe 158.75/16 ripe
159.147/16 ripe 159.148/15 ripe 159.226/16 apnic 160.216/14 ripe 160.220/16 ripe 160.44/14 ripe 160.48/12 ripe
161.122/16 kr 161.252/16 ripe 161.52/15 ripe 161.54/16 ripe 162.105/16 apnic
163.10/16 lacnic 163.121/16 ripe 163.13/16 apnic 163.14/15 apnic 163.152/16 kr 163.156/14 ripe 163.16/12 apnic 163.160/12 ripe 163.178/16 lacnic 163.180/16 kr 163.211/16 apnic 163.212/16 apnic 163.239/16 kr 163.243/16 kr 163.247/16 lacnic 163.32/16 apnic
164.0/11 ripe 164.100/16 apnic 164.124/15 apnic 164.128/12 ripe 164.160/14 apnic 164.164/16 apnic 164.32/13 ripe 164.40/16 ripe 164.41/16 lacnic 164.43/16 apnic 164.77/16 lacnic
165.132/15 apnic 165.141/16 kr 165.186/16 kr 165.194/16 kr 165.213/16 kr 165.229/16 apnic 165.240/14 apnic 165.244/16 apnic 165.246/16 apnic 165.98/16 lacnic
166.103/16 kr 166.104/16 kr 166.114/16 lacnic 166.125/16 kr 166.79/16 kr
168.115/16 apnic 168.120/16 apnic 168.126/16 kr 168.131/16 kr 168.154/16 kr 168.160/16 apnic 168.176/16 lacnic 168.187/16 ripe 168.188/16 kr 168.219/16 kr 168.243/16 lacnic 168.77/16 lacnic 168.78/16 kr
169.158/16 lacnic 169.208/12 apnic 171.16/12 ripe 171.32/15 ripe
192.106.196/23 ripe 192.114/15 ripe 192.116/15 ripe 192.118/16 ripe 192.162/16 ripe 192.164/14 ripe 192.38/16 ripe 192.71/16 ripe
193/8 ripe 194/8 ripe 195/8 ripe 198.17.117/24 ripe
200/8 lacnic 200.128/9 br 200.47.128/18 net.ar 201/8 lacnic
202/7 apnic 202.14.103/24 kr 202.14.165/24 kr 202.20.119/24 kr 202.20.128/17 kr 202.20.82/23 kr 202.20.84/23 kr 202.20.86/24 kr 202.20.99/24 kr 202.21/21 kr 202.212/14 jp 202.30/15 kr 202.6.95/24 kr
203.224/11 kr 207.248/15 lacnic 209.13/16 lacnic 209.45.0/17 lacnic 209.99.224/20 lacnic
210/7 apnic 210.100/15 kr 210.102/16 kr 210.103.0/17 kr 210.103.128/18 kr 210.103.192/19 kr 210.104/14 kr 210.108/14 kr 210.112/14 kr 210.116/14 kr 210.120/14 kr 210.124/14 kr 210.128/13 jp 210.136/13 jp 210.144/12 jp 210.160/12 jp 210.178/15 kr 210.180/14 kr 210.204/14 kr 210.216/13 kr
210.244.128/18 tw 210.59/16 tw 210.60/16 tw 210.61/16 tw 210.62/16 tw 210.63/16 tw 210.65/16 apnic 210.66/16 tw 210.67/16 tw 210.68.128/24 tw 210.68.96/24 tw 210.68.97/24 tw 210.68/16 apnic 210.69.13/24 tw 210.69.154/24 tw
210.90/15 kr 210.92/14 kr 210.96/16 kr 210.97.0/17 kr 210.97.128/18 kr 210.98/16 kr 210.99/16 kr
211.104/13 kr 211.112/13 kr 211.16/14 jp 211.168/14 kr 211.172/14 kr 211.176/12 kr 211.192/13 kr 211.200/14 kr 211.204/15 kr 211.206/15 kr 211.208/14 kr 211.212/14 kr 211.216/13 kr 211.224/15 kr 211.226/15 kr 211.228/14 kr 211.232/13 kr 211.240/12 kr 211.32/11 kr 211.8/13 jp
212/8 ripe 213/8 ripe 216.155.64/19 lacnic 216.244.128/18 lacnic 217/8 ripe
218/7 apnic 218.100/16 apnic 218.144/12 kr 218.216/13 jp 218.224/13 jp 218.232/15 kr 218.234/15 kr 218.236/14 kr 218.40/13 jp 218.48/13 kr
219.240/15 kr 219.248/13 kr 219.96/11 jp 220/8 apnic 220.72/13 kr 220.80/13 kr
221/8 apnic 221.144/12 kr 221.160/13 kr 221.168/16 kr 222/8 apnic 222.112/13 kr 222.120/15 kr 222.122/16 kr 222.96/12 kr
Walter Roberson
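Walter's table uses a shortened CIDR notation (24.132/14 means 24.132.0.0/14) and deliberately overlaps: 61/8 is tagged apnic while 61.78/15 inside it is tagged kr, so a lookup has to take the longest matching prefix, not the first hit. The following is an added example, not Walter's enhanced whois; WALTER_EXCERPT is a small subset copied from the table above, and composition() reproduces the kind of per-/8 registry count Moe Trin showed earlier with grep and uniq -c.

```python
import ipaddress
from collections import Counter

# Excerpt of the cidr/tag pairs from the table above (not the full table).
WALTER_EXCERPT = """
59/8 apnic 59.186/15 kr 60/8 apnic 61/8 apnic 61.192/13 jp 61.248/13 kr
61.72/13 kr 61.78/15 kr 61.80/14 kr 61.84/15 kr 61.96/12 kr 168.126/16 kr
193/8 ripe 202/7 apnic 202.30/15 kr 210/7 apnic 210.128/13 jp 218/7 apnic
218.144/12 kr
"""


def expand_short_cidr(short):
    """'24.132/14' -> IPv4Network('24.132.0.0/14'): missing octets are zero.
    strict=True rejects entries whose host bits are set, which in a hand-kept
    table means a typo rather than a deliberate choice."""
    addr, plen = short.split("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad prefix: {short}")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.IPv4Network(".".join(octets) + "/" + plen, strict=True)


def parse_table(text):
    """Whitespace-separated 'cidr tag cidr tag ...' -> list of (network, tag)."""
    toks = text.split()
    if len(toks) % 2:
        raise ValueError("table must be cidr/tag pairs")
    return [(expand_short_cidr(c), tag) for c, tag in zip(toks[0::2], toks[1::2])]


def lookup(table, ip):
    """Longest-prefix match: the most specific entry containing ip, as
    (cidr, tag), or None when no entry covers it (e.g. an ARIN address,
    since this table only lists non-North-American space)."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for net, tag in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, tag)
    return (str(best[0]), best[1]) if best else None


def composition(table, block):
    """Count entries inside a block by tag, the way Moe Trin's
    grep '.. 134' | cut | sort | uniq -c summarised 134/8."""
    block = ipaddress.IPv4Network(block)
    return Counter(tag for net, tag in table if net.subnet_of(block))


if __name__ == "__main__":
    table = parse_table(WALTER_EXCERPT)
    for ip in ("61.172.249.201", "61.78.5.5", "168.126.3.4", "155.48.106.1"):
        print(ip, "->", lookup(table, ip))
    print("61/8 composition:", dict(composition(table, "61.0.0.0/8")))
```

Run against the excerpt, 61.172.249.201 (JC's source) resolves to 61/8 apnic because none of the more specific kr or jp entries cover 61.172, while 61.78.5.5 resolves to the /15 kr entry rather than the /8. 155.48.106.1 returns None, which is the right answer for this table and also illustrates Walter's point that it belongs to ARIN.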

Thanx.

Totally understood including shortening the list by taking advantage of the netmask. For my purposes I could actually block the entire world except for a few local networks, but blocking RIPE and APNIC seems to have cast a wide enough net to significantly quiet the logs without having to spend a lot of time researching Class C or B networks.

I don't know if that particular page was my source for the blocks or if it was another page within IANA. The "Various Registries" was not noted on those nets at that time though or I would have probably omitted them from my list. I specifically targeted RIPE and APNIC.

5 months, 5 weeks ... eh. Blame it on advanced chronological disorder. It was some time in the not-too-distant past.
MyndPhlyp

If it's a router, it can do routes. If it can do routes, you can route the range away. Not the same thing, I know, but it's BTN. :-)

Regards,

Arthur Hagen

That seems like tossing the baby out with the bath water. I'm sure you're going to curse your decision the next time you need to download an Asus BIOS from Taiwan, or access BBC World News, or something else :-)

Regards,

Arthur Hagen

The list I provided did contain additional non-country based blocks that I added when we detected masses of unwanted traffic from those networks - I should have also mentioned that, sorry. Each network was checked to make sure that it didn't impact our clients and our ability to reach the systems from locations in the USA (with the exceptions of the ones we deemed as blockable).

In most cases, we used VisualRoute to follow the paths to the offending IP, then checked the owner of the net-block and made a decision to block all of the foreign networks up to and including that point.

Thanks for the info.

Leythos

In article , Moe Trin wrote:
:[compton ~/IP.ADDR/stats]$ wc -l [ALR]*
:    444 AFRINIC

I didn't think my accumulated tables had any major holes in them, but I've never encountered even a single AFRINIC in my armchair travels. Your data source appears to be much more complete than what I've scraped together manually. Would the data you are using happen to be publicly accessible?

Walter Roberson

Yea, but those countries support spamming, so your complaint won't do any good. While my Firebox II and III also block inbound like your Sonic, I have many IP addresses that expose public services, those lists help eliminate problems from those countries without me needing to do anything else. Before I blocked some of them I could watch lamers trying to crack the FTP accounts (we don't allow unsecured FTP)... now they don't make it past the firewall.

Leythos

I think you misunderstand the block lists - those are inbound blocks, not outbound - this means you can still connect outbound to those countries, but they can't connect inbound.

Leythos
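The inbound/outbound distinction Leythos draws is what a stateful firewall's connection table provides: a reply to a connection opened from inside is matched against recorded state before the block list is consulted, so the SYN/ACK for your own download from a blocked range gets in while an unsolicited SYN from that same range is dropped. That is also the answer to the earlier worry about fetching a BIOS from Taiwan. The following is an added illustration written as a small simulation, not the Firebox's rule engine; the BLOCKED list, the inside network and the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy: two of the large blocks from the thread, and an assumed
# inside network behind the firewall.
BLOCKED = [ipaddress.IPv4Network(n) for n in ("61.0.0.0/8", "218.0.0.0/7")]
INSIDE = ipaddress.IPv4Network("192.168.1.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatefulFilter:
    """Inbound block list plus a connection table for our own outbound flows."""

    def __init__(self, blocked, inside):
        self.blocked = blocked
        self.inside = inside
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def is_blocked(self, ip):
        addr = ipaddress.IPv4Address(ip)
        return any(addr in net for net in self.blocked)

    def decide(self, pkt):
        src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
        if src in self.inside:
            # Outbound: the block list is inbound-only, so this always passes;
            # a new connection (SYN without ACK) is remembered as state.
            if pkt.syn and not pkt.ack:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if dst in self.inside:
            # Inbound: state is checked before the block list, so replies to
            # connections we opened get in even from blocked ranges.
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return "ACCEPT"
            if self.is_blocked(pkt.src):
                return "DROP"
            return "ACCEPT"  # unsolicited but not on the list: left to service rules
        return "DROP"  # neither side is ours; this is not a transit firewall


def run_scenario():
    """Four packets exercising both directions against a blocked /8."""
    fw = StatefulFilter(BLOCKED, INSIDE)
    packets = [
        # we open a download from a web server inside 61/8
        Packet("192.168.1.10", 40000, "61.135.1.1", 80, syn=True),
        # its SYN/ACK comes back from the blocked range: established, accepted
        Packet("61.135.1.1", 80, "192.168.1.10", 40000, syn=True, ack=True),
        # unsolicited SYN from elsewhere in 61/8 to our FTP port: dropped
        Packet("61.172.249.201", 4321, "192.168.1.10", 21, syn=True),
        # unsolicited SYN from a range not on the list: passes the list
        Packet("203.0.113.7", 51022, "192.168.1.10", 21, syn=True),
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print(run_scenario())
```

A real connection tracker also times entries out, follows the TCP state machine more closely and keeps pseudo-flows for UDP, but the ordering shown here (state first, then the block list) is the part that makes a country block list compatible with normal outbound use.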
