Quote:
Originally Posted by tronayne
Here's the way I do it...
I don't want to deny that your post was an interesting read, but the OP seems to have been asking for something rather different; the request seems roughly to be for a system which can dynamically add to a whitelist, rather than manage a large-ish blacklist.
Of course, I'm going to add my two-penny worth by not giving the OP a directly usable approach, either.
Firstly, the problem with a lot of these whitelist/blacklist approaches is that it is easy to build in a need to do lots of look-ups whenever a new connection comes in, and in that way build in a vulnerability to DoS/DDoS attacks. This is not a good thing and needs to be examined in context to see how serious it could be. Having said that, something like denyhosts seems to take a broadly sensible approach (but is intended for blocking the outside world trying to get in, rather than the other way around).
What the OP is asking for, in most cases (and there will be cases in which this won't work, but we don't have details), is dealt with by allowing addresses or address ranges; this does not need any dynamic building of lists of allowable addresses for internet access (e.g., allowing 192.168.0.0/24), but it doesn't dynamically block any addresses in that range.
You have to ask 'What is the risk that I am trying to protect against?' It seems that this looser approach could allow someone within your own network to have internet access at a time at which you didn't want this to happen. Is this a big problem? (Maybe it is, if you know that you have to have insecure wireless within your network, that outsiders can access.)
I think if I just wanted to allow groups within my organisation to have access at certain times and not at others, I'd be using squid for access control (and using iptables to ensure that packets have to funnel through squid, rather than be able to go around squid by fiddling with network settings).
@Ammad
Quote:
...to which I want to allow Internet...
Do you really mean that you want to block all internet access, or just HTTP/HTTPS, and FTP, for example?
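The squid-plus-iptables arrangement described in the post above, as an added example that is not part of the original thread or of either project's own documentation. It generates a squid.conf fragment that allows one address range only during working hours, and an iptables-restore rule set that redirects LAN port 80 traffic into squid's intercept port and rejects direct 80/443 forwarding from the LAN interface, so a client that changes its own IP address still cannot route around the proxy. The interface name (eth1), the 192.168.0.0/24 range, the ports 3128/3129 and the 09:00-17:00 window are assumed values for illustration; nothing is applied unless the script is run as root with the `apply` argument.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed values (hypothetical):
# LAN interface eth1, LAN range 192.168.0.0/24, squid explicit port 3128,
# squid intercept port 3129, permitted window Monday-Friday 09:00-17:00.
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.0.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"
INTERCEPT_PORT="${INTERCEPT_PORT:-3129}"
HOURS="${HOURS:-09:00-17:00}"

# squid.conf fragment: explicit proxy on 3128, transparent (intercept) on 3129.
# Access is granted only when the client is in the LAN range AND the time
# matches the worktime ACL; everything else falls through to "deny all".
# Squid evaluates http_access lines top to bottom, so order matters.
squid_conf() {
    cat <<EOF
http_port ${SQUID_PORT}
http_port ${INTERCEPT_PORT} intercept
acl lan src ${LAN_NET}
acl worktime time MTWHF ${HOURS}
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow lan worktime
http_access deny all
EOF
}

# iptables-restore input for the gateway. The rules match on the LAN
# interface rather than on a source address: a host that reconfigures its
# own IP to sit outside the allowed range still arrives on eth1 and is
# still redirected (port 80) or refused (direct 80/443 forwarding).
iptables_rules() {
    cat <<EOF
*nat
-A PREROUTING -i ${LAN_IF} -p tcp --dport 80 -j REDIRECT --to-ports ${INTERCEPT_PORT}
COMMIT
*filter
-A INPUT -i ${LAN_IF} -p tcp -m multiport --dports ${SQUID_PORT},${INTERCEPT_PORT} -j ACCEPT
-A FORWARD -i ${LAN_IF} -p tcp -m multiport --dports 80,443 -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Returns 0 if the "allow lan worktime" line precedes "deny all" in the
# generated config, i.e. the ACL ordering is the one squid needs.
acl_order_ok() {
    allow_line=$(squid_conf | grep -n '^http_access allow lan worktime$' | cut -d: -f1)
    deny_line=$(squid_conf | grep -n '^http_access deny all$' | cut -d: -f1)
    [ -n "$allow_line" ] && [ -n "$deny_line" ] && [ "$allow_line" -lt "$deny_line" ]
}

# Only touch the live firewall when explicitly asked, as root.
# --noflush appends to the existing tables instead of replacing them.
apply() {
    [ "$(id -u)" -eq 0 ] || { echo "apply: must run as root" >&2; return 1; }
    iptables_rules | iptables-restore --noflush
}

case "${1:-show}" in
    show)  squid_conf; echo; iptables_rules ;;
    apply) apply ;;
esac
```

HTTPS is deliberately not intercepted: port 443 is rejected in FORWARD, so browsers must be configured to use the proxy explicitly (CONNECT through 3128), where the same time and source ACLs apply. Transparent interception of TLS needs squid's ssl-bump machinery and a CA the clients trust, which is a separate undertaking; the rule set above only guarantees that nothing reaches the internet on 80/443 without going through squid.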