Dave McGuire writes:

>> then setup fail2ban to manage extrafields
>
> Now that's a very interesting idea, thank you! I will investigate this.
>
>> If you don't expect your firewall to handle 45K+ IPs, I'm not sure how you expect dovecot will handle a comma separated string with 45K+ entries any better.
>
> My firewall can handle that without breaking a sweat. I just haven't found a way (that I'm comfortable with) to automatically inject rules into it from a machine on the network.
>
> Doing it via a DNSBL is an elegant solution to the problem, IMO.

I'm agnostic as far as which method you want to use. All I'm saying is that using dovecot's allow_net facility is as difficult, if not more so, than letting your firewall handle it.

Joseph Tam <jtam.home@gmail.com>
On 03/02/2015 09:41 PM, Joseph Tam wrote:
>>> then setup fail2ban to manage extrafields
>>
>> Now that's a very interesting idea, thank you! I will investigate this.
>>
>>> If you don't expect your firewall to handle 45K+ IPs, I'm not sure how you expect dovecot will handle a comma separated string with 45K+ entries any better.
>>
>> My firewall can handle that without breaking a sweat. I just haven't found a way (that I'm comfortable with) to automatically inject rules into it from a machine on the network.
>>
>> Doing it via a DNSBL is an elegant solution to the problem, IMO.
>
> I'm agnostic as far as which method you want to use. All I'm saying is that using dovecot's allow_net facility is as difficult, if not more so, than letting your firewall handle it.

I'm not disagreeing with you. As I stated above, getting new rules into my firewall in an automated way is not something I've found a good way to do yet. Granted, it has been a couple of years since I've googled around to see if anyone has been able to do it in a reasonably secure way. (Perhaps it's time for me to revisit that.)

-Dave

-- 
Dave McGuire, AK4HZ/3
New Kensington, PA
On 03.03.2015 at 12:40, Dave McGuire wrote:
> On 03/02/2015 09:41 PM, Joseph Tam wrote:
>>>> then setup fail2ban to manage extrafields
>>>
>>> Now that's a very interesting idea, thank you! I will investigate this.
>>>
>>>> If you don't expect your firewall to handle 45K+ IPs, I'm not sure how you expect dovecot will handle a comma separated string with 45K+ entries any better.
>>>
>>> My firewall can handle that without breaking a sweat. I just haven't found a way (that I'm comfortable with) to automatically inject rules into it from a machine on the network.
>>>
>>> Doing it via a DNSBL is an elegant solution to the problem, IMO.
>>
>> I'm agnostic as far as which method you want to use. All I'm saying is that using dovecot's allow_net facility is as difficult, if not more so, than letting your firewall handle it.
>
> I'm not disagreeing with you. As I stated above, getting new rules into my firewall in an automated way is not something I've found a good way to do yet. Granted, it has been a couple of years since I've googled around to see if anyone has been able to do it in a reasonably secure way. (Perhaps it's time for me to revisit that.)

I did a quick hack for exactly this purpose - send offending IPs from my mail server to the firewall "in a secure way". It's a python script that uses the fail2ban syntax on the one end and feeds a (patched) pfSense on the other end. You can find the scripts on github: https://github.com/oliwel/fail2sense - be warned, it's a first draft - but it does the job here... For the unblock feature you need this patch against pfsense: https://github.com/pfsense/pfsense/pull/1444/

Oli

-- 
Protect your environment - close windows and adopt a penguin!
On 03.03.2015 at 22:31, Oliver Welter wrote:
> I did a quick hack for exactly this purpose - send offending IPs from my mail server to the firewall "in a secure way". It's a python script that uses the fail2ban syntax on the one end and feeds a (patched) pfSense on the other end. You can find the scripts on github: https://github.com/oliwel/fail2sense - be warned, it's a first draft - but it does the job here... For the unblock feature you need this patch against pfsense: https://github.com/pfsense/pfsense/pull/1444/

the problem is the "in a secure way"

that's not really possible when you mangle firewall rules, which implies root permissions - an RBL request is just a DNS request which doesn't need *any* permissions on the machine which does the request

the other problem is that mangling firewall rules in the context of existing infrastructures is error prone - you may interfere with existing rulesets - it's a bad idea to start with
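The RBL point above (an unprivileged DNS lookup, as opposed to editing firewall rules as root) is the mechanism behind the DNSBL suggestion earlier in the thread. The following is an added Python example, not code from this thread, from Dovecot, or from the fail2sense project: it builds the reversed-octet query name, performs the lookup through the ordinary system resolver, and accepts only answers inside 127.0.0.0/8, which is the conventional DNSBL reply range. The zone name bl.example.invalid, the constructed in-memory zone and the `decide` policy hook are assumptions made for offline illustration.

```python
import ipaddress
import socket
from typing import Callable, Dict, Optional

# Hypothetical zone name; a real deployment would use its own DNSBL zone
# (for example one maintained from fail2ban output on the mail server).
DNSBL_ZONE = "bl.example.invalid"

# Conventional DNSBL answers live in 127.0.0.0/8; anything else is suspect.
DNSBL_ANSWER_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """Build the DNSBL lookup name: IPv4 octets reversed, then the zone.

    203.0.113.7 -> 7.113.0.203.bl.example.invalid
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def system_resolver(name: str) -> Optional[str]:
    """Plain A-record lookup through the OS resolver; needs no privileges.

    Returns the address string, or None when the name does not resolve.
    """
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def is_listed(
    ip: str,
    resolve: Callable[[str], Optional[str]] = system_resolver,
    zone: str = DNSBL_ZONE,
) -> Optional[str]:
    """Return the DNSBL answer (e.g. "127.0.0.2") if the IP is listed, else None.

    Answers outside 127.0.0.0/8 are ignored: they indicate a wildcarded,
    hijacked or misconfigured zone rather than a genuine listing, and
    acting on them would let the zone operator block arbitrary clients.
    """
    answer = resolve(dnsbl_query_name(ip, zone))
    if answer is None:
        return None
    if ipaddress.ip_address(answer) not in DNSBL_ANSWER_RANGE:
        return None
    return answer


# Constructed in-memory zone standing in for real DNS so the example runs
# offline. Keys are full query names, values are the A-record answers.
CONSTRUCTED_ZONE: Dict[str, str] = {
    "7.113.0.203." + DNSBL_ZONE: "127.0.0.2",  # listed after repeated auth failures
    "9.113.0.203." + DNSBL_ZONE: "10.0.0.1",   # bogus answer outside 127/8, ignored
}


def constructed_resolver(name: str) -> Optional[str]:
    """Resolver backed by the constructed zone above."""
    return CONSTRUCTED_ZONE.get(name)


def decide(ip: str, resolve: Callable[[str], Optional[str]] = constructed_resolver) -> str:
    """Policy hook showing what a mail server would do with the lookup result."""
    return "reject" if is_listed(ip, resolve) else "allow"


if __name__ == "__main__":
    for client in ("203.0.113.7", "203.0.113.8", "203.0.113.9"):
        print(client, dnsbl_query_name(client), decide(client))
```

Swapping `constructed_resolver` for `system_resolver` turns this into a live check against whatever zone `DNSBL_ZONE` names; the rest of the logic, including the 127.0.0.0/8 sanity check, stays the same.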