Re: wanted: cyveillance IP address blocks
From: Ken (ng3122_at_ke9nr.#nospam#.net.invalid)
Date: 04/30/05
- Previous message: optikl: "Re: Configuring Firewall"
- In reply to: Moe Trin: "Re: wanted: cyveillance IP address blocks"
- Next in thread: Casey: "Re: wanted: cyveillance IP address blocks"
Date: Fri, 29 Apr 2005 20:48:08 -0700
Hi -

On Fri, 29 Apr 2005 19:38:52 -0500, ibuprofin@painkiller.example.tld
(Moe Trin) wrote:

>The only reason I suggest the larger block sizes is that it minimizes
>the number of rules - which reduces the cost in CPU cycles.

I do compress the router rules. Not just 200/7; anytime I have
adjacent rules, even if they are totally unrelated, that can be merged
together, I do so (assuming I notice it).

>Actually, ARIN
>and AFRINIC are also assigning out of 200/8 (200.16.8/21 is in South Africa
>to my surprise - and there are 15 blocks "assigned" or "allocated" to the
>US though most are probably for customers in Central/South America).

I've yet to actually see any AfriNIC allocations even though they've
been an official RIR for three weeks. I expect to treat them like
LACNIC.

>There are some people who use 'shotgun' rules (blunderbuss would be a more
>appropriate description) to block "all of APNIC and LACNIC" using just eight
>rules (58/7, 60/7, 124/7, 126/8, 200/6, 210/7, 218/7, 220/6 - overlooking the
>many other blocks in 128/2 and 192/3 in the "Various Registries" category),
>or that 24.0.0.0 has allocations in .ar, .bs, .cl, and .nl (and used-to-was
>in .au).

I do that with LACNIC. Not with APNIC only because of AU and NZ.
Where there are few enough AU and NZ blocks in a /8, I create
exceptions, then block the /8. (Using an iptables user chain with
RETURN for the exceptions ahead of the REJECT for the /8.)

I know there are some U.S. companies with IP address allocations from
APNIC. I do *not* make any holes for those blocks and won't unless
specifically requested.

This is my router and server for my personal websites and personal
email, so I can be as much of a hard-ass as I want! <G> If I were
ever to put up a commercial website that could involve email as part
of the business, I'd definitely have to make some changes.

-- Ken http://www.ke9nr.net/
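
Added example (not part of the original message, and not Ken's or Moe Trin's rule set): a sketch of the two techniques described in the post, merging adjacent blocks into the fewest rules and building a user chain whose RETURN exceptions come ahead of the REJECT for the enclosing block. The chain name GEOBLOCK, the INPUT hook, the function names and the sample exception 203.0.113/24 (a documentation range) are assumptions made for illustration.

```python
import ipaddress

def expand(short):
    """Expand thread-style shorthand ("200/7", "200.16.8/21") to a network.

    Strict parsing rejects a block whose base is not aligned to its prefix.
    """
    addr, _, plen = short.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + plen)

def merge(shorts):
    """Collapse adjacent or overlapping blocks into the fewest networks."""
    return list(ipaddress.collapse_addresses(expand(s) for s in shorts))

def build_chain(chain, blocked, exceptions, hook="INPUT"):
    """Return iptables commands for a user chain (hypothetical helper).

    Order matters: every RETURN exception is appended before any REJECT,
    so an excepted source leaves the chain before the wide rule matches.
    """
    blocks = merge(blocked)
    holes = merge(exceptions)
    for hole in holes:
        # An exception outside every blocked range is a typo or a stale
        # entry; fail loudly instead of emitting a rule that does nothing.
        if not any(hole.subnet_of(b) for b in blocks):
            raise ValueError(f"exception {hole} is not inside a blocked range")
    cmds = [f"iptables -N {chain}"]
    cmds += [f"iptables -A {chain} -s {h} -j RETURN" for h in holes]
    cmds += [f"iptables -A {chain} -s {b} -j REJECT" for b in blocks]
    cmds.append(f"iptables -A {hook} -j {chain}")
    return cmds

if __name__ == "__main__":
    # Constructed input: four adjacent /8s that collapse into 200/6,
    # with one constructed exception carved out of 203/8.
    for line in build_chain("GEOBLOCK",
                            ["200/8", "201/8", "202/8", "203/8"],
                            ["203.0.113/24"]):
        print(line)
```

The script only prints the commands; review the output before loading it on a router.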