From: Kirk Hoganson
Date: Thu, 06 Oct 2005 15:02:27 -0600
To: gentoo-security@lists.gentoo.org
Subject: Re: [gentoo-security] [OT?] automatically firewalling off IPs

Matan Peled said the following:
> William Kenworthy wrote:
>
>>Can anyone comment whether IP spoofing (for hiding country of origin) is
>>common? Seems quite unlikely - at least at the current state of things.
>>Is it even possible to tell (at the firewall interface?)
>>
>>BillK
>
> I think that hiding country of origin by IP spoofing is quite useless, at
> least on the Internet (It might work on a single subnet, or if you pretend to be
> another IP in your subnet, and then switches complicate it as well...)

I think it depends on your purpose. It is easy to get around, but blocking whole ranges based on country could help cut down on the vulnerability scans that can be so annoying. Our country does no business with China, yet various subnets are frequently scanned from addresses originating there. Blocking those ranges would cause most of them to move on. It is likely that you already block whole invalid subnets in your firewall rules anyway.

--
gentoo-security@gentoo.org mailing list
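
An added example, not part of the original message: one way to build the kind of range block described above, merging country ranges with the invalid source ranges into a single `ipset` set and checking it against an allowlist and logged scan sources before loading. All addresses, the set name `blocked_src` and the helper names are constructed for illustration; the country ranges are RFC 5737 documentation prefixes standing in for real allocation data.

```python
import ipaddress

# Constructed sample input: RFC 5737 documentation ranges stand in for a
# country's allocations; a real list would come from registry or GeoIP data.
COUNTRY_RANGES = ["198.51.100.0/25", "198.51.100.128/25",
                  "203.0.113.0/24", "203.0.113.64/26"]
# Source ranges that are never valid on an Internet-facing interface.
INVALID_RANGES = ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
                  "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3"]
# Constructed: a partner address that must stay reachable, and scan sources
# as they might be pulled from a firewall log.
ALLOWLIST = ["203.0.113.10"]
SCAN_SOURCES = ["198.51.100.7", "198.51.100.200", "203.0.113.99", "192.0.2.44"]

def collapse(cidrs):
    """Merge adjacent and overlapping CIDRs so the set stays small."""
    nets = (ipaddress.ip_network(c) for c in cidrs)
    return list(ipaddress.collapse_addresses(nets))

def matches(nets, addrs):
    """Return the addresses in addrs that fall inside any network in nets."""
    return [a for a in addrs
            if any(ipaddress.ip_address(a) in n for n in nets)]

def ipset_restore(name, nets):
    """Render the set in the text format read by `ipset restore`."""
    lines = [f"create {name} hash:net family inet"]
    lines += [f"add {name} {n}" for n in nets]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    blocked = collapse(COUNTRY_RANGES + INVALID_RANGES)
    hit = matches(blocked, ALLOWLIST)
    if hit:
        print("# WARNING: allowlisted addresses inside blocked ranges:", hit)
    dropped = matches(blocked, SCAN_SOURCES)
    print(f"# {len(dropped)}/{len(SCAN_SOURCES)} logged scan sources covered")
    print(ipset_restore("blocked_src", blocked), end="")
    # Load with:    ipset restore < blocked_src.ipset
    # Enforce with: iptables -I INPUT -m set --match-set blocked_src src -j DROP
```

The fourth constructed scan source lies outside the listed ranges and is not covered, which is the "easy to get around" caveat in practice.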