# ipfw question (filtering domains)



## Zeus (Jan 15, 2006)

Hi all,
is it possible to filter access to a service to all .com or .org domains using ipfw?
if yes, how to do it?

thanks in advance


----------



## lurk (Jan 16, 2006)

No it is not.  The filtering takes place on the level of IP addresses like 12.23.45.067 after the domain name has been resolved.  You can use names like www.example.com in a rule but all that happens is that the name is looked up and then the numeric address is added.

What are you really trying to do?  There might be another way to accomplish your goal.


----------



## Zeus (Jan 16, 2006)

hi Lurk,
I'm trying to harden my ssh server.
I'm in Italy and every day I receive thousands of ssh brute force attacks.

I'd like to allow ssh only from Italian domains.

thanks.


----------



## lurk (Jan 17, 2006)

Well I am afraid that ipfw will not be of any help to you there.  The problem is that the firewall filters based on the network structure and addresses - these do not follow the political structures of the world.  

There is a parallel to the way phone numbers work, let's say you only want to take calls from people whose name starts with the letter 'S' but your caller ID only shows the number of the incoming call.  Because phone numbers are basically randomly assigned as far as the caller's name is concerned it will not do you much good to see the number.

Now how to really protect your machine.  I take it that you want to allow some SSH connections, if those are from a small enough set of trusted machines you could just allow connections from those hosts (That would have to be a much smaller set than all the machines in Italy).  Another good possibility would be to move your ssh to a non-standard port.  That can be inconvenient for some uses but it is pretty effective for preventing random connections.

Finally you have to ask yourself if you really care?  If the unwanted connection is stopped at the firewall or the SSH daemon does it matter to you?  You are using public keys to authenticate users and machines right?


----------



## bbolin (Feb 14, 2006)

Zeus said:

> hi Lurk,
> I'm trying to harden my ssh server.
> I'm in Italy and every day I receive thousands of ssh brute force attacks.
> 
> ...

I live around Chicago IL

I experienced the same kind of attacks.  So the solution was to come up with the big isp providers in the area.

comcast
sbc

google, whois and find out their netblocks.

That put a stop to these little buggers -

descr:        Beijing 100031
country:      CN
202.108.13.91


----------
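lurk suggests allowing SSH only from a small set of trusted hosts, and bbolin's approach is the same idea applied to whole ISP netblocks found via whois. The script below is an added example, not code posted by anyone in this thread: it generates an ipfw(8) rule set that accepts TCP to the SSH port only from an allow-list of netblocks and denies every other source, and it includes an address-in-netblock check so a legitimate client's address can be tested against the list before the rules are loaded. The rule numbers, `SSH_PORT` and the sample netblocks are assumed values (the ranges are RFC 5737 documentation ranges, not real ISP blocks). The rules are printed rather than loaded so they can be reviewed first.

```shell
#!/bin/sh
# Added example, not code posted in this thread. Builds an ipfw(8) rule set
# that accepts SSH only from an allow-list of netblocks (the "whois the ISPs
# and allow their ranges" approach) and rejects every other source, and
# provides a helper to test an address against that list before loading it.
# Assumptions: rule numbers, SSH_PORT and the sample ranges are made up;
# 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
# Rules are printed, not loaded: review them, then run them on the host.

SSH_PORT=${SSH_PORT:-22}      # change this if sshd listens on a non-standard port
BASE_RULE=${BASE_RULE:-1000}  # first rule number; adjust to fit the existing set

# ip_to_int A.B.C.D -> 32-bit integer, so membership can be checked with masks.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_net ADDR NET[/BITS] -> exit status 0 if ADDR lies inside the netblock.
# A bare address is treated as a /32.
ip_in_net() {
    addr_int=$(ip_to_int "$1")
    cidr_net=${2%/*}
    cidr_bits=${2#*/}
    [ "$cidr_bits" = "$2" ] && cidr_bits=32
    net_int=$(ip_to_int "$cidr_net")
    mask=$(( (4294967295 << (32 - cidr_bits)) & 4294967295 ))
    [ $(( addr_int & mask )) -eq $(( net_int & mask )) ]
}

# ssh_allowed ADDR NET... -> 0 if ADDR matches any allowed netblock, 1 otherwise.
# Run it on the addresses of your own legitimate clients before deploying,
# so nobody you need is locked out.
ssh_allowed() {
    candidate=$1
    shift
    for allowed in "$@"; do
        ip_in_net "$candidate" "$allowed" && return 0
    done
    return 1
}

# gen_ssh_rules NET... -> prints the ipfw commands, one per line.
# Host names could be written instead of numbers, but ipfw resolves them once
# when the rule is added; the rule never follows later DNS changes.
gen_ssh_rules() {
    num=$BASE_RULE
    echo "ipfw add $num check-state"              # let established sessions through
    for allowed in "$@"; do
        case "$allowed" in
            */*) ;;                              # already CIDR notation
            *)   allowed="$allowed/32" ;;        # single trusted host
        esac
        num=$((num + 10))
        echo "ipfw add $num allow tcp from $allowed to me $SSH_PORT in setup keep-state"
    done
    num=$((num + 10))
    echo "ipfw add $num deny tcp from any to me $SSH_PORT in"   # default: refuse
}

# Usage: gen_ssh_rules 203.0.113.0/24 198.51.100.7 > ssh-rules.sh
```

Keep an existing console session open while loading the generated rules: if the allow-list misses the netblock you are connecting from, the final deny rule cuts off new SSH connections and the open session is the only way back in.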

