Thread: Server Access
Old 23rd June 2013
ocicat
Administrator

Quote:
Originally Posted by frcc
...in this situation is it
normal practice, or good practice, or a practical justified concern of mine to want
to filter such a huge block of IPs. To me it might seem a little overkill
to filter all IP addresses with the exception of US to simply reduce some
server ticks. Since the web page is simply static, with no company resources
on it to muck with, and separated from the other servers, am I being penny wise
and pound foolish?
The answer depends upon what is your ultimate goal. If you don't care whether some countries can access your server or not, filter them out. A collateral question which only you can answer is whether you want to revisit this matter later. If you want to experiment,
  1. measure the unfiltered load
  2. tighten your access
  3. measure the filtered load
By experimenting with access, you will have hard data on which to decide whether or not you want to further filter. Your other choice is to implement access rules once, & be done with it. We cannot give you a definitive answer as to what you should do since we don't really know what is your ultimate goal.

As for whether you should hardcode IP ranges into pf.conf, that is your choice. pf(4) allows tables of IP addresses to be modified, see the following for more details:

This assumes you are running OpenBSD 5.3.
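The two options discussed in the post above (ranges hardcoded in pf.conf versus a pf table that can be modified) and the measure, tighten, measure experiment, as an added example that is not part of the original post. The table name, file path, labels and the addresses (documentation ranges used as placeholders) are assumptions.

```conf
# /etc/pf.conf fragment (added example; names and addresses are assumptions)

# Hardcoded alternative: every change means editing and reloading pf.conf.
# table <allowed_nets> { 192.0.2.0/24, 198.51.100.0/24 }

# Table loaded from a file, one address or CIDR block per line.
# "persist" keeps the table even when no rule refers to it.
table <allowed_nets> persist file "/etc/pf.allowed"

# The last matching rule wins: block web traffic, then pass the listed ranges.
# A label gives each rule its own counters, for the before/after comparison.
block in on egress proto tcp to port www label "web-blocked"
pass  in on egress proto tcp from <allowed_nets> to port www label "web-allowed"

# Check the syntax, then load the ruleset:
#   pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
# Change the table at runtime, without reloading the ruleset:
#   pfctl -t allowed_nets -T add 203.0.113.0/24
#   pfctl -t allowed_nets -T delete 203.0.113.0/24
#   pfctl -t allowed_nets -T replace -f /etc/pf.allowed
#   pfctl -t allowed_nets -T show
# Read the per-label counters (packets and bytes per rule):
#   pfctl -s labels
```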