Server Access
Hi Folks
(newbie question) We are running OpenBSD Ver 5.0 and the Apache server that came with it. We have our business/system running on a public static IP. The server supports a static website with no email, SQL, web finance etc. type features. This server is not used for any other purpose than supporting a non-interactive static web page. That being said, we still get a lot of traffic from locations that simply waste server resources. We do not need to service IPs from other countries or distant geographical areas. Is it practical, desirable, good policy to BLOCK IP addresses from countries or geographic areas to utilize server resources more efficiently, as our type of business is very local? If SO, SHOULD it be done in "etc/pf.conf" using a <table> or in Apache using the "Order Allow,Deny" directives? Advice and information appreciated. Thanks in advance.
Last edited by frcc; 22nd June 2013 at 09:46 PM.
Server Access
I do like supporting OpenBSD so I guess I will make a call to Canada and order the latest... Thanks for the reminder!!!!! One more question, concerning the original post: in this situation is it normal practice, or good practice, or a practical justified concern of mine to want to filter such a huge block of IPs? To me it might seem a little overkill to filter all IP addresses with the exception of the US simply to reduce some server ticks. Since the web page is simply static, with no company resources on it to muck with, and separated from the other servers, am I being penny wise and pound foolish? OpenBSD pf is handling traffic easily; it is simply a nuisance to continue to ID traffic from China, Singapore, E Germany, Russia, S Africa etc. in tcpdump and whois, an aggravation in attempting to keep the system clean and not a nuisance to its neighbors.
As for whether you should hardcode IP ranges into pf.conf, that is your choice. pf(4) allows tables of IP addresses to be modified, see the following for more details: This assumes you are running OpenBSD 5.3.
Server Access
yep got it.
thanks
Server Access
A little feedback.....
Created a <table> for US IPs only in pf.conf (size approx 3.0M, Scheez!). Increased hard limits in pf.conf, watching the traffic! I think limiting traffic to US IPs only makes sense for "MY/OUR" situation. We will see after the logs start to grow..... pf handles this size table very quickly, no noticeable delays. PS: using Ver 5.0.
Last edited by frcc; 23rd June 2013 at 03:55 AM.
Note that OpenBSD 5.0 was released 1 November 2011, & no longer is officially supported as of the release of OpenBSD 5.2. The current release is OpenBSD 5.3 which was released 1 May 2013.
Some feedback for this post.
We have been filtering foreign IPs for approx (3) weeks. We are running (10) virtual hosts on Ver 5.3 + Apache (chrooted), all dealing with a simple service business spanning several counties in our state (no e-commerce, SQL, email, nada, simply text and pics). As a new administrator I didn't want to develop the websites all over again following a hack etc. To make it short and sweet, I have many very experienced friends and associates with far more formal and practical knowledge of web development and administration. I won't bore you with their stories. Suffice it to say, REASON # 1 why I use OpenBSD. Filtering foreign IPs (pf.conf) using <table> instantly filters approx 79-80% of traffic. The table being filtered is 3 meg, or about (who knows) how many IP addresses. You don't notice any lag in web speed. Since our business has absolutely no reason to cater to anyone outside our immediate countywide area it was a good move **[for us]** and especially me, as I can spend time learning OpenBSD instead of re-installing it. Thank you, OpenBSD developers!
Last edited by frcc; 12th August 2013 at 03:37 AM.
# pfctl -t mytable -T show | wc -l
If the entries include CIDR blocks, you'd have to do a little more work to count unique addresses.
server access
Looks like 169968 (US IPs) using pfctl -t mytable -T show | wc -l
So in pf.conf I coded to block all, but pass from that table (when filtering for p:80). I wonder if the number 169968 includes (all), because the list contains many entries with a "/"xx (yes, the entries DO include CIDR blocks, so yes there is much more). ----Comment----- I'm sure the developers don't need a thank you from me because I think they code OpenBSD for themselves first, with the rest of us riding along. I am sure some of them like to hear a "job well done" from the broader user community every now and then. Certainly when I purchase the next release CD they will indirectly. Thanks all.
The wc(1) program's -l option just counts lines of output. If you want to count addresses you will have to parse the CIDR addresses and convert them to address counts.
e.g.: 10.10.10.0/24 is 254 addressable devices, plus two reserved addresses for network and broadcast. 0.0.0.0/0 is 4,294,967,294 addresses plus the two reserved addresses.
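An added example (not from this thread) of the "little more work" described above: a Python script that parses `pfctl -t mytable -T show` output, sums the size of each CIDR entry, and collapses overlapping blocks so each address is counted once. The table output is a constructed sample, not a real country list.

```python
import ipaddress

# Constructed sample of `pfctl -t mytable -T show` output (not a real dump):
# pfctl prints one entry per line with leading spaces, overlapping entries
# may coexist, and a leading '!' marks a negated entry.
SAMPLE_TABLE_OUTPUT = """\
   10.10.10.0/24
   10.10.10.128/25
   192.0.2.17
   198.51.100.0/22
   !198.51.100.200
   2001:db8::/32
"""


def parse_table(text):
    """Split pfctl -T show output into (networks, negated_networks)."""
    networks, negated = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        bucket = negated if line.startswith("!") else networks
        # A bare address such as 192.0.2.17 parses as a /32 (or /128) network.
        bucket.append(ipaddress.ip_network(line.lstrip("!"), strict=False))
    return networks, negated


def naive_address_sum(networks):
    """Per-family sum of every entry's size; double-counts overlapping blocks."""
    totals = {4: 0, 6: 0}
    for net in networks:
        totals[net.version] += net.num_addresses
    return totals


def unique_address_count(networks):
    """Per-family count with overlaps collapsed, so each address counts once."""
    totals = {4: 0, 6: 0}
    for version in totals:
        family = [n for n in networks if n.version == version]
        for net in ipaddress.collapse_addresses(family):
            totals[version] += net.num_addresses
    return totals


if __name__ == "__main__":
    nets, neg = parse_table(SAMPLE_TABLE_OUTPUT)
    print(f"wc -l would report {len(SAMPLE_TABLE_OUTPUT.splitlines())} lines")
    print(f"IPv4: {naive_address_sum(nets)[4]} summed vs {unique_address_count(nets)[4]} unique")
    print(f"{len(neg)} negated entries left out (pf excludes them on lookup)")
```

Negated entries are only reported, not subtracted, because pf resolves them by longest match against the other entries and an exact accounting depends on how they nest.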
Yes, so that number is very much larger as almost all entries are CIDR.
thanks