Bugtraq mailing list archives

Re: Country by Country ISA Computer Sets


From: The Fungi <fungi () yuggoth org>
Date: Thu, 17 Jan 2008 18:01:35 +0000

On Mon, Jan 14, 2008 at 02:20:50PM -0800, Thor (Hammer of God) wrote:
> [...]
> First thing I found out was that if one does decide to block
> entire countries, that it's going to be a bit of work from a rule
> standpoint.

Not at all, if you have the ability to integrate DNS lookups into
your filtering process (coupled with a DNS cache running locally on
the firewall, this should not be particularly demanding on your
resources). This problem has already been solved by people wanting
to weight scores for incoming E-mail from mailservers in different
geographic regions. One of the more popular free geographic DNS
lookup services is described at http://countries.nerd.dk/ (and
Jacobsen makes updated versions of his DNS zone data available for
download in case you want to host your own copy instead of relying
on someone else's nameservers).

> Sure, if I wanted to block all of China I could block APNIC, but
> that would block WAY more than I would want.
> [...]

In my professional life, I see frequent requests of this nature from
customers in western/English-speaking countries. My immediate
response is, "you *are* aware that Australia and New Zealand are
part of APNIC, right?"
-- 
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP(fungi () yuggoth org); IRC(fungi () irc yuggoth org#ccl); ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fungi () yuggoth org);
MUD(fungi () katarsis mudpy org:6669); WWW(http://fungi.yuggoth.org/); }
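
The DNS-based approach Jeremy describes, as an added example that is not code from the post above or from countries.nerd.dk. It assumes the zone's published convention as I understand it (not verified here): an A query for the reversed IPv4 octets under zz.countries.nerd.dk answers 127.0.X.Y, where X*256+Y is the ISO 3166-1 numeric country code, and NXDOMAIN when the address has no mapping. The resolver is a stub fed with constructed answers (RFC 5737 documentation addresses with arbitrary countries) so it runs offline; the ZONE name, the small ISO 3166 table and the CountryFilter class are mine. The filter decides per country rather than per registry, which is exactly why blocking "APNIC" and blocking "CN" give different answers for an Australian address, and it makes the fail-open/fail-closed choice for unmapped addresses explicit.

```python
"""Country-based filtering via a countries.nerd.dk-style DNS lookup.

Added example; it is not code from the post above or from countries.nerd.dk.
Assumed convention (the zone's published one as I understand it, not verified
here): an A query for the reversed IPv4 octets under zz.countries.nerd.dk
answers 127.0.X.Y where X*256+Y is the ISO 3166-1 numeric country code, and
NXDOMAIN when the address has no country mapping.  The resolver is a stub fed
with constructed answers so this runs offline; point it at a local caching
nameserver (socket or dnspython) for real use.
"""
import ipaddress
from typing import Callable, Dict, Optional, Set

ZONE = "zz.countries.nerd.dk"

# ISO 3166-1 numeric -> alpha-2 for the few countries used below (constructed subset).
ISO3166_NUMERIC = {36: "AU", 156: "CN", 208: "DK", 554: "NZ", 840: "US"}


def query_name(ip: str) -> str:
    """Reverse the octets: 1.2.3.4 -> 4.3.2.1.zz.countries.nerd.dk (IPv4 only)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("the assumed zone convention covers IPv4 only")
    return ".".join(str(b) for b in reversed(addr.packed)) + "." + ZONE


def decode_answer(a_record: str) -> int:
    """Turn 127.0.X.Y into the numeric country code X*256+Y; reject anything else."""
    octets = [int(o) for o in a_record.split(".")]
    if len(octets) != 4 or octets[:2] != [127, 0]:
        raise ValueError(f"unexpected answer {a_record!r}")
    return octets[2] * 256 + octets[3]


# Constructed answers keyed by query name; addresses are RFC 5737 documentation
# ranges and their countries are arbitrary.  A missing key stands for NXDOMAIN.
STUB_ANSWERS: Dict[str, str] = {
    query_name("192.0.2.10"): "127.0.3.72",     # 3*256+72 = 840 -> US
    query_name("198.51.100.7"): "127.0.0.156",  # 156 -> CN
    query_name("203.0.113.5"): "127.0.0.36",    # 36  -> AU (in APNIC, not China)
    query_name("203.0.113.9"): "127.0.2.42",    # 2*256+42 = 554 -> NZ
}


def stub_resolve(name: str) -> Optional[str]:
    """Stand-in for a real resolver: the A record, or None on NXDOMAIN."""
    return STUB_ANSWERS.get(name)


def country_of(ip: str, resolve: Callable[[str], Optional[str]] = stub_resolve) -> Optional[str]:
    """alpha-2 code for ip, '#NNN' for a code outside our table, None if unmapped."""
    answer = resolve(query_name(ip))
    if answer is None:
        return None
    code = decode_answer(answer)
    return ISO3166_NUMERIC.get(code, f"#{code}")


class CountryFilter:
    """ACCEPT/DROP by country rather than by RIR block, with an explicit
    policy for addresses the zone cannot place (fail-open by default)."""

    def __init__(self, blocked: Set[str], resolve=stub_resolve, block_unknown: bool = False):
        self.blocked = {c.upper() for c in blocked}
        self.resolve = resolve
        self.block_unknown = block_unknown
        self._cache: Dict[str, Optional[str]] = {}  # per-address memo, like a local caching resolver

    def country(self, ip: str) -> Optional[str]:
        if ip not in self._cache:
            self._cache[ip] = country_of(ip, self.resolve)
        return self._cache[ip]

    def decision(self, ip: str) -> str:
        cc = self.country(ip)
        if cc is None:
            return "DROP" if self.block_unknown else "ACCEPT"
        return "DROP" if cc in self.blocked else "ACCEPT"


if __name__ == "__main__":
    fw = CountryFilter(blocked={"CN"})
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "203.0.113.9", "192.0.2.200"):
        print(f"{ip:<14} {fw.country(ip) or '-':<4} {fw.decision(ip)}")
```

Two things to decide before wiring this into a real filter: what to do when the lookup fails or returns NXDOMAIN (block_unknown above; the text's local caching resolver reduces the chance of timeouts but does not eliminate them), and whether to trust a third party's nameservers at all on the packet path, which is the reason the post mentions hosting a copy of the zone yourself.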

