Re: Country by Country ISA Computer Sets

From: The Fungi <>
Subject: Re: Country by Country ISA Computer Sets

On Mon, Jan 14, 2008 at 02:20:50PM -0800, Thor (Hammer of God) wrote:
> First thing I found out was that if one does decide to block
> entire countries, that it's going to be a bit of work from a rule
> standpoint.

Not at all, if you have the ability to integrate DNS lookups into
your filtering process (coupled with a DNS cache running locally on
the firewall, this should not be particularly demanding on your
resources). This problem has already been solved by people wanting
to weight scores for incoming E-mail from mailservers in different
geographic regions. One of the more popular free geographic DNS
lookup services is described at (and
Jacobsen makes updated versions of his DNS zone data available for
download in case you want to host your own copy instead of relying
on someone else's nameservers).

> Sure, if I wanted to block all of China I could block APNIC, but
> that would block WAY more than I would want.

In my professional life, I see frequent requests of this nature from
customers in western/English-speaking countries. My immediate
response is, "you *are* aware that Australia and New Zealand are
part of APNIC, right?"
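The approach the reply sketches, a per-address DNS lookup against a geographic zone, a local cache so repeat sources are not re-queried, and a per-country weight table of the kind mail filters use, as an added example. This is not code from the post or from any real geo-DNS service: the zone name `geo.example`, the answer encoding, the country table and the sample addresses are all constructed assumptions, and the resolver is injected so it runs offline. It also shows the point about APNIC: because the decision is made per country, an AU or NZ source scores zero where a region-wide block would have caught it.

```python
"""Geographic scoring of source addresses via a DNS lookup zone with a local cache.
Added example, not code from the original post. Zone name, answer encoding and
sample data are assumptions; the resolver is injected so this runs offline."""
import ipaddress
from typing import Callable, Dict, Optional, Tuple

# Constructed encoding (assumption): the zone answers 127.0.0.<n>, where n maps
# to a country code via this table. Real services use their own encodings.
COUNTRY_BY_ANSWER_CODE: Dict[int, str] = {1: "US", 2: "CN", 3: "AU", 4: "NZ"}

GEO_ZONE = "geo.example"  # hypothetical zone name, not a real service


def geo_query_name(ip: str, zone: str = GEO_ZONE) -> str:
    """DNSBL-style name: IPv4 octets reversed, then the zone suffix."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


class GeoLookup:
    """Country lookup over a geo DNS zone with a local positive/negative cache,
    standing in for the on-firewall DNS cache mentioned in the reply."""

    def __init__(self, resolve: Callable[[str], Optional[str]], zone: str = GEO_ZONE):
        self._resolve = resolve        # injected so the example runs offline
        self._zone = zone
        self._cache: Dict[str, Optional[str]] = {}
        self.resolver_calls = 0        # counts real lookups, to show the cache working

    def country(self, ip: str) -> Optional[str]:
        if ip in self._cache:
            return self._cache[ip]
        self.resolver_calls += 1
        answer = self._resolve(geo_query_name(ip, self._zone))
        cc = None
        if answer is not None:
            cc = COUNTRY_BY_ANSWER_CODE.get(int(answer.rsplit(".", 1)[-1]))
        self._cache[ip] = cc           # cache misses too, so NXDOMAIN is not re-queried
        return cc


def score_source(ip: str, geo: GeoLookup, weights: Dict[str, int],
                 unknown_weight: int = 1) -> Tuple[Optional[str], int]:
    """Return (country, score) from a per-country weight table, as in the
    mail-scoring use case; unmapped sources get a modest default weight."""
    cc = geo.country(ip)
    if cc is None:
        return None, unknown_weight
    return cc, weights.get(cc, 0)


# Constructed sample zone: query name -> A-record answer. The IPs come from
# documentation ranges and the country assignments are invented for the demo.
CONSTRUCTED_ZONE = {
    geo_query_name("192.0.2.10"): "127.0.0.1",     # "US"
    geo_query_name("198.51.100.7"): "127.0.0.2",   # "CN"
    geo_query_name("203.0.113.5"): "127.0.0.3",    # "AU"
}


def fake_resolve(name: str) -> Optional[str]:
    """Stand-in for a real resolver; None where a real one would return NXDOMAIN."""
    return CONSTRUCTED_ZONE.get(name)


# Policy: weight only the countries you actually mean to weight. The decision
# is per country, so an AU or NZ source scores 0 even though a block on the
# whole APNIC region would have swept it up.
WEIGHTS = {"CN": 5, "US": 0, "AU": 0, "NZ": 0}


def evaluate(ips, geo: GeoLookup, threshold: int = 5):
    """Score each source and decide block/allow against a threshold."""
    results = {}
    for ip in ips:
        cc, s = score_source(ip, geo, WEIGHTS)
        results[ip] = (cc, s, "block" if s >= threshold else "allow")
    return results


if __name__ == "__main__":
    geo = GeoLookup(fake_resolve)
    sample = ["192.0.2.10", "198.51.100.7", "203.0.113.5", "203.0.113.5", "192.0.2.200"]
    for ip, (cc, s, action) in evaluate(sample, geo).items():
        print(f"{ip:15} country={cc} score={s} -> {action}")
    print("resolver calls:", geo.resolver_calls)  # 4: the repeated AU address hit the cache
```

Swapping `fake_resolve` for a real resolver call against whichever zone you host or subscribe to is the only change needed to use this in a filter; keeping the cache on the filtering host is what makes the per-connection lookup cheap, as the reply notes.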
