On Mon, 17 Apr 2017, suse@a-domani.nl wrote:
suse@a-domani.nl wrote:
In my firewall I examine all unexpected traffic, therefore I end added lines for all existing countries, like:
Hi Hans, Wouldn't it be simpler to specify the countries you are willing to accept and block all other traffic without specifying the country?
Does that mean there are "other countries", or that there are subnets not defined within the package xtables-geoip-2016.09-71.2.noarch.rpm?
...
On 2017-04-12 18:34, Per Jessen wrote:
Yes, that is due to incorrect or missing whois information for the subnets involved. Or that wherever xtables gets the information is flawed or outdated.
The subnets change all the time. To get up-to-date data you need to go to a subscription service. A 2016 rpm which may have been using 6 month old data is way out of date.
As no-one else responded, it seems that this knowledge is not widespread (one way of looking at it :-) But is this something that (end-)users could/should take care of?
It seems to me that geoip is re-inventing the wheel. Blocking country CC by subnet is best done by taking country subnet specifications from say ipverse.net/ipblocks/data/countries/CC.zone and loading them into hash:net ipsets. Performance is O(1). Can geoip do better?

Note that if you modify SuSEfirewall2 you are going outside what opensuse supports. You are on your own.

Roger
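The approach described in the message above, as an added example that is not part of the original thread: a shell function that turns a country zone file into `ipset restore` input for a hash:net set, building a temporary set and swapping it in so the live set is never empty during a reload. The set name `cc-block`, the function names, the sample networks and the assumed zone format (one IPv4 CIDR per line, `#` comments) are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Typical use (as root; set name "cc-block" is hypothetical):
#   zone_to_restore cc-block < CC.zone | ipset -exist restore
#   iptables -I INPUT -m set --match-set cc-block src -j DROP

# zone_to_restore SETNAME  (zone data on stdin, restore commands on stdout)
zone_to_restore() {
    set_name=$1
    tmp_name="${set_name}-new"
    # With "ipset -exist restore", creating an existing set is not an error.
    printf 'create %s hash:net family inet\n' "$set_name"
    printf 'create %s hash:net family inet\n' "$tmp_name"
    printf 'flush %s\n' "$tmp_name"
    # Keep only well-formed IPv4 CIDR entries: strip comments, whitespace
    # and CRs, then range-check each octet and the prefix length
    # (hash:net accepts prefix lengths 1-32).
    awk -v s="$tmp_name" '
        { sub(/#.*/, ""); gsub(/[ \t\r]/, "") }
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ {
            split($0, p, "[./]")
            if (p[1] <= 255 && p[2] <= 255 && p[3] <= 255 &&
                p[4] <= 255 && p[5] >= 1 && p[5] <= 32)
                print "add " s " " $0
        }'
    # Atomic replacement: the firewall rule keeps matching the old contents
    # until the swap, then the temporary set is removed.
    printf 'swap %s %s\n' "$tmp_name" "$set_name"
    printf 'destroy %s\n' "$tmp_name"
}

# Constructed sample zone data (documentation ranges plus malformed lines).
sample_zone() {
    printf '%s\n' '# constructed sample' '192.0.2.0/24' '' \
        '198.51.100.0/24' '300.1.2.0/24' '10.0.0.0/33' \
        'not-a-net' '203.0.113.0/24 # trailing note'
}

# Show the restore input generated from the sample data.
sample_zone | zone_to_restore cc-block
```

Because malformed lines are dropped before they reach `ipset`, a truncated or tampered download cannot abort the restore halfway; an empty result still swaps in an empty set, so check the number of `add` lines before piping into `ipset` on a live firewall.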