I have to disagree with the last post.  You should most certainly block some 
inbound traffic.  You should block ports you aren't using.  If some ip addr. or 
particular provider has a customer trying to break your machine you want to 
block the whole ISP unless you are serving pages etc.  You should block the 
router solicitation and block any other routers advertising them.  I usually 
also block ping both ways.  Every major program is full of bugs; you want to 
try to limit the access of others to the least amount possible consistent with 
the net software you are running.  

Long ago I had all of China blocked, because I wasn't visiting sites there and 
it was where most of the attacks came from.  When you have a "slow" or very 
busy connection to the net the incursion attempts.  

While not security related directly, I also like to ban the ip addr of ad bots; 
I suspect that when they change their domain name or buy a new one, the 
ad company doesn't get a new ip addr range.  These are the servers that are most 
overloaded and slowest, slowing down page loads.  You could even consider that 
this slowness from ad servers produces a DoS, assuming you don't want the 
information and didn't ask for it.  Now I just try to block the obnoxious 
advertisers, the people who at 3 AM will shove audio at you that's louder than 
the music you were/are playing.   
--
"Informed delivery" is just an excuse for the post office to compile 
databases for sale to marketing firms and those even less reputable; it is a gross 
abuse of the postal system's special access to our lives.


4. Oct 2017 10:13 by flop...@gentoo.org:


> On Wed, Oct 4, 2017 at 1:28 AM, Walter Dnes <waltd...@waltdnes.org> wrote:
>>   I have some doubts about massive "hosts" files for adblocking.  I
>> downloaded one that listed 13,148 sites.  I fed them through a script
>> that called "host" for each entry, and saved the output to a text file.
>> The result was 1,059 addresses.  Note that some adservers have multiple
>> IP address entries for the same name.  A back-of-the-envelope analysis
>> is that close to 95% of the entries in the large host file are invalid,
>> and return "not found: 3(NXDOMAIN)".
>>
>>   I'm not here to trash the people compiling the lists; the problem is
>> that hosts files are the wrong tool for the job.  Advertisers know about
>> hosts files and deliberately generate random subdomain names with short
>> lifetimes to invalidate the hosts files.  Every week the sites are
>> probably mostly renamed.  Further analysis of the 1,059 addresses shows
>> 810 unique entries, i.e. 249 duplicates.  It gets even better.  44
>> addresses show up in 52.84.146.xxx; I should probably block the entire
>> /24 with one entry.  There are multiple similar occurrences, which could
>> be aggregated into small CIDRs.  So the number of blocking rules is
>> greatly reduced.
>>
>>   I'm not a deep networking expert.  My question is whether I'm better
>> off adding iptables reject/drop rules or "reject routes", e.g...
>>
>> route add -net 10.0.0.0 netmask 255.0.0.0 metric 1024 reject
>>
>> (an example from the "route" man page).  iptables rules have to be
>> duplicated coming and going to catch inbound and outbound traffic.  A
>> reject route only needs to be entered once.  This exercise is intended
>> to block web adservers, so another question is how web browsers react to
>> route versus iptables blocking.
>
> Using the routing table feels dirty.
>
> I don't see any reason to create "inbound" (INPUT) iptables rules. You
> really only care about rejecting the initial outbound request to the
> web server.
>
> If this is for a single host with iptables running locally, add rules
> to the OUTPUT chain. If this is on a router, add them to the FORWARD
> chain.
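Walter's dedup-and-aggregate analysis and the OUTPUT/FORWARD-chain suggestion above, as an added example that is not code from either poster: it takes the "name address" output a `host` script would produce (constructed sample values here, not resolutions of any real list), drops duplicates, collapses addresses that share a /24 into one CIDR when at least a threshold number of them do (threshold is my assumption), and emits one iptables REJECT rule per resulting network.

```python
import ipaddress
from collections import defaultdict

# Constructed sample, imitating "host" output saved as "name address" lines.
# These are made-up addresses in documentation ranges, not a real adserver list.
RESOLVED = """
ads1.example 52.84.146.10
ads2.example 52.84.146.77
ads3.example 52.84.146.10
cdn.example 52.84.146.200
tracker.example 198.51.100.5
beacon.example 198.51.100.5
pixel.example 203.0.113.9
""".strip().splitlines()


def parse_addresses(lines):
    """Return the unique IP addresses from 'name address' lines; duplicates are dropped."""
    seen = set()
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            seen.add(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue  # e.g. an NXDOMAIN line with no address; skip it
    return sorted(seen)


def aggregate(addresses, prefix=24, threshold=3):
    """Collapse addresses into one /prefix block when at least `threshold` share it;
    the rest stay as single-host (/32) entries. Returns networks sorted by address."""
    by_block = defaultdict(list)
    for addr in addresses:
        by_block[ipaddress.ip_network(f"{addr}/{prefix}", strict=False)].append(addr)
    nets = []
    for block, members in by_block.items():
        if len(members) >= threshold:
            nets.append(block)
        else:
            nets.extend(ipaddress.ip_network(f"{a}/32") for a in members)
    return sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))


def iptables_rules(networks, chain="OUTPUT"):
    """One REJECT rule per network. OUTPUT is for a single host; use FORWARD on a router."""
    return [f"iptables -A {chain} -d {n.with_prefixlen} -j REJECT" for n in networks]


if __name__ == "__main__":
    for rule in iptables_rules(aggregate(parse_addresses(RESOLVED))):
        print(rule)
```

With the sample input the seven names resolve to five unique addresses, three of which share 52.84.146.0/24 and so become one rule.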
