"Michael Orlitzky" <mich...@orlitzky.com> wrote:
>On 09/24/10 10:41, Stan Hoeppner wrote:
>> Sahil Tandon put forth on 9/24/2010 7:12 AM:
>>> On Fri, 2010-09-24 at 05:31:15 -0500, Stan Hoeppner wrote:
>>>
>>>> Michael Orlitzky put forth on 9/23/2010 8:37 PM:
>>>>
>>>>> # sutton-partners.com
>>>>> /^64\.191\.79\.245$/ public_rbls
>>>>>
>>>>> # mabel.ca
>>>>> /^70\.38\.108\.42$/ public_rbls
>>>>>
>>>>> # dsnews.com
>>>>> /^209\.172\.40\.21[157]$/ public_rbls
>>>>
>>>> Should the caret and dollar be there? I just did some tests with
>>>>
>>>> unknown[64.191.79.245]
>>>> sutton-partners.com[64.191.79.245]
>>>
>>> These aren't the input strings. See access(5) ...
>>
>> "REGULAR EXPRESSION TABLES
>> ...Depending on the application, that string is an entire client
>> hostname, an entire client IP address, or an entire mail address."
>>
>> The application check_client_access does both hostname and IP address
>> lookups. So is the pcre table queried twice in this case, once for
>> hostname and once for IP address?
>>
>
>It would be if the hostname 'unknown' doesn't match something. You can
>actually see the order that the queries get sent to the map if you turn
>on debug logging (it's not just for getting yelled at on the ML!).
>
>The biggest problem I would have with keeping the regular expression map
>is that, since the hostname is checked first, someone could switch his
>hostname to 64.191.79.245.example.com and bypass my blacklist check. I
>might be able to do it with a more complicated regex, but why?

The catch-all I suggested earlier would still be safe.

  -- Noel Jones

>
>Anyway -- thanks everyone for the help -- I switched to a CIDR map last
>night and it's working correctly today.
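
The lookup behaviour discussed in this thread, as an added example that is not part of the original messages and is not Postfix code: a simplified model in which the hostname is queried first and the address second, comparing an unanchored regexp table, the anchored one quoted above, and a CIDR table. The function names, the unanchored table, the CIDR entries and the sample clients are constructed for illustration.

```python
import ipaddress
import re

# Constructed tables modelled on the thread's entries; "public_rbls" is the
# restriction class named in the quoted map.
ANCHORED = [(r"^64\.191\.79\.245$", "public_rbls")]
UNANCHORED = [(r"64\.191\.79\.245", "public_rbls")]
CIDR = [("64.191.79.245/32", "public_rbls"), ("70.38.108.42/32", "public_rbls")]


def regexp_lookup(table, key):
    """regexp/pcre style: the first pattern found anywhere in the key wins."""
    for pattern, action in table:
        if re.search(pattern, key):
            return action
    return None


def cidr_lookup(table, key):
    """CIDR style: only keys that parse as IP addresses can match."""
    try:
        addr = ipaddress.ip_address(key)
    except ValueError:
        return None  # a hostname never matches a network entry
    for net, action in table:
        if addr in ipaddress.ip_network(net):
            return action
    return None


def client_access(lookup, table, hostname, address):
    """Simplified model of the order described in the thread: hostname first,
    then address. Returns (key_that_matched, action) or (None, None)."""
    for key in (hostname, address):
        action = lookup(table, key)
        if action is not None:
            return key, action
    return None, None


if __name__ == "__main__":
    # Constructed clients: the listed address, and an unrelated address
    # (TEST-NET-3) whose hostname merely embeds the listed address.
    clients = [("unknown", "64.191.79.245"),
               ("64.191.79.245.example.com", "203.0.113.9")]
    for host, ip in clients:
        print(host, ip,
              client_access(regexp_lookup, UNANCHORED, host, ip),
              client_access(regexp_lookup, ANCHORED, host, ip),
              client_access(cidr_lookup, CIDR, host, ip))
```

Only the unanchored table lets a client-controlled hostname decide the result; the anchored patterns and the CIDR table key the decision on the connecting address.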