Re: [exim] IPTables Whitelisting

Author: Marc Perkel
Date:  
To: Mike Cardwell
CC: exim-users
Subject: Re: [exim] IPTables Whitelisting


Mike Cardwell wrote:
> * on the Tue, May 01, 2007 at 05:53:45AM +0100, Peter Bowyer wrote:
>
>
>>> "man iptables" and look for QUEUE. Then go to cpan.org and look at
>>> IPTables::IPv4::IPQueue. This will allow you to knock up a user space
>>> perl script to decide what to do with packets by talking to your db in
>>> real time.
>>>
>> Ah, now I looked into this a while back when Marc first talked about
>> this technique. I investigated this method of controlling IPTables and
>> came to the conclusion that it wouldn't do the job - once a packet has
>> arrived in the userspace queue it's already been accepted - all you
>> can do with it is drop it or carry on processing it, you can't reject
>> it. You can't simulate 'nothing listening on this port'. So it's not
>> suitable for the application Marc wants it for.
>>
>> At least, that's how I read the documentation. I have been known to be
>> wrong (yes, really...).
>>
>
> You look to be correct. But, while dropping the packet isn't ideal, the
> overall outcome of doing that in this case is still the same as doing a
> reject surely?
>
> Mike
>


If everyone played by the rules then I could simply return a 421 on the
lowest MX but the problem is with QMail. By default QMail assumes that
if you return a 421 on your lowest MX then all your
servers will return 421 and it doesn't retry on the higher numbered MX.
Only if the connection is dead will it try higher MX servers. I've been
on their discussion list and they actually defend it as normal.

I'm experimenting with this now, basically generating a text file of IP
addresses and running a cron job once an hour to update the tables. I'm
scream testing it now.
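An added example (not code from anyone in this thread) of the cron-driven approach Marc describes: a POSIX shell script that turns a text file of IP addresses into an iptables ruleset for tcp/25, validating every entry before it is used so a bad line in the list cannot become an arbitrary iptables argument. The file path, chain name and sample addresses are assumptions.

```shell
#!/bin/sh
# Assumed defaults; override from the cron entry if needed.
WHITELIST="${WHITELIST:-/etc/exim/mx-whitelist.txt}"
CHAIN="${CHAIN:-MX_WHITELIST}"

# Accept only a dotted-quad IPv4 address with an optional /prefix.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    ip=${1%%/*}
    for o in $(printf '%s\n' "$ip" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
    pfx=${1#*/}
    [ "$pfx" = "$1" ] || [ "$pfx" -le 32 ]
}

# Emit an iptables-restore fragment: listed sources may reach tcp/25,
# everything else hitting the chain is dropped (the thread's "nothing
# listening" effect). Invalid lines are reported on stderr and skipped.
gen_rules() {
    echo "*filter"
    echo ":$CHAIN - [0:0]"            # declares the chain, created if missing
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}              # strip trailing comments
        line=$(printf '%s' "$line" | tr -d '[:space:]')
        [ -z "$line" ] && continue
        if valid_ipv4 "$line"; then
            echo "-A $CHAIN -s $line -p tcp --dport 25 -j ACCEPT"
        else
            echo "skipping bad entry: $line" >&2
        fi
    done < "$1"
    echo "-A $CHAIN -p tcp --dport 25 -j DROP"
    echo "COMMIT"
}

# Hourly cron entry point: rebuild the chain and make sure INPUT jumps to it.
apply_rules() {
    iptables -N "$CHAIN" 2>/dev/null; iptables -F "$CHAIN"
    gen_rules "$WHITELIST" | iptables-restore -n || return 1   # -n: leave other chains alone
    iptables -C INPUT -p tcp --dport 25 -j "$CHAIN" 2>/dev/null \
        || iptables -I INPUT -p tcp --dport 25 -j "$CHAIN"
}

# Constructed sample list (documentation addresses, not real MX hosts).
sample_whitelist() {
    f=$(mktemp)
    printf '%s\n' '192.0.2.10   # partner MX' '198.51.100.0/24' '256.1.1.1' 'not-an-ip' '' > "$f"
    echo "$f"
}
```

Run `gen_rules /path/to/list` by hand first to review the generated fragment; only `apply_rules` touches the live tables.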