network alias blocks more than defined
-
@johnpoz
okay
thanks I attach the file.
@SteveITS yes, my own mailserver which is very secure. The IPs are blocked on firewall....
thanks!
Stefan
1_badguys_most_china_assholes.txt -
@johnpoz in the attached file: china is beginning with inetnum in description
Thanks Stefan
-
@nopanic and which specific IP is being blocked and logged that you feel is wrong?
-
@johnpoz ex. the mailinglist server of debian:
;; ANSWER SECTION:
bendel.debian.org. 600 IN A 82.195.75.100
thanks
Stefan -
@nopanic that is in your log? that 82.195.75.100 IP - just because that is what the A record and dns shows - doesn't mean that is the IP that is actually sending email - please show the log where a specific IP was blocked.
there is no 82.x in that alias list you posted.
example: here are some IPs that were blocked by different rules I have with aliases
Also notice that not allowed rule is a ! rule, so the stuff it blocks would be IPs that are NOT listed in the alias/table
edit2: dude - this entry would block that
64.0.0.0/2
Which would be this huge range that 82.x falls into
64.0.0.0 - 127.255.255.255
That for sure can not be correct..
You also have a 128.0.0.0/2 which is also huge
128.0.0.0 - 191.255.255.255
I think something went wrong why does the 64/2 show this for text?
64.0.0.0/2 inetnum: 58.56.0.0 - 58.59.127.255 netname:
These don't seem correct for sure
edit3: just a quick scan, and you have lots of them in there that are way too big for what the text says it should be blocking
27.115.0.0/17 inetnum: 27.115.5.0 - 27.115.5.7 netname:
that /17 would block all ips between 27.115.0.0 - 27.115.127.255, not just what the text says 27.115.5.0 - 27.115.5.7
edit4: another one that is just huge compared to the text
36.192.0.0/11 inetnum: 36.212.0.0 - 36.215.255.255 netname:
36.192/11 would block 36.192.0.0 - 36.223.255.255, not that 36.212-215 range. If you wanted to block 36.212 to 36.215 that would be a 36.212.0.0/14 mask. not a 36.192/11
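Added example, not part of the original thread: a Python check that compares each alias entry's CIDR with the inetnum range in its description and lists the exact CIDRs for that range. The sample input is constructed from the three entries quoted above; the function names and the assumed line layout (`CIDR inetnum: first - last`) are illustrative.

```python
import ipaddress
import re

# Constructed sample: the three alias entries quoted in the thread.
ALIAS_LINES = """\
64.0.0.0/2 inetnum: 58.56.0.0 - 58.59.127.255 netname:
27.115.0.0/17 inetnum: 27.115.5.0 - 27.115.5.7 netname:
36.192.0.0/11 inetnum: 36.212.0.0 - 36.215.255.255 netname:
"""

# Assumed layout: "<cidr> inetnum: <first> - <last> ..."
LINE_RE = re.compile(r"^(\S+)\s+inetnum:\s*(\S+)\s*-\s*(\S+)")


def audit_line(line):
    """Compare the CIDR on one alias line with its whois inetnum range."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    net = ipaddress.ip_network(m.group(1), strict=False)
    first = ipaddress.ip_address(m.group(2))
    last = ipaddress.ip_address(m.group(3))
    lo, hi = int(net.network_address), int(net.broadcast_address)
    wanted = int(last) - int(first) + 1
    # Addresses that are both in the CIDR and in the intended range.
    overlap = max(0, min(hi, int(last)) - max(lo, int(first)) + 1)
    return {
        "entry": str(net),
        "overblocked": net.num_addresses - overlap,  # blocked but outside range
        "missed": wanted - overlap,                  # in range but not blocked
        # Smallest set of CIDRs that covers exactly first..last.
        "exact_cidrs": [str(n) for n in
                        ipaddress.summarize_address_range(first, last)],
    }


def audit(text):
    """Audit every parsable line of an alias file's text."""
    return [r for r in map(audit_line, text.splitlines()) if r]


if __name__ == "__main__":
    for r in audit(ALIAS_LINES):
        print(f"{r['entry']}: overblocks {r['overblocked']} addresses, "
              f"misses {r['missed']}; use {', '.join(r['exact_cidrs'])}")
```

Any entry with a non-zero `overblocked` or `missed` count does not match its description and should be replaced by the listed `exact_cidrs`.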
-
@johnpoz ahh okay thanks!!!
I attach the screenshot of the block:
-
I get the inetnum from whois. ipcalc deaggregates some nets so I have the same description ....
tia
Stefan -
@nopanic 10.x.x.x is a private IP range...?
-
@nopanic you might want to start over - there is a lot of wrong stuff in there for sure
8.0.0.0/8 net 8 Alibaba Cloud
Not sure how that is Alibaba Cloud, the 8/8 is owned by multiple different companies.
NetRange: 8.0.0.0 - 8.8.3.255 CIDR: 8.0.0.0/13, 8.8.0.0/22 Organization: Level 3 Parent, LLC (LPL-141)
I show
inetnum: 8.128.0.0 - 8.159.255.255 netname: ALICLOUD
So you can not block 8/8 without blocking a whole bunch of stuff you prob don't want to block.
edit: If you are wanting to block whole countries, etc. you might want to look into pfblocker as someone else mentioned.. It allows you to create aliases based on countries - so you could block china and korea, etc. etc..
-
@nopanic however you're creating these netblocks - you're blocking way more than just the netblock of the bad guy.. I mean that 64.0.0.0/2 is a HUGE amount of addresses - HUGE!!
-
@johnpoz super!
you helped me a lot.
I will have a look at pfblocker and I will check the alias again.
Thanks for help!
Stefan