
Adds support for an allow list to the rdns.regexp plugin.

1 parent 1c47630 commit 6c6f4f15b8618ca85d76d712c3646e1e40b91e0a @godsflaw godsflaw committed Aug 18, 2011
@@ -2,11 +2,26 @@ rdns.regexp
===========
This plugin checks the reverse-DNS against a list of regular expressions. Any
-matches will result in a rejection.
+matches will result in a rejection, unless there is an allow rule to
+balance off broad regexes.
+
+To give an example. Assume we add a rule to deny all hosts with dynamic
+in the rDNS hostname (.*dynamic.*). Now we find a mail server,
+generaldynamics.com that is clearly a false positive. We could try
+to correct the original regex (clearly it is a poorly written regex), or
+we could add an allow rule for generaldynamics.com (.*generaldynamics\.com$).
+This means that even though the dynamic block rule matches, it will be
+superseded by the allow rule for generaldynamics.com.
Configuration
-------------
* rdns.deny_regexps
- The list of regular expressions to apply.
+ The list of regular expressions to deny. Over broad regexes in this list
+ can be corrected by using the allow list.
+
+* rdns.allow_regexps
+
+ The list of regular expressions to allow. This list is always processed
+ in favor of rules in the deny file.
@@ -1,14 +1,25 @@
// check rdns against list of regexps
exports.hook_connect = function (next, connection) {
- var re_list = this.config.get('rdns.deny_regexps', 'list');
+ var deny_list = this.config.get('rdns.deny_regexps', 'list');
+ var allow_list = this.config.get('rdns.allow_regexps', 'list');
- for (var i=0,l=re_list.length; i < l; i++) {
- var re = new RegExp(re_list[i]);
+ for (var i=0,l=deny_list.length; i < l; i++) {
+ var re = new RegExp(deny_list[i]);
if (re.test(connection.remote_host)) {
- this.loginfo("rdns matched: " + re_list[i] + ", blocking");
+ for (var i=0,l=allow_list.length; i < l; i++) {
+ var re = new RegExp(allow_list[i]);
+ if (re.test(connection.remote_host)) {
+ this.loginfo("rdns matched: " + allow_list[i] +
+ ", allowing");
+ return next();
+ }
+ }
+
+ this.loginfo("rdns matched: " + deny_list[i] + ", blocking");
return next(DENY, "Connection from a known bad host");
}
}
+
return next();
};
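Review bot: The inner `for` over `allow_list` redeclares `i`, `l` and `re` with `var`, which is function-scoped in this file, so it overwrites the outer deny loop's counters; when no allow rule matches, `i` equals `allow_list.length` by the time the blocking `loginfo` runs, and `deny_list[i]` is logged as `undefined` (or as the wrong pattern) instead of the deny regex that actually fired. The `return next(DENY, ...)` right after the log hides the rest of the clobbering, but that log line is the only record an operator has of which deny rule rejected the connection, so the message should be correct. Giving the inner loop its own counters and regex variable, as below, keeps the outer state intact without changing the allow-over-deny decision. It is also worth confirming what `this.config.get(..., 'list')` returns when `rdns.allow_regexps` does not exist yet: if it can be something other than an empty array, `allow_list.length` would throw on the first deny match — the config loader is not on this page, so that is an inference to verify.
```javascript
for (var i=0,l=deny_list.length; i < l; i++) {
  var re = new RegExp(deny_list[i]);
  if (re.test(connection.remote_host)) {
    // separate counters so the outer i/l (used in the deny log below) stay valid
    for (var j=0,m=allow_list.length; j < m; j++) {
      var allow_re = new RegExp(allow_list[j]);
      if (allow_re.test(connection.remote_host)) {
        this.loginfo("rdns matched: " + allow_list[j] + ", allowing");
        return next();
      }
    }
    // … unchanged: blocking log and next(DENY, ...) …
  }
}
```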
