Blocking non-icelandic traffic

Since IOS 12.4(20)T the object-group network command has been introduced outside of the ASA family.

And since rix.is holds out a list of icelandic subnets i got the idea to open access to various services only to icelanders :)

The idea isn't new but i hope the scripts i created with the help of my dear friend Jón Rúnar will help someone out there.

What we have is very basic stuff, we have a shell script run by cron on a CentOS box that executes wget to grab the list from RIX, a python script to edit the text file so that an ASA/Cisco IOS can use the list, and then an expect script to update the list on the device.

bash script

here we have two branches depending on your platform:

edit the subnet list from RIX for ASA input
expect script for ASA

edit the subnet list from RIX for Cisco IOS input
expect script for Cisco IOS

I'll explain the scripts and such better in a later edit :)

Comments

Post a Comment

Popular posts from this blog

Lægra ping innlendrar umferðar á OpenVPN.is tengingu!

Hér á eftir fylgir scripta sem tryggir að öll innlennd netumferð fari beint út gegnum ISP'ann ykkar í stað þess að taka krókaleið gegnum tunnel netsamskipta/openvpn.is UnZippa í My Documents: https://dl.dropbox.com/u/66544/is-net-routes.zip Keyra í run (windows takkinn+R): schtasks /create /ru %username% /tn is-net-routes /xml %userprofile%\Documents\is-net-routes\is-net-routes.xml Þetta virkar á windows 7 x64 professional. Ef schtasks skipunin virkar ekki á ykkar vél þá dugar að búa sjálfir til scheduled task sem keyrir við logon notanda og framkvæmir þessar aðgerðir í röð: powershell.exe -command {$client = new-object System.Net.WebClient;$client.DownloadFile('http://www.rix.is/is-net.txt',$env:temp+'\is-net.txt')} %userprofile%\Documents\is-net-routes\is-net-routes.bat Ef allt gengur vel mæli ég með að breyta nafnaþjónunum sem uppsettir eru á tunnel adapter OpenVPN.is yfir í nafnaþjóna ykkar ISP Hægt er t.d. að sjá með tracert mbl.is eftir uppse...
Read more

Umbraco Dictionary Key Performance

I've re cently had the task of optimizing a clients website. On my tour of the site i noticed an instance where 20-30 dictionary keys are requested in succession for a single view. I decided to do some performance testing and find out how quickly the action is performed before and after caching. I made 25 keys in the backoffice with naming following this scheme "key0", "key1" and so on. controller action: public   string  Get() {      StringBuilder  sb  =   new   StringBuilder ();      var  timer  =   new   Stopwatch ();     timer . Start();      for  ( var  x  =   0 ; x  <   25 ; x ++ )         Umbraco . GetDictionaryValue( "key"   +  x);     timer . Stop();      return  timer . ElapsedMilliseconds...
Read more

New links, new version and additions

Alright, so it seems inetpro.org is down atm and i'm not even sure they still have my scripts hosted so here are new links, new version and additions to my python network management scripts. I'm now using the excellent pexpect in most of them which you can grab from here: http://sourceforge.net/projects/pexpect/ rix.is ip filter: Edit the list from rix.is for an ASA object-group http://dl.getdropbox.com/u/66544/scripts/edit-rix-ipv4-is.py Send the edited list to the ASA http://dl.getdropbox.com/u/66544/scripts/update-ASA.py Icelandic whitelisting, much fun ;) the script that started the blog, still brilliant :D Configuration Downloader: http://dl.getdropbox.com/u/66544/scripts/dl-config.py In addition to the dl-config.py script you will need a settings file declaring the tftp host (ASA/PIX don't support scp afaik) and some other variables mentioned in the dl-config.py file itself. You will need a new-line delimited device list flat file (hostnames/ip addresses, pa...
Read more