2004-10-03

You gotta fight for your right to filter

A packet filter filters packets: the experts all say there isn't much more to it than that. But they're wrong.

It's a common belief that a good filter will allow or deny a packet based on a combination of the IP address and port. This way, you can block all traffic to, say, port 25 and consider the matter settled. But what if, just on a lark, you aren't interested in ports? What if you just plain don't want certain people connecting to your system? I'd never considered explicitly denying certain IP ranges, other than the standard list of bogons.

Then I caught a mention on a recent episode of The Screen Savers about a packet filter called ProtoWall. ProtoWall is not a firewall: it does not block all packets, only those that match an exact IP address. You can specify a number of IP addresses to block, and ProtoWall blocks them. The catch is that ProtoWall is very good at handling very large quantities of IP addresses without seriously degrading system performance. ProtoWall runs on your Windows machine, behind your XP firewall, and picks the blacklisted IPs out of the stream. Couldn't you just set up a table in pf? Yes and no. There are a lot of addresses.

Right now I have 2,529,283,916 addresses blacklisted and there is no noticeable lag. ProtoWall gets its blacklist from Blocklist Manager, a program that collects and collates lists of addresses from around the Internet and, if necessary, converts them into a number of different formats. So far, my system can't handle converting the 2.5 billion addresses into a CIDR list suitable for incorporation into a pf table. But I'm working on it. [Eleven hours of crunching on a Pentium III 500MHz didn't do the trick, so it's time to try some bigger guns. If the fastest PC I can get my hands on can't do it in a day or two, I'm going to have to write my own IP address parser in C. Yuck.]
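The range-to-CIDR conversion described above, as an added example (not the post's own code, and in Python rather than the C the author contemplates): it assumes the blocklist is in a "label:first-last" line format, which the post does not show, and it merges overlapping or adjacent ranges so the resulting pf table is as small as possible.

```python
import ipaddress

# Constructed sample blocklist in "label:first-last" form (an assumption; the
# post does not show Blocklist Manager's output). Adjacent and overlapping
# ranges are included on purpose to show that they are merged.
SAMPLE_BLOCKLIST = """\
# comment lines and blank lines are ignored
Example Corp:192.0.2.0-192.0.2.127
Example Corp too:192.0.2.128-192.0.2.255
Test net 2:198.51.100.4-198.51.100.9
Overlap:198.51.100.8-198.51.100.15
Single host:203.0.113.77-203.0.113.77
"""

def parse_ranges(text):
    """Yield (first, last) IPv4Address pairs from label:first-last lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        _, _, span = line.rpartition(":")      # the label itself may contain ':'
        first, _, last = span.partition("-")
        lo = ipaddress.IPv4Address(first.strip())
        hi = ipaddress.IPv4Address(last.strip())
        if hi < lo:
            raise ValueError(f"inverted range: {line}")
        yield lo, hi

def ranges_to_cidrs(text):
    """Convert every range to CIDR blocks, then merge overlaps and neighbours."""
    nets = []
    for lo, hi in parse_ranges(text):
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def address_count(cidrs):
    """Total number of addresses covered, for sanity-checking against the source."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cidrs)

def pf_table_file(cidrs):
    """One CIDR per line, the format pf loads with:
       table <blacklist> persist file "/etc/blacklist"
       block in quick from <blacklist>"""
    return "\n".join(cidrs) + "\n"

if __name__ == "__main__":
    blocks = ranges_to_cidrs(SAMPLE_BLOCKLIST)
    print(pf_table_file(blocks), end="")
    print(f"# {address_count(blocks)} addresses in {len(blocks)} blocks")
```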

You have to be careful about this, because you're turning control over what's a "good IP" and what's a "bad IP" to strangers whose opinions are decidedly different from your own. It's time to use the enigmatic pronoun "they". "They" have done the legwork, and have determined, say, most of Vivendi Universal's IP ranges. The office of the CIO of Vivendi has established that their company will own some 32-bit numbers for use with Internet connectivity. If you use a lot of file-sharing software and are running BitTorrent on every major theatrical release within hours of their premieres, you may have a vested interest in denying connections to your computer from a machine using one of those numbers. It may just keep your name out of a lawsuit. I don't do much in the way of file-sharing films or music, so it's not a concern for me. (If Vivendi really wanted to snoop your KaZaa swag, they wouldn't do it from their own front door.)

But U.S. legislation like the Digital Millennium Copyright Act has paved the way for companies like Vivendi, Sony, the RIAA, or the MPAA to scan your machine for copyrighted works whether you want them to or not. This is a concern for me. I am unnerved by the idea that Geffen Records has permission from my government to remotely scan my hard drive looking for MP3s of songs they may happen to own. If the U.S. Constitution authorizes me to kick an unwelcome militia out of my house, I damn well have the same authorization when it comes to private corporations. If I can defend my home, even with lethal force protected by the Second Amendment, why does this defense not extend to my computer inside my home?

It does. I have a right to defend my intellectual property, just as I have a right to defend my physical property. And so I have started using ProtoWall.

Come and get some, DMCA.
