• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

IP address blocking

#1
We're looking at converting our existing forums, but have an extensive IP address blocking system using PF tables. Are there any existing methods to automate uploading lists of IP addresses and ranges non-interactively? Like with scp, for example?
 

Tracy Perry

Well-known member
#5
Way better to block the IPs directly at the firewall than in the forum, this way it uses less ressources.
Depends on how extensive the IP list is. If it's fairly extensive it would probably benefit from using ipset instead of listing them in the iptables (if using a software firewall on the box - hardware firewall would be another matter). :)
 
#6
Thanks for all the responses!

For our usage in a FreeBSD jail, firewall access will not be available. Another method that sounds like it will work is setting up our own private DNSBL. Given the amount of traffic, the overhead is not likely to be a problem. But something that requires less setup would be nice. Maybe a cron job could clear and reimport the IP address table in the database, if there is a plain table for that.
 

Ridemonkey

Well-known member
#10
Way better to block the IPs directly at the firewall than in the forum, this way it uses less ressources.
Sure, in theory that's definitely true.

In practice, it needs to be weighed against the impact that the blocked IPs are having on the server. If they're being forwarded to a zero-query, lightweight page, that's often enough relief for the server that it's not worth the additional overhead of manually managing IP block lists.

Two add-ons, FoolBotHoneyPot and DeDos (both by the same author) are currently managing this for us - the former for bots attempting to register, and the latter for content scrapers - and the advantage is that it exposes the management of the modules right into the XF interface, meaning it can be managed easily at the front end by myself or anyone I grant access to. I could manage it in IP tables but not as conveniently.

Of course, if the IP ranges you're trying to block are causing massive problems, or if your server is constantly running low on resources, there are absolutely advantages to cutting it off in the firewall. Just mentioning that there are trade-offs.
 

Robust

Well-known member
#11
Depends on how extensive the IP list is. If it's fairly extensive it would probably benefit from using ipset instead of listing them in the iptables (if using a software firewall on the box - hardware firewall would be another matter). :)
Or at the software end. I do this on nginx quite easily and in an organised manner.

include inc/ipblock;

ipblock:
include blocks/country1
include ....

Relatively easy, it's completely tidy too.