[Firewall] Is there a limit to BLOCK_HOSTS=""

Lonnie Abelbeck lists at lonnie.abelbeck.com
Sun Feb 3 15:49:21 CET 2013

Hi Chris,

The BLOCK_HOSTS variable is designed to only add a few IPs or CIDRs, but clearly works for a lot more. :-)

What you should be using is BLOCK_HOSTS_FILE, which is set to point to a file of your creation, for example:

and place, one per line, the entries you want blocked in the file, e.g. "/etc/arno-iptables-firewall/blocked-hosts"
.. etc ..

Also by using a BLOCK_HOSTS_FILE file, you can update the file and apply it without restarting the complete firewall with:

$ arno-iptables-firewall force-reload

Finally, possibly a better and more manageable block list is the "Spamhaus Don't Route Or Peer List"


You may want to include both the http://www.spamhaus.org/drop/drop.txt and http://www.spamhaus.org/drop/edrop.txt lists.

Note: the semi-colon ';' comments in the above lists will be automatically ignored with BLOCK_HOSTS_FILE in AIF.

You would want to use CRON to re-apply the above files every 24 hours or so, together with using "arno-iptables-firewall force-reload" to apply them.


On Feb 3, 2013, at 1:32 AM, cmr at uniserve.com wrote:

> I find myself wanting to block access from whole country ip ranges. Is there a limit to what I can include in the BLOCK_HOSTS="" setting? If there is, can I have multiple BLOCK_HOSTS="" statements in the firewall.conf file?
> I'm using version 2.0.1c.
> Chris
> as an example for blocking China:
-- snip --
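The workflow described in the reply above (DROP-format feed, ';' comments stripped, one CIDR per line in BLOCK_HOSTS_FILE, then force-reload from cron), as an added example that is not code from this list post or from the AIF project. The function names, the constructed sample feed, the curl and cron usage and the atomic-replace logic are assumptions; the file path and feed URLs are the ones named in the message.

```shell
# Normalise a DROP-format feed into one-CIDR-per-line input for BLOCK_HOSTS_FILE.
# Reads stdin, writes stdout. Keeps only lines that parse as IPv4 or IPv4/prefix;
# ';' comments (as in drop.txt/edrop.txt), junk lines and duplicates are dropped,
# so a corrupted download cannot feed garbage into the firewall rules.
filter_blocklist() {
    sed 's/;.*$//' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' \
      | sort -u
}

# Constructed sample in the DROP file layout (documentation ranges, not real feed data).
sample_drop() {
    cat <<'EOF'
; Spamhaus DROP List (constructed sample for this example)
; Last-Modified: ...
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
  203.0.113.0/24   ; SBL000003, leading whitespace on purpose
192.0.2.0/24 ; duplicate entry
not-an-address ; junk line that must be rejected
203.0.113.5
EOF
}

# Fetch DROP + EDROP, write the merged list atomically, reload only if it changed.
# Assumes BLOCK_HOSTS_FILE in firewall.conf points at $dest. Suggested cron entry
# (assumption): 0 3 * * * /usr/local/sbin/update-blocked-hosts
update_blocked_hosts() {
    dest="${1:-/etc/arno-iptables-firewall/blocked-hosts}"
    tmp="$(mktemp)" || return 1
    {
        echo "; generated $(date -u +%Y-%m-%dT%H:%M:%SZ) from Spamhaus DROP+EDROP"
        for url in http://www.spamhaus.org/drop/drop.txt \
                   http://www.spamhaus.org/drop/edrop.txt; do
            curl -fsS "$url" || exit 1   # fail rather than write a truncated list
        done | filter_blocklist
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"                     # unchanged: no reload needed
    else
        chmod 0644 "$tmp" && mv "$tmp" "$dest" && arno-iptables-firewall force-reload
    fi
}
```

Running `sample_drop | filter_blocklist` shows the four distinct valid entries that would reach the firewall; `update_blocked_hosts` is the piece to call from cron.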
