[Firewall] Is there a limit to BLOCK_HOSTS=""

Lonnie Abelbeck lists at lonnie.abelbeck.com
Sun Feb 3 15:49:21 CET 2013


Hi Chris,

The BLOCK_HOSTS variable is designed to only add a few IPs or CIDRs, but clearly works for a lot more. :-)

What you should be using is BLOCK_HOSTS_FILE, which is set to point to a file of your creation, for example:
--
BLOCK_HOSTS_FILE="/etc/arno-iptables-firewall/blocked-hosts"
--

and place the entries you want blocked in the file, one per line, e.g. "/etc/arno-iptables-firewall/blocked-hosts":
--
1.12.0.0/14
1.24.0.0/13
1.32.0.0/16
1.45.0.0/16
1.48.0.0/14
.. etc ..
--

Also by using a BLOCK_HOSTS_FILE file, you can update the file and apply it without restarting the complete firewall with:

$ arno-iptables-firewall force-reload

Finally, possibly a better and more manageable block list is the "Spamhaus Don't Route Or Peer List":

http://www.spamhaus.org/drop/

You may want to include both the http://www.spamhaus.org/drop/drop.txt and http://www.spamhaus.org/drop/edrop.txt lists.

Note: the semi-colon ';' comments in the above lists will be automatically ignored with BLOCK_HOSTS_FILE in AIF.

You would want to use CRON to re-apply the above files every 24 hours or so, together with using "arno-iptables-firewall force-reload" to apply them.

Lonnie



On Feb 3, 2013, at 1:32 AM, cmr at uniserve.com wrote:

> I find myself wanting to block access from whole country ip ranges. Is there a limit to what I can include in the BLOCK_HOSTS="" setting? If there is, can I have multiple BLOCK_HOSTS="" statements in the firewall.conf file?
> 
> I'm using version 2.0.1c.
> 
> Chris
> 
> 
> as an example for blocking China:
> BLOCK_HOSTS="1.12.0.0/14 1.24.0.0/13 1.32.0.0/16 1.45.0.0/16 1.48.0.0/14 1.56.0.0/13 1.68.0.0/14 1.80.0.0/12 1.116.0.0/14 1.180.0.0/14 1.184.0.0/15 1.188.0.0/13 1.196.0.0/14 1.202.0.0/14 1.206.0.0/15 14.16.0.0/12
-- snip --
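Putting the steps from the reply above together, as an added example that is not Lonnie's code or part of AIF: a POSIX shell script that cleans one or more DROP-style lists ("CIDR ; comment" per line) into the BLOCK_HOSTS_FILE path quoted in the mail, refuses to replace the file when a download comes back empty or malformed, and then applies it with force-reload. The script name, cron schedule and use of wget are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread or the AIF project. Builds the
# file that BLOCK_HOSTS_FILE points at from DROP-style lists, then reloads AIF.
# Everything except the blocked-hosts path and the Spamhaus URLs is assumed.
set -eu

BLOCKED_HOSTS_FILE="/etc/arno-iptables-firewall/blocked-hosts"   # path from the thread

# build_block_list OUTFILE INFILE...
# Strips ';' comments, CR characters and blank lines, keeps only well-formed
# IPv4 addresses/CIDRs (octets <= 255, prefix <= 32), de-duplicates, and
# replaces OUTFILE atomically. Returns 1 and leaves OUTFILE untouched when
# no valid entry survives, so a failed download never empties the block list.
build_block_list() {
  out=$1; shift
  tmp=$(mktemp "${out}.XXXXXX")
  cat "$@" | tr -d '\r' | sed 's/;.*$//' | awk '
    NF != 1 { next }                 # comment-only/blank line, or not a single token
    $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { next }
    {
      n = split($1, p, "[./]")       # p[1..4] octets, p[5] prefix if present
      if (p[1] > 255 || p[2] > 255 || p[3] > 255 || p[4] > 255) next
      if (n == 5 && p[5] > 32) next
      print $1
    }' | sort -u > "$tmp"
  if [ ! -s "$tmp" ]; then
    rm -f "$tmp"
    return 1
  fi
  mv "$tmp" "$out"
}

# refresh_and_reload: the daily job described in the reply. Fetch both lists,
# rebuild the file, and only then hand it to AIF without a full restart.
# Assumed cron entry:  0 4 * * * /usr/local/sbin/refresh-blocklist.sh refresh
refresh_and_reload() {
  work=$(mktemp -d)
  wget -q -O "$work/drop.txt"  http://www.spamhaus.org/drop/drop.txt
  wget -q -O "$work/edrop.txt" http://www.spamhaus.org/drop/edrop.txt
  if build_block_list "$BLOCKED_HOSTS_FILE" "$work/drop.txt" "$work/edrop.txt"; then
    arno-iptables-firewall force-reload
  else
    echo "blocklist refresh produced no valid entries; keeping previous file" >&2
  fi
  rm -rf "$work"
}

case "${1:-}" in refresh) refresh_and_reload ;; esac
```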
