[Firewall] Is there a limit to BLOCK_HOSTS=""
lists at lonnie.abelbeck.com
Sun Feb 3 15:49:21 CET 2013
The BLOCK_HOSTS variable is designed to only add a few IPs or CIDRs, but clearly works for a lot more. :-)
What you should be using is BLOCK_HOSTS_FILE, which is set to point to a file of your creation, for example:
and place, one per line, the entries you want blocked in the file, e.g. "/etc/arno-iptables-firewall/blocked-hosts"
.. etc ..
Also by using a BLOCK_HOSTS_FILE file, you can update the file and apply it without restarting the complete firewall with:
$ arno-iptables-firewall force-reload
Finally, possibly a better and more manageable block list is the "Spamhaus Don't Route Or Peer List"
You may want to include both the http://www.spamhaus.org/drop/drop.txt and http://www.spamhaus.org/drop/edrop.txt lists.
Note: the semi-colon ';' comments in the above lists will be automatically ignored with BLOCK_HOSTS_FILE in AIF.
You would want to use CRON to re-apply the above files every 24 hours or so, together with using "arno-iptables-firewall force-reload" to apply them.
On Feb 3, 2013, at 1:32 AM, cmr at uniserve.com wrote:
> I find myself wanting to block access from whole country ip ranges. Is there a limit to what I can include in the BLOCK_HOSTS="" setting? If there is, can I have multiple BLOCK_HOSTS="" statements in the firewall.conf file?
> I'm using version 2.0.1c.
> as an example for blocking China:
> BLOCK_HOSTS="188.8.131.52/14 184.108.40.206/13 220.127.116.11/16 18.104.22.168/16 22.214.171.124/14 126.96.36.199/13 188.8.131.52/14 184.108.40.206/12 220.127.116.11/14 18.104.22.168/14 22.214.171.124/15 126.96.36.199/13 188.8.131.52/14 184.108.40.206/14 220.127.116.11/15 18.104.22.168/12
-- snip --
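As an added illustration of the BLOCK_HOSTS_FILE plus cron workflow described in the reply (example code, not from the list post or the arno-iptables-firewall project): a small POSIX shell script that turns Spamhaus DROP-format text into one-entry-per-line input, refuses malformed addresses and never installs an empty list, then applies it with force-reload. The https URLs, the output path reuse from the post, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Converts DROP-format
# lines such as "192.0.2.0/24 ; SBL1001" into bare CIDRs for BLOCK_HOSTS_FILE.
# Assumed output path is the one the post used: /etc/arno-iptables-firewall/blocked-hosts

# Strip ';' comments, trim whitespace, keep only a.b.c.d or a.b.c.d/nn with
# octets 0-255 and prefix 0-32; anything else is dropped so a corrupted or
# tampered download cannot inject junk into the firewall input.
drop_to_blocklist() {
    sed 's/;.*$//' | awk '
    function octet_ok(o) { return (o ~ /^[0-9]+$/ && o + 0 <= 255) }
    {
        sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "")
        if ($0 == "") next
        n = split($0, parts, "/")
        if (n > 2) next
        if (n == 2 && !(parts[2] ~ /^[0-9]+$/ && parts[2] + 0 <= 32)) next
        if (split(parts[1], o, ".") != 4) next
        if (!(octet_ok(o[1]) && octet_ok(o[2]) && octet_ok(o[3]) && octet_ok(o[4]))) next
        print $0
    }'
}

# Fetch both lists, rebuild the block file atomically and reload the rules.
# Intended to run from cron, e.g. once a day as the post suggests:
#   0 3 * * * /usr/local/sbin/refresh-blocklist.sh   (assumed script path)
refresh_blocklist() {
    out="${1:-/etc/arno-iptables-firewall/blocked-hosts}"
    raw="$out.raw.$$"; tmp="$out.tmp.$$"
    for url in https://www.spamhaus.org/drop/drop.txt https://www.spamhaus.org/drop/edrop.txt; do
        curl -fsS "$url" >> "$raw" || { rm -f "$raw"; return 1; }   # abort on any download failure
    done
    drop_to_blocklist < "$raw" > "$tmp"
    rm -f "$raw"
    [ -s "$tmp" ] || { rm -f "$tmp"; return 1; }   # never replace a good list with an empty one
    mv "$tmp" "$out" && arno-iptables-firewall force-reload
}

# Constructed sample input (documentation ranges, not real DROP data) to show
# what the filter keeps and what it rejects.
sample_blocklist() {
    printf '%s\n' \
        '; Spamhaus DROP List - constructed sample' \
        '192.0.2.0/24 ; SBL1001' \
        '198.51.100.0/24 ; SBL1002' \
        '203.0.113.5' \
        '256.1.1.0/24 ; bad octet' \
        '10.0.0.0/33 ; bad prefix' \
        'not-an-address ; garbage' | drop_to_blocklist
}
```

Running sample_blocklist prints only the three valid entries; the three malformed lines are discarded before they reach the firewall.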