Thomas Scheer wrote:
Hi,
Is there a way to block whole countries (e.g. Sudan) by IP ranges and/or CIDR
data? (In regex it would be a mess of data.)

In CIDR Format:
# Country: SUDAN
# ISO Code: SD
# Total Networks: 19
# Total Subnets:  283,904
41.67.0.0/18
41.78.108.0/22
41.79.24.0/22
41.79.120.0/22
41.95.0.0/16
41.202.160.0/19
41.209.64.0/18
41.218.0.0/18
41.223.160.0/22
41.223.200.0/22
196.1.192.0/18
196.29.160.0/19
196.202.128.0/19
196.223.20.0/24
197.251.0.0/17
197.252.0.0/16
197.254.192.0/19
197.254.224.0/19
212.0.128.0/19


I'm telling you what I think I know, for what it's worth.

First comment: and you have not even considered IPv6 addresses yet...

Then, as far as I know, the IANA allocates blocks of IP addresses on a first-come, first-served basis, and according to availability. So there is no "underlying logic" to which ISP in which country gets granted any block of addresses, and it can vary over time as one ISP relinquishes "ownership" of one block and another one somewhere else obtains control over all or part of that same block. The situation may be somewhat more organised with IPv6 addresses, as there are so many more of them to choose from, but that I don't really know.

One solution I would think of would be to modify the IP Address Filter Valve to make a lookup when needed to obtain the above information, and cache the result.

Another alternative would be to turn the issue around and cache a table of the IP ranges which you would /allow/ to access your server, and block anything that is not in that list. Usually, it is safer to work on the principle "we block everything except...", instead of "we allow everything except...".

We do something similar to that at the Apache httpd front-end level, for some of our international customers spread over many locations and that access the internet through various firewalls/proxies. We get a list from them of their external IP ranges, and filter on that. We transform their list into a lookup table based on the numeric values of the "nibbles", and use this to make the lookups. It is a bit more efficient than comparing each incoming IP with a bunch of regexps.

Of course your case may be different and this kind of logic may not apply.
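The numeric lookup table the reply describes, as an added example that is not code from this thread or from Tomcat: a binary prefix trie in Python that loads the CIDR list from the question, answers a lookup in at most one step per address bit (32 for IPv4, 128 for IPv6) rather than one regexp test per network, and supports both the "block listed ranges" and the safer "allow listed ranges only" policy. The IPv6 entry is an assumed documentation prefix, added only to show the table handles v6 too.

```python
import ipaddress

class PrefixTrie:
    """Binary trie keyed on address bits: one step per bit (32 for IPv4,
    128 for IPv6) whatever the number of networks loaded, instead of one
    regexp test per network. Separate roots keep v4 and v6 bits apart."""
    def __init__(self):
        self.roots = {4: {}, 6: {}}

    def add(self, cidr):
        net = ipaddress.ip_network(cidr, strict=False)
        bits = format(int(net.network_address), f"0{net.max_prefixlen}b")
        node = self.roots[net.version]
        for b in bits[:net.prefixlen]:          # only the prefix bits matter
            node = node.setdefault(b, {})
        node["net"] = str(net)                  # leaf marks a covering network

    def lookup(self, ip):
        """Return the covering network (as a string) or None."""
        addr = ipaddress.ip_address(ip)
        node = self.roots[addr.version]
        for b in format(int(addr), f"0{addr.max_prefixlen}b"):
            if "net" in node:                   # a shorter prefix already covers
                return node["net"]
            node = node.get(b)
            if node is None:
                return None
        return node.get("net")

def is_blocked(ip, denied, allowed=None):
    """With an allow list: block everything not listed (default deny).
    Without one: block only the listed ranges (default allow)."""
    if allowed is not None:
        return allowed.lookup(ip) is None
    return denied.lookup(ip) is not None

# Constructed from the question's list; the IPv6 entry is an assumed
# documentation prefix, added only to show the same table handles v6.
SUDAN = PrefixTrie()
for cidr in ["41.67.0.0/18", "41.78.108.0/22", "41.79.24.0/22", "41.79.120.0/22",
             "41.95.0.0/16", "41.202.160.0/19", "41.209.64.0/18", "41.218.0.0/18",
             "41.223.160.0/22", "41.223.200.0/22", "196.1.192.0/18", "196.29.160.0/19",
             "196.202.128.0/19", "196.223.20.0/24", "197.251.0.0/17", "197.252.0.0/16",
             "197.254.192.0/19", "197.254.224.0/19", "212.0.128.0/19", "2001:db8::/32"]:
    SUDAN.add(cidr)

if __name__ == "__main__":
    for ip in ["41.67.1.1", "41.67.64.1", "196.29.170.5", "2001:db8::1", "8.8.8.8"]:
        print(ip, "->", SUDAN.lookup(ip), "blocked:", is_blocked(ip, SUDAN))
```

A valve or servlet filter would build the trie once at startup and call `lookup` per request; the same structure serves as the cache the reply suggests for looked-up results.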
