Posted to users@tomcat.apache.org by Thomas Scheer <th...@softwareag.com> on 2012/03/08 10:47:00 UTC

RemoteAddrValve block ip-ranges

Hi,
Is there a way to block whole countries (e.g. Sudan) by ip-ranges and/or CIDR
data? (in regex it would be a mess of data)

In CIDR Format:
# Country: SUDAN
# ISO Code: SD
# Total Networks: 19
# Total Subnets:  283,904


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: RemoteAddrValve block ip-ranges

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Thomas,

On 3/8/12 4:47 AM, Thomas Scheer wrote:
> Is there a way to block whole countries (e.g. Sudan) by ip-ranges
> and/or CIDR data? (in regex it would be a mess of data)

My spidey sense is tingling. I swear we discussed this.

Aah, here it is:
https://issues.apache.org/bugzilla/show_bug.cgi?id=51953

Feel free to give that filter a try.

-chris



Re: RemoteAddrValve block ip-ranges

Posted by André Warnier <aw...@ice-sa.com>.
Thomas Scheer wrote:
> Hi,
> Is there a way to block whole countries (e.g. Sudan) by ip-ranges and/or CIDR
> data? (in regex it would be a mess of data)
> 
> In CIDR Format:
> # Country: SUDAN
> # ISO Code: SD
> # Total Networks: 19
> # Total Subnets:  283,904
> 

I'm telling you what I think I know, for what it's worth.

First comment: and you have not even considered IPv6 addresses yet...

Then, as far as I know, the IANA allocates blocks of IP addresses on a first-come, 
first-served basis, and according to availability.  So there is no "underlying logic" to 
which ISP in which country gets granted any block of addresses, and it can vary over time 
as one ISP relinquishes "ownership" of one block and another one somewhere else obtains 
control over all or part of that same block.
The situation may be somewhat more organised with IPv6 addresses, as there are so many 
more of them to choose from, but that I don't really know.

One solution I would think of would be to modify the IP Address Filter Valve to make a 
lookup when needed to obtain the above information, and cache the result.

Another alternative would be to turn the issue around, and cache a table of the IP 
ranges which you would /allow/ to access your server, and block anything that is not in 
that list.  Usually, it is safer to work on the principle "we block everything except...", 
instead of "we allow everything except...".

We do something similar to that at the Apache httpd front-end level, for some of our 
international customers spread over many locations which access the internet through 
various firewalls/proxies.  We get a list from them of their external IP ranges, and 
filter on that.
We transform their list into a lookup table based on the numeric values of the "nibbles", 
and use this to make the lookups.  It is a bit more efficient than comparing each incoming 
IP with a bunch of regexps.

Of course your case may be different and this kind of logic may not apply.

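The numeric lookup André describes, carried through as an added example that is not part of the thread or of Tomcat's RemoteAddrValve: the CIDR list becomes a table of network/mask integers, each client address is tested with a bitwise AND per entry instead of a regexp match, and the same table can be applied in the allow-list or deny-list orientation he contrasts. The first three IPv4 ranges are taken from Thomas's list; the IPv6 prefix (the 2001:db8::/32 documentation prefix) and the client addresses are constructed samples.

```python
"""CIDR lookup table for a RemoteAddrValve-style allow/deny check.

Added example (not from the thread or from Tomcat): turns a CIDR list
into (family, network, mask) integers and checks client addresses with
integer arithmetic, for both IPv4 and IPv6.
"""
import ipaddress


def build_table(cidrs):
    """Return a list of (ip_version, network_int, mask_int) from CIDR strings."""
    table = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        table.append((net.version, int(net.network_address), int(net.netmask)))
    return table


def matches(table, addr):
    """True if addr falls inside any range of the same address family."""
    ip = ipaddress.ip_address(addr)
    ip_int = int(ip)
    # One AND plus one compare per entry; the family check stops an IPv6
    # integer from accidentally matching an IPv4 network value.
    return any(ver == ip.version and (ip_int & mask) == net
               for ver, net, mask in table)


def decide(table, addr, mode):
    """Admit (True) or reject (False) addr.

    mode "allow": the table lists who may connect; everything else is blocked.
    mode "deny":  the table lists who is blocked; everything else is admitted.
    """
    hit = matches(table, addr)
    return hit if mode == "allow" else not hit


# First three ranges from the thread; the IPv6 prefix is a constructed sample.
SAMPLE_CIDRS = ["41.67.0.0/18", "41.78.108.0/22", "41.79.24.0/22", "2001:db8::/32"]

if __name__ == "__main__":
    table = build_table(SAMPLE_CIDRS)
    # Constructed client addresses: edges of the /18, a /22 member, IPv6, and an outsider.
    for client in ["41.67.63.255", "41.67.64.0", "41.78.111.1", "2001:db8::1", "198.51.100.7"]:
        print(client,
              "deny-list admits:", decide(table, client, "deny"),
              "allow-list admits:", decide(table, client, "allow"))
```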