» cFosSpeed IP blocking lists

IP-range lists

In order to filter for huge amounts of IP-ranges, cFosSpeed has support for IP-range files like ipfilter.dat the same way IP-Blockers like Protowall and Peerguradian support them. All traffic to or from one of the listed addresses is blocked. We call those lists "iplists".

cFosSpeed supports these iplists through two filter expressions: -s-iplist and -d-iplist. They are already set by default in settings.ini. -s-iplist matches the source IP address against a given list, -d-iplist the destination IP address.

The -s-iplist and -d-iplist filter accept the iplist name as second parameter. The default name used in settings.ini is "ipfilter". In the [iplist] section in settings.ini or user.ini you must specify the iplist names with the corresponding IP block list files that contain the IP-ranges to be blocked. These block lists are not supplied with cFosSpeed.

The [iplist] section contains lines in the format "listname=filename". 'listname' is used to filter for the IP-addresses listed in 'filename'. You can have more than one list with different names and each list can be made up of more than one file. When compiling the lists, duplicate entries are removed and the whole list is sorted and optimized. You can put this section in user.ini, so it will not be overwritten with the next cFosSpeed update.

An example excerpt from settings.ini:


    filter=-tx -d-iplist ipfilter -c drop
    filter=-rx -s-iplist ipfilter -c drop

    [iplist]
    ipfilter=c:\text\ipfilter.dat
    ipfilter=c:\text\my.dat
    

This will read both files and make them available as iplist named 'ipfilter'. This iplist is used by default to filter packets to the drop queue, i.e. to discard them. However, this rule is not active by default, since no IP block list file is set up.

Currently two IP-range file-formats are supported. This is the Emule format:

    from-address - to-address [, rest-ignored...]
Example:
    0.0.0.1 - 3.255.255.255 , blabla
And this is the Protowall/Peerguardian format:
    ignored-text:from-address - to-address
Example:
    blabla:0.0.0.1 - 3.255.255.255

The block lists can be quite big and consume a lot of memory. Each line with an IP-range needs 8 bytes. We worked with lists that needed 2mb of memory. The process of reloading them will, for a short time, allocate three times as much.

Since the lists are so big, they have to be read into memory from disk and compiled. This can take some short time, so it is only done when cFosSpeed is loaded or on demand. To re-load the block lists on demand use "spd reload -iplist".

Blocked packets will be dumped to text file FWLOG.TXT like all other firewalled packets. You can switch off the dumping by setting "spd gset fwlog 0".

You can list the iplists currently loaded with the command "spd showiplists". The output looks something like this:

    ipfilter:
       0x8218a4a0, active 1, refcnt 2, 3 entries
It shows that the list named "ipfilter" is loaded to a certain memory address, is active, has reference count 2 (i.e. is used two times, most likely from two filter rules) and has 3 entries (i.e. three IP ranges).

Powered by cFos Personal Net Web Server
Practice random kindness and senseless acts of beauty