new options CC_DENY_PORTS, CC_DENY_PORTS_TCP

patchwork3
Junior Member
Posts: 3
Joined: 23 Feb 2013, 22:13

new options CC_DENY_PORTS, CC_DENY_PORTS_TCP

Post by patchwork3 »


Added new options CC_DENY_PORTS, CC_DENY_PORTS_TCP,
CC_DENY_PORTS_UDP. This feature denies access from the countries
listed in CC_DENY_PORTS to listed TCP/UDP ports. For example, using
this FTP access port 21 could be blocked to only the specified
countries

I just want to make sure I'm understanding this correctly.

If I wanted to block access to, say, port 22 to all countries apart from mine, would I have to use the following settings?

CC_DENY_PORTS = "CN,BR,IN,TW" (Roughly 240 Countries)
CC_DENY_PORTS_TCP = 22

Would this be really, really slow, or would it only be used for each login to port 22?

Pete
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: new options CC_DENY_PORTS, CC_DENY_PORTS_TCP

Post by Sergio »

No, you will need to use the other option, CC_ALLOW_PORT. With that option, you only select the country that you want to use port 22, so you delete port 22 from the TCP in/out, and that option will only allow your country to use port 22.

The other one is the opposite: if I want to block Brazil to test port 21, you use CC_DENY_PORT and select country BR and you write port 21 in there.

Sergio
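
Added example, not part of any post in this thread: a small check for the mistake the answer above warns about, a port that is listed for country-only access but is still open to everyone through the general inbound list. It assumes the csf.conf key names `TCP_IN` and `CC_ALLOW_PORTS_TCP` and the `KEY = "value"` line format; the sample config is constructed.

```shell
#!/usr/bin/env bash
# Added example: report ports listed in CC_ALLOW_PORTS_TCP that also appear in
# TCP_IN, where the per-country restriction has no effect.
# Assumption: csf.conf lines look like KEY = "v1,v2,low:high".

# conf_value FILE KEY: print the quoted value of KEY (last assignment wins)
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# port_in_list PORT LIST: succeed if PORT equals an entry or falls in a low:high range
port_in_list() {
    local port="$1" entry
    local IFS=,
    for entry in $2; do
        case $entry in
            *:*) [ "$port" -ge "${entry%%:*}" ] && [ "$port" -le "${entry##*:}" ] && return 0 ;;
            '')  ;;
            *)   [ "$port" -eq "$entry" ] && return 0 ;;
        esac
    done
    return 1
}

# exposed_ports FILE: print, comma separated, the single ports from
# CC_ALLOW_PORTS_TCP that TCP_IN still opens to every country
exposed_ports() {
    local tcp_in allow port out=""
    tcp_in=$(conf_value "$1" TCP_IN)
    allow=$(conf_value "$1" CC_ALLOW_PORTS_TCP)
    local IFS=,
    for port in $allow; do
        if port_in_list "$port" "$tcp_in"; then out="$out${out:+,}$port"; fi
    done
    printf '%s\n' "$out"
}

# Constructed sample (not a real server's csf.conf): 22 was left in TCP_IN.
sample_conf() {
    cat <<'EOF'
TCP_IN = "20,21,22,25,80,443,30000:35000"
CC_ALLOW_PORTS = "GB"
CC_ALLOW_PORTS_TCP = "22,2222"
EOF
}

tmp=$(mktemp); sample_conf > "$tmp"
echo "listed for country-only access but open to all: $(exposed_ports "$tmp")"
rm -f "$tmp"
```

An empty result means every port in `CC_ALLOW_PORTS_TCP` has been removed from `TCP_IN`, which is the state the answer describes.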
GTG
Junior Member
Posts: 1
Joined: 25 Feb 2013, 13:02

Re: new options CC_DENY_PORTS, CC_DENY_PORTS_TCP

Post by GTG »

Would this option be less of a drain on the CPU vs using the CC DENY list?
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: new options CC_DENY_PORTS, CC_DENY_PORTS_TCP

Post by Sergio »

It depends on what you want. If you want to block a country from all of your services, then add it to CC_DENY, but if you want to block attacks from a country to your FTP port, as an example, you use the CC_DENY_PORT. It will generate the same amount of IPTABLES, as the number of IPs will be the same.