CIDR Blocks Deny not working

jcinfargo
Junior Member
Posts: 2
Joined: 15 Jan 2014, 16:06

CIDR Blocks Deny not working

Post by jcinfargo »

Hello -

I am getting a lot of alerts of individual IPs that are being blocked even though I have a CIDR block set up to deny the block that would include the IP that is being blocked. I love Configserver and like that it is mostly working, but all the individual blocks are making me increase my Deny limit. This has been happening for several months now and I am running the latest version. Any assistance on this would be great.

Thank you.
skate323k137
Junior Member
Posts: 12
Joined: 11 Jun 2011, 22:36

Re: CIDR Blocks Deny not working

Post by skate323k137 »

I've never seen an issue with this. Iptables rules should not be allowing those IPs to reach your server at all if csf.deny is properly formatted. Are you putting #"do not delete" next to the CIDR blocks so that they are not rotated out when the deny limit is reached?
Solid_State
Junior Member
Posts: 2
Joined: 10 Jul 2015, 09:01

Re: CIDR Blocks Deny not working

Post by Solid_State »

I'm having the same issue with CIDR ranges in csf.deny.
I thought I must have been doing something wrong.

From what I can see, /24 works, but /23 does not?

For example: in /etc/csf/csf.deny;

# This works perfectly;
81.92.113.0/24 # do not delete
81.92.114.0/24 # do not delete

# This doesn't block IPs from 81.92.114.xxx;
81.92.113.0/23 # do not delete

That said, I don't have too many addresses / ranges to block.
I'm extremely impressed with the product.
Don't know how I ever got along without it (installed CSF about six months ago).
ForumAdmin
Moderator
Posts: 1524
Joined: 01 Oct 2008, 09:24

Re: CIDR Blocks Deny not working

Post by ForumAdmin »

A CIDR block of 81.92.113.0/23 will block the IP range 81.92.112.0 - 81.92.113.255

You need to use a CIDR tool to accurately calculate your CIDRs, e.g.:
http://www.ipaddressguide.com/cidr
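
Added example, not part of the forum posts and not code from csf: a small offline check for the mistake discussed above, using Python's standard `ipaddress` module. It reports the range each CIDR line really covers, flags entries whose base address is not on the prefix boundary, and computes the CIDRs needed for an intended range. The function names and the sample file contents are constructed for illustration.

```python
import ipaddress

# Constructed sample in the layout quoted in the thread (/etc/csf/csf.deny).
SAMPLE_DENY = """\
81.92.113.0/24 # do not delete
81.92.114.0/24 # do not delete
81.92.113.0/23 # do not delete
"""

def lint_deny(text):
    """Return (line_no, entry, covered_range, aligned) for every CIDR line."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop the trailing comment
        if "/" not in entry:
            continue                           # blank line, comment or single IP
        try:
            # strict=False masks off host bits, which is the range that
            # actually ends up matched for a misaligned entry.
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue                           # not a plain address/prefix line
        base = ipaddress.ip_address(entry.split("/", 1)[0])
        aligned = base == net.network_address
        findings.append((line_no, entry, f"{net[0]} - {net[-1]}", aligned))
    return findings

def cidrs_for_range(first, last):
    """Smallest list of CIDR blocks covering first..last inclusive."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]

if __name__ == "__main__":
    for line_no, entry, covered, aligned in lint_deny(SAMPLE_DENY):
        note = "ok" if aligned else "MISALIGNED: base address is not on the prefix boundary"
        print(f"line {line_no}: {entry:<18} covers {covered}  [{note}]")
    # The range the poster intended to block with a single /23:
    print(cidrs_for_range("81.92.113.0", "81.92.114.255"))
```

The misaligned `/23` line is reported as covering 81.92.112.0 - 81.92.113.255, and the intended 113.x to 114.x range comes back as the two `/24` entries, because a `/23` can only start on an even third octet.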
Solid_State
Junior Member
Posts: 2
Joined: 10 Jul 2015, 09:01

Re: CIDR Blocks Deny not working

Post by Solid_State »

Hi There,

"I thought I must have been doing something wrong".

... and I was. I'm an idiot :-)

I'll be more careful in future.
Thanks for the link.