Firewalling IP Ranges - RunUO

autumntwilight · 04-03-2006, 04:29 PM

I don't think you can do this in RunUO 1.0, but I think the RunUO team should include a way to firewall IP ranges in their next release

Malaperth · 04-03-2006, 06:56 PM

Depends on what you mean by "ranges". The problem is that all the definitions of ranges I can think of can be firewalled using wildcards ( as in firewall 192.168.*.* for example, and possibly even down to as fine as firewall 192.168.??1.1??, but not sure of that part). The larger issue is that you can actually easily (accidentally or on purpose) firewall entire countries that way.

Maybe I don't understand what you need, but there is no sure/safe way to firewall anyone if they really want to get on without firewalling hundreds and/or thousands of people at the same time.

Livewire · 04-03-2006, 09:35 PM

I think he means the ability to firewall ranges like this:

192.168.1.1 through 192.168.1.100, inclusive

Would only block 100 ips, but 192.168.1.101 could connect. There might be a few tricks you could do as far as using several filters to get the same effect, but my guess is this is what he meant by range.

As far as adding it goes, not positive it's a coremod (check the scripts/accounting folder, theres firewall and iplimiter files in there), but i'd still like to see it. Not gunna hurt if they aren't put in though, I've been blocking ip ranges at the router if needbe. Thankfully, only had to block one guy that way so far (kindof a pain to set it up, but then again they're blocked from the network, not just uo

)

Aenima · 04-17-2006, 01:21 AM

it'd be good to be able to specify a wildcard address.

RunUO2874 · 04-17-2006, 01:42 AM

You can specify wildcard addresses. RunUO currently supports wildcards * and ?.

The easiest way to support IP ranges is actually with a mod of Core\Utility.cs:IPMatch, however you can do it by parsing the string in Scripts\Accounting\Firewall.cs:IsBlocked and looping through each one.

Actually, you could just rip IPMatch from Utility.cs, put it somewhere in Firewall.cs, and make it handle ranges there. Not a very nice way to do it, but might work.

Aenima · 04-17-2006, 07:10 AM

what I mean by wildcard address is as that used in router ACLs - a bitwise address, where 1 = wildcard and 0 = static.

For instance, a class B wildcard would be something like adding the IP address 172.16.0.0 and specifying a mask of 0.0.255.255, instead of what we currently have - 172.16.*.

PappaSmurf · 04-18-2006, 04:23 AM

There is a major drawback to this though.....lets say you have a family that is playing on a server from mutiple PC's all hooked through the same router....by Banning a range you've banned that entire family for one jerk...

if a family has Mom Dad You Sister Brother all playing that's 5 people you kicked just cause one was disruptive.

**daat99** · 04-18-2006, 04:50 AM

Quote:

Originally Posted by PappaSmurf

There is a major drawback to this though.....lets say you have a family that is playing on a server from mutiple PC's all hooked through the same router....by Banning a range you've banned that entire family for one jerk...

if a family has Mom Dad You Sister Brother all playing that's 5 people you kicked just cause one was disruptive.

In this situations the family authority figure will most likely contact the admin to ask why they all got banned and deal with the "jerk" so he won't be a "jerk" anymore in order to the ban to be lifted.

Think about it for a sec, if you were in that family and you were the "jerk" than your sister, brother, mother and father will be breathing down your neck to stop being "jerk" and if you cntinue than it'll be safe to assume you won't have a computer to be "jerk" with anymore MUAHAHAHAH.

Keep in mind that every ban can be lifter by the admin and every half decent admin have his email (or atleast the shard email) on his website for people to contact for situations like this (among others).

PappaSmurf · 04-18-2006, 05:11 AM

Quote:

Originally Posted by daat99

In this situations the family authority figure will most likely contact the admin to ask why they all got banned and deal with the "jerk" so he won't be a "jerk" anymore in order to the ban to be lifted.

Think about it for a sec, if you were in that family and you were the "jerk" than your sister, brother, mother and father will be breathing down your neck to stop being "jerk" and if you cntinue than it'll be safe to assume you won't have a computer to be "jerk" with anymore MUAHAHAHAH.

Keep in mind that every ban can be lifter by the admin and every half decent admin have his email (or atleast the shard email) on his website for people to contact for situations like this (among others).

This is very true I didn't think about it at the time. And if I'm not mistake you have to have contact info on your shards website to be listed on UOG

**daat99** · 04-18-2006, 05:13 AM

Quote:

Originally Posted by PappaSmurf

This is very true I didn't think about it at the time. And if I'm not mistake you have to have contact info on your shards website to be listed on UOG

No idea about that, I only do scripts

PappaSmurf · 04-18-2006, 05:20 AM

Quote:

Originally Posted by daat99

No idea about that, I only do scripts

I've got dial up and too many bills to finish catching up before I can pay to host a server....so Yah I've never messed with UOG much either, at least as far as listing a server with it.

I think hosting a Server on my PC would kill it anyways there is only so much a Pent Celeron 2.2ghz running Windows XP on 256MB of RAM can do.....

Aenima · 04-18-2006, 08:36 AM

I very much doubt a family would be using more than one public IP address. The more common situation is that their router uses NAT - one public IP address and the hosts connected to it use one of the designated private IP ranges.

So, banning one IP would, in effect, ban anyone connecting through the router.

**daat99** · 04-18-2006, 05:34 PM

Quote:

Originally Posted by Aenima

I very much doubt a family would be using more than one public IP address. The more common situation is that their router uses NAT - one public IP address and the hosts connected to it use one of the designated private IP ranges.

So, banning one IP would, in effect, ban anyone connecting through the router.

And when they reconnect it's most likely they'll get another ip so nomore ban for them

XxSP1DERxX · 04-18-2006, 05:38 PM

I like the idea of firewalling ip ranges, or hostnames, and as a matter of fact my shard can do this already. In addition, so that you do not ban a whole country/city/etc... an exception list would be good, in order to allow people to get on through the firewalling.

This would not work for people who have proxies, play through a cyber cafe, or other such 'public' areas. Unfortunately, there is collateral damage when you ban via hostname/ip range. It is inevitable.

swtrse · 05-09-2006, 10:21 AM

There are also people who have Dynamic IPs throght there ISPs.

So banning IPs is a useless feature of RunUO.
Better use a real Firewall with a relyable log.
Ban Unwanted people from the server and in case of attacks report them to there ISPs.

04-03-2006, 04:29 PM	#1 (permalink)
autumntwilight Forum Expert Join Date: Feb 2005 Location: Houston, TX Age: 20 Posts: 313	Firewalling IP Ranges I don't think you can do this in RunUO 1.0, but I think the RunUO team should include a way to firewall IP ranges in their next release

04-17-2006, 01:42 AM	#5 (permalink)
RunUO2874 Forum Novice Join Date: Jan 2006 Location: Canada Age: 21 Posts: 230	You can specify wildcard addresses. RunUO currently supports wildcards * and ?. The easiest way to support IP ranges is actually with a mod of Core\Utility.cs:IPMatch, however you can do it by parsing the string in Scripts\Accounting\Firewall.cs:IsBlocked and looping through each one. Actually, you could just rip IPMatch from Utility.cs, put it somewhere in Firewall.cs, and make it handle ranges there. Not a very nice way to do it, but might work. __________________ Fear anonymity. Last edited by RunUO2874; 04-17-2006 at 01:45 AM.

04-18-2006, 04:23 AM	#7 (permalink)
PappaSmurf Forum Expert Join Date: Mar 2005 Location: Polishing my Lightsaber Age: 31 Posts: 2,299	There is a major drawback to this though.....lets say you have a family that is playing on a server from mutiple PC's all hooked through the same router....by Banning a range you've banned that entire family for one jerk... if a family has Mom Dad You Sister Brother all playing that's 5 people you kicked just cause one was disruptive. __________________

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

04-03-2006, 06:56 PM	#2 (permalink)
Malaperth Master of the Internet Join Date: Oct 2005 Age: 44 Posts: 6,283	Depends on what you mean by "ranges". The problem is that all the definitions of ranges I can think of can be firewalled using wildcards ( as in firewall 192.168.. for example, and possibly even down to as fine as firewall 192.168.??1.1??, but not sure of that part). The larger issue is that you can actually easily (accidentally or on purpose) firewall entire countries that way. Maybe I don't understand what you need, but there is no sure/safe way to firewall anyone if they really want to get on without firewalling hundreds and/or thousands of people at the same time.

04-03-2006, 09:35 PM	#3 (permalink)
Livewire Join Date: Oct 2005 Age: 21 Posts: 73	I think he means the ability to firewall ranges like this: 192.168.1.1 through 192.168.1.100, inclusive Would only block 100 ips, but 192.168.1.101 could connect. There might be a few tricks you could do as far as using several filters to get the same effect, but my guess is this is what he meant by range. As far as adding it goes, not positive it's a coremod (check the scripts/accounting folder, theres firewall and iplimiter files in there), but i'd still like to see it. Not gunna hurt if they aren't put in though, I've been blocking ip ranges at the router if needbe. Thankfully, only had to block one guy that way so far (kindof a pain to set it up, but then again they're blocked from the network, not just uo )

04-17-2006, 01:21 AM	#4 (permalink)
Aenima Forum Expert Join Date: Oct 2002 Posts: 1,125	it'd be good to be able to specify a wildcard address.

04-17-2006, 07:10 AM	#6 (permalink)
Aenima Forum Expert Join Date: Oct 2002 Posts: 1,125	what I mean by wildcard address is as that used in router ACLs - a bitwise address, where 1 = wildcard and 0 = static. For instance, a class B wildcard would be something like adding the IP address 172.16.0.0 and specifying a mask of 0.0.255.255, instead of what we currently have - 172.16.*.

04-18-2006, 08:36 AM	#12 (permalink)
Aenima Forum Expert Join Date: Oct 2002 Posts: 1,125	I very much doubt a family would be using more than one public IP address. The more common situation is that their router uses NAT - one public IP address and the hosts connected to it use one of the designated private IP ranges. So, banning one IP would, in effect, ban anyone connecting through the router.

04-18-2006, 05:38 PM	#14 (permalink)
XxSP1DERxX Join Date: Oct 2002 Age: 22 Posts: 4,689	I like the idea of firewalling ip ranges, or hostnames, and as a matter of fact my shard can do this already. In addition, so that you do not ban a whole country/city/etc... an exception list would be good, in order to allow people to get on through the firewalling. This would not work for people who have proxies, play through a cyber cafe, or other such 'public' areas. Unfortunately, there is collateral damage when you ban via hostname/ip range. It is inevitable.

05-09-2006, 10:21 AM	#15 (permalink)
swtrse Join Date: Feb 2003 Posts: 33	There are also people who have Dynamic IPs throght there ISPs. So banning IPs is a useless feature of RunUO. Better use a real Firewall with a relyable log. Ban Unwanted people from the server and in case of attacks report them to there ISPs.

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)