As of April 12, 2010, The USA has 37,767 networks and 1,490,138,622 subnets. Canada includes 5,758 networks and 76,999,932 subnets.

From a security standpoint it is usually better to decide what you will ALLOW onto your network instead of what you want to DENY. But, in weighing whether to set up a rule set to implicitly ALLOW or DENY, you should consider factors such as efficiency, size of the ruleset, overhead, available system memory, CPU, etc.

For example, if you wanted to deny traffic from China, you could create a ruleset to ALLOW the rest of the world, which would by default deny China. Or you could create a ruleset to expressly DENY China, which would by default allow any network that is not part of the IP blocks assigned to China. The resources required for the latter are much less than the former.

At the current time it would require significantly less resources to ALLOW the USA and Canada and deny the rest of the globe than it would to DENY access to every country except the USA and Canada. The difference is in how the rule is written and the amount of data required to properly process the rule.

In any case, you need to approach your decision thoughtfully. Any changes you make to a firewall or .htaccess file will impact resource utilization.

<Limit GET HEAD POST>
order allow,deny
deny from xxx.xxx.xxx.xxx/xx
</Limit>
allow from all

I saw your web page:
http://www.countryipblocks.net/e_country_data/Asia_deny.txt

I’m wondering which part of this do you actually drop into your .htaccess file on the Apache server. I’m guessing you chop out the stuff that has a number sign in front of it, and include the rest of the stuff.

For example, if you start with this:

# Country: Asia
# Total Networks: 10,183
# Total Subnets: 581,443,008
# Country: AFGHANISTAN
# ISO Code: AF
# Total Networks: 17
# Total Subnets: 73,984
deny from 58.147.128.0/19
deny from 111.125.152.0/21
deny from 117.55.192.0/20
deny from 117.104.224.0/21
deny from 119.59.80.0/21
deny from 121.100.48.0/21
deny from 121.127.32.0/19
deny from 125.213.192.0/19
deny from 175.106.32.0/19
deny from 180.94.64.0/19
deny from 180.222.136.0/21
deny from 202.56.176.0/20
deny from 202.86.16.0/20
deny from 203.174.27.0/24
deny from 203.215.32.0/20
deny from 210.80.0.0/19
deny from 210.80.32.0/19
# Country: ARMENIA
# ISO Code: AM
# Total Networks: 52
# Total Subnets: 195,872
deny from 62.89.0.0/19
deny from 77.95.184.0/21
deny from 78.109.64.0/20
deny from 79.170.200.0/21
deny from 80.86.224.0/20
deny from 81.16.0.0/20
deny from 81.89.208.0/20
deny from 83.139.0.0/18
deny from 83.217.224.0/19
deny from 87.241.128.0/18
deny from 89.249.192.0/20
deny from 91.103.24.0/21
deny from 91.103.56.0/21
deny from 91.198.247.0/24
deny from 91.199.38.0/24
deny from 91.199.226.0/24
deny from 91.205.132.0/21
deny from 91.208.76.0/24
deny from 91.208.149.0/24
deny from 91.209.38.0/24
deny from 91.209.105.0/24
deny from 91.210.40.0/22
deny from 91.212.71.0/24
deny from 92.43.136.0/21
deny from 93.94.216.0/21
deny from 93.185.32.0/20
deny from 93.187.160.0/21
deny from 93.191.152.0/21
deny from 95.140.192.0/20
deny from 109.68.120.0/21
deny from 109.75.32.0/20
deny from 178.160.128.0/17
deny from 188.92.40.0/21
deny from 188.115.192.0/18
deny from 193.200.130.0/24
deny from 195.8.50.0/23
deny from 195.60.80.128/27
deny from 195.88.66.0/23
deny from 195.88.254.0/23
deny from 195.191.100.0/23
deny from 195.191.154.0/23
deny from 195.191.186.0/23
deny from 195.211.24.0/22
deny from 195.250.64.0/19
deny from 212.34.224.0/19
deny from 212.42.192.0/19
deny from 212.73.64.0/19
deny from 217.26.128.0/20
deny from 217.63.96.0/19
deny from 217.76.0.0/20
deny from 217.113.0.0/20
deny from 217.113.16.0/20

What you actually drop into the .htaccess file on the Apache server is this:

deny from 58.147.128.0/19
deny from 111.125.152.0/21
deny from 117.55.192.0/20
deny from 117.104.224.0/21
deny from 119.59.80.0/21
deny from 121.100.48.0/21
deny from 121.127.32.0/19
deny from 125.213.192.0/19
deny from 175.106.32.0/19
deny from 180.94.64.0/19
deny from 180.222.136.0/21
deny from 202.56.176.0/20
deny from 202.86.16.0/20
deny from 203.174.27.0/24
deny from 203.215.32.0/20
deny from 210.80.0.0/19
deny from 210.80.32.0/19

deny from 62.89.0.0/19
deny from 77.95.184.0/21
deny from 78.109.64.0/20
deny from 79.170.200.0/21
deny from 80.86.224.0/20
deny from 81.16.0.0/20
deny from 81.89.208.0/20
deny from 83.139.0.0/18
deny from 83.217.224.0/19
deny from 87.241.128.0/18
deny from 89.249.192.0/20
deny from 91.103.24.0/21
deny from 91.103.56.0/21
deny from 91.198.247.0/24
deny from 91.199.38.0/24
deny from 91.199.226.0/24
deny from 91.205.132.0/21
deny from 91.208.76.0/24
deny from 91.208.149.0/24
deny from 91.209.38.0/24
deny from 91.209.105.0/24
deny from 91.210.40.0/22
deny from 91.212.71.0/24
deny from 92.43.136.0/21
deny from 93.94.216.0/21
deny from 93.185.32.0/20
deny from 93.187.160.0/21
deny from 93.191.152.0/21
deny from 95.140.192.0/20
deny from 109.68.120.0/21
deny from 109.75.32.0/20
deny from 178.160.128.0/17
deny from 188.92.40.0/21
deny from 188.115.192.0/18
deny from 193.200.130.0/24
deny from 195.8.50.0/23
deny from 195.60.80.128/27
deny from 195.88.66.0/23
deny from 195.88.254.0/23
deny from 195.191.100.0/23
deny from 195.191.154.0/23
deny from 195.191.186.0/23
deny from 195.211.24.0/22
deny from 195.250.64.0/19
deny from 212.34.224.0/19
deny from 212.42.192.0/19
deny from 212.73.64.0/19
deny from 217.26.128.0/20
deny from 217.63.96.0/19
deny from 217.76.0.0/20
deny from 217.113.0.0/20
deny from 217.113.16.0/20

I’m wondering if that’s all you do, or if you have to surround the above stuff with some sort of code wrapping, like this:

[mod rewrite apache something..code xyz]
deny from 58.147.128.0/19
deny from 111.125.152.0/21
deny from 117.55.192.0/20
deny from 117.104.224.0/21
deny from 119.59.80.0/21
[end of spooky apache code number wrapper stuff/xlmns.12345]

This looks like a great website.

With all of these bad acting countries, it seems like it would be more efficient to allow only the USA and Canada addresses, rather than try to block 2000 addresses from 20 different countries.

However, I believe you indicated an “allow USA only” approach is actually more elaborate to construct than “block d,e,f,g,h,i,j,k, l,m,n,o,p,q,r,s,t,u,v,w,x,y,z and allow the rest” method.

Could you provide greater detail on why this is the case? There’s a whole lot of us out there who would be perfectly happy to interact with USA and Canada, and nowhere else (for example, if you have a defense attorney’s website serving clients in a small midwest USA metro, written in English, why would China or Russia need access to this website?).

Thanks for any elaboration on this.