I have a zip file for you guys to check out as requested. You can download it from the following URL.

URL HIDDEN

For now I would appreciate if the URL wasn’t posted yet. I’m working on a signup/download section for the host site. From there I’ll make it generally available to the open public.

The version in the zip is time-bombed and dies in March. It only supports blocking 5 countries at a time right now. This isn’t due to performance issues or anything, I’m just hoping to keep the full version under wraps until everything is ready to go. I’ve had a full version running on my machine for the past 3 or 4 weeks with 129 countries (some 24,000 firewall entries) blocked with no performance impact whatsoever on my machine, so I’m feeling really confident it will work well for people.

If you could give it a shot and let me know what you think I would appreciate it. If you would like to try out a fully functional version as well I can put a build together for you guys. Just give me an email or something and I can send it your way.

Todd K

If you are building an Access Control List, (whitelist/blacklist) you are going to ease the load on your resources if you use entire networks as opposed to breaking it out by IP address.

The United States has 1.5 billion addresses, but these are contained within approximately 39,000 upper level network ranges (prior to being subdivided further).

Building an aggregated list is a little bit difficult because the networks assigned to countries are neither contiguous nor continuous. Due to the many projects we are working on we are not currently offering an aggregation script. But these scripts do exist. You’ll find a link to one here:

Richard Sandoz :
Not sure if this is of any help:
Will merge a list of CIDR networks and consolidate adjacencies and overlaps:
http://www.richardsandoz.com/perl/cidrmerge.html

Let me know what countries you would like on your whitelist and the format you would like your data to appear, and I’ll create if for you (if it’s reasonable).

Incidentally, if anyone would like to donate an aggregation script to Country IP Blocks, I will see about getting it incorporated into the website.

Stewart White :We offer information on all active, reserved or allocated global IPv4 addresses. Currently, of the 4,294,967,296 possible IPv4 addresses, 3,977,143,746 are active, reserved or allocated. These addresses are contained in nearly 105,000 separate networks.
As of April 12, 2010, The USA has 37,767 networks and 1,490,138,622 subnets. Canada includes 5,758 networks and 76,999,932 subnets.
From a security standpoint it is usually better to decide what you will ALLOW onto your network instead of what you want to DENY. But, in weighing whether to set up a rule set to implicitly ALLOW or DENY, you should consider factors such as efficiency, size of the ruleset, overhead, available system memory, CPU, etc.
For example, if you wanted to deny traffic from China, you could create a ruleset to ALLOW the rest of the world, which would by default deny China. Or you could create a ruleset to expressly DENY China, which would by default allow any network that is not part of the IP blocks assigned to China. The resources required for the latter are much less than the former.
At the current time it would require significantly less resources to ALLOW the USA and Canada and deny the rest of the globe than it would to DENY access to every country except the USA and Canada. The difference is in how the rule is written and the amount of data required to properly process the rule.
In any case, you need to approach your decision thoughtfully. Any changes you make to a firewall or .htaccess file will impact resource utilization.

Stewart- I have been following some of your comments, as well as those by Paul and ToddK. I am trying to build a whitelist of the entire world minutes a couple countries. To your post, there are about 1.5M ranges in the US alone. Instead of building a listing of millions or ranges, do you know how I could build a [hopefully aggregated] whitelist based on inputting those locations I want to deny?

@Whitelist Admin

Does anyone have an easy way that I can drop in the ranges from these countries I don’t want to connect, to build a whitelist allowing everything else? If I just go country by country and add each and everyone alloweable range the list would be millions. Thank you.

GREAT SITE!

Just a question, what about IPv6?
Will it work the same way as IPv4?

Thanks once again and keep up the great job! ^_^

http://www.flickr.com/photos/57715420@N05/5314097612/

The interface is just a nice way of selecting the continents/countries you want to block out. The guts of it will take the cidr entries and apply them to Windows Firewall. What I found on my server is that not only is the web service getting attacked, but people are trying to get access to it any way they can (web service, email server, windows credentials, etc.) The intent here is just to block everything from regions that are irrelevant to the sites that I’m hosting. If they can’t see it hopefully they’ll just leave it alone. I began with the lists on okean.com, but I like that your info is more complete.

It’s early days, but I’m thinking export/import of settings so that you set up one server and copy the settings to other web servers. I already have a smallish app that runs on a weekly basis and updates the firewall (using okean lists). I just need to modify that to pull from a better source and apply as per the settings from the app. I can probably just cache the data on my server and encrypt it so that I know it’s only my tool using it. That way I won’t be burdening you guys if people like the tool and start using it a lot.

I’m certainly open to suggestions as well.

Please provide us with a little more info on your project.