XDP-Firewall

List for Block IPs?

Open geckotdf opened this issue 6 months ago • 3 comments

Hello! First of all, thank you very much for this very practical and efficient development. But I had a doubt if it is possible to link, perhaps through filters, the ability to load lists of IPs / subnets that you want to block dynamically.

Since I understand that it is possible to use the cli or pre-load in the config file: ip_drop_ranges = ( "192.168.1.0/24", "10.3.0.0/24" );

Which has a limit; as far as I can tell, this defines the max amount of IPs you can add: #define MAX_IP_RANGES 4096

But my question is if I can link lists that I can modify externally so that they are blocked.

Thank you!

geckotdf, Jun 30 '25 16:06

Hey! I'm sorry for the delay, I've been moving into a new house recently which has taken a lot of my time.

As for your question, just to clarify, are you asking if it's possible to modify a list (from a file for example) and have it reflect in the dropped IP ranges list in real time? If so, this isn't possible through the tool itself, but you could create a separate tool or script to utilize the CLI utilities (xdpfw-add and xdpfw-del).

The script would need to watch changes made to the file and then detect which IPs are added or removed from the file.

Additionally, if you're interested, I plan on making a REST API to list, add, or remove source IPs, IP ranges, etc. I have no ETA on when I'll implement this feature since I'm going through a lot right now, but it will happen at some point in the future :)

gamemann, Jul 05 '25 14:07

Hi! I'm so glad you were able to move to a new place.

Yes, that's exactly what I did. A Python program that, in my case, inspects the IP sets I've defined, generates a delta, and uploads it to the firewall's .conf file. Taking advantage of the firewall's ability to reload its configuration periodically, it only adds or removes IPs that have changed, which makes it more efficient. It also has an API to invoke bulk IP set updates (regional blocks).

With that, I was able to solve the problem. I'm not a programmer. I used AI to create the Python, but it worked fine. It won't let me attach Python files here, but I'm attaching the code in case you're interested for reference.

https://limewire.com/d/13HO8#fROq1IoiMb

geckotdf, Jul 05 '25 14:07
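A sketch of the delta approach discussed in the two comments above, added here as an example; it is not geckotdf's script and not code from the XDP-Firewall project. The function names, the `never_block` parameter, the one-entry-per-line file format and the IPv4-only handling are assumptions; only the `ip_drop_ranges` syntax and the `MAX_IP_RANGES` value come from the thread.

```python
import ipaddress

MAX_IP_RANGES = 4096  # limit quoted in the issue (#define MAX_IP_RANGES 4096)

# Constructed sample blocklist, not real indicators.
SAMPLE = """\
# regional block feed
192.168.1.0/24
10.3.0.0/25
10.3.0.128/25   # adjacent to the previous entry
10.3.0.5/25
203.0.113.7
not-an-ip
0.0.0.0/0
"""

def parse_blocklist(text):
    """Return (networks, rejected); accepts one IPv4 address or CIDR per line."""
    nets, rejected = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)  # host bits are masked off
        except ValueError:
            rejected.append(entry)
            continue
        if net.version != 4 or net.prefixlen == 0:  # a /0 would drop all traffic
            rejected.append(entry)
        else:
            nets.add(net)
    return nets, rejected

def plan_update(current, wanted, never_block=()):
    """Return (final, added, removed) after applying the safety checks."""
    protected = [ipaddress.ip_network(n) for n in never_block]
    kept = [n for n in wanted if not any(n.overlaps(p) for p in protected)]
    final = set(ipaddress.collapse_addresses(kept))  # merge adjacent/nested ranges
    if len(final) > MAX_IP_RANGES:
        raise ValueError(f"{len(final)} ranges exceed MAX_IP_RANGES={MAX_IP_RANGES}")
    return final, sorted(final - current), sorted(current - final)

def render_config(nets):
    """Format the ranges as the ip_drop_ranges line shown in the issue."""
    return "ip_drop_ranges = ( " + ", ".join(f'"{n}"' for n in sorted(nets)) + " );"

if __name__ == "__main__":
    wanted, bad = parse_blocklist(SAMPLE)
    final, added, removed = plan_update(set(), wanted, never_block=["203.0.113.0/24"])
    print(render_config(final), "| rejected:", bad)
```

Passing a management subnet in `never_block` keeps a bad feed entry from locking the operator out, and the `added`/`removed` lists are what a watcher would feed to `xdpfw-add` and `xdpfw-del` instead of rewriting the config.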

Hey, thank you!

That's a pretty neat script and impressive for AI from what I saw (I skimmed through the code)! Thank you for providing it.

At some point in the future, I do want to make a web panel for the firewall and allow users to add/remove IPs themselves (along with a REST API like I said before). No ETA on that, but I'd assume it may help given what you're using the script for right now.

gamemann, Jul 09 '25 00:07