Discussion:
[Twisted-Python] Blacklisting hosts
Judy Craig
2015-08-08 12:08:42 UTC
This is an automatic reply. I am away from the office for the summer, returning on Tuesday, August 25, 2015. I will be happy to get back to you then.

Enjoy your summer!

Judy Craig
Student Services

This email and any files transmitted with it may be confidential and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. If you are not the named addressee you should not disseminate, distribute or copy this email.
Chris Norman
2015-08-08 12:07:58 UTC
Hi all,
I am using Twisted to make a game server. I want to be able to ban IP
addresses. Currently I check if the host is in a blacklist, and if it
is, call abortConnection on the transport. It works fine, but I'm
thinking there should be a better way, to actively refuse the connection
in the first place?

Cheers,
Cory Benfield
2015-08-09 16:07:09 UTC
Post by Chris Norman
Hi all,
I am using Twisted to make a game server. I want to be able to ban IP addresses. Currently I check if the host is in a blacklist, and if it is, call abortConnection on the transport. It works fine, but I'm thinking there should be a better way, to actively refuse the connection in the first place?
I am not aware of any hook in the BSD socket API that lets you refuse a connection entirely. Generally, you put a socket into ‘listen’ mode (indicating to the OS that you’ll accept new connections), and then you call accept() to get the new connection. In fact, the OS will accept the connection even before you call accept(): it’ll do it asynchronously, and you will just get the FD for the connection. IIRC Windows has a winsock specific thing that might do what you want, but that’s pretty platform specific and probably doesn’t actually prevent the connection getting established anyway.

If you really want to never allow the connection at all, you’ll probably want to program iptables (or some other firewall if you aren’t on Linux) to do the packet filtering for you. A combination of iptables and ipsets will get you a high-performance IP address blacklist that will drop all packets before they ever reach your application.

Cory
Glyph
2015-08-10 02:32:12 UTC
Post by Cory Benfield
Post by Chris Norman
Hi all,
I am using Twisted to make a game server. I want to be able to ban IP addresses. Currently I check if the host is in a blacklist, and if it is, call abortConnection on the transport. It works fine, but I'm thinking there should be a better way, to actively refuse the connection in the first place?
I am not aware of any hook in the BSD socket API that lets you refuse a connection entirely. Generally, you put a socket into ‘listen’ mode (indicating to the OS that you’ll accept new connections), and then you call accept() to get the new connection. In fact, the OS will accept the connection even before you call accept(): it’ll do it asynchronously, and you will just get the FD for the connection. IIRC Windows has a winsock specific thing that might do what you want, but that’s pretty platform specific and probably doesn’t actually prevent the connection getting established anyway.
If you really want to never allow the connection at all, you’ll probably want to program iptables (or some other firewall if you aren’t on Linux) to do the packet filtering for you. A combination of iptables and ipsets will get you a high-performance IP address blacklist that will drop all packets before they ever reach your application.
There is a shortcut in Twisted, at least, although it does not actually refuse the initial connection for the reasons listed above; you can examine the "addr" passed to IProtocolFactory.buildProtocol and return None.

-glyph
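Both approaches from the thread side by side, as an added example (not code from the thread, nor Twisted's own): the original "accept, then abortConnection" check lives in a protocol, and Glyph's shortcut inspects the addr passed to buildProtocol and returns None. It goes a little beyond the question by accepting CIDR ranges as well as single hosts, via the standard library ipaddress module. It assumes Twisted's Factory/Protocol API; if Twisted is not installed, a minimal stand-in with the same two methods is used so the logic still executes. Peer, FakeTransport and the RFC 5737 documentation addresses are constructed test doubles and sample data, not anything from the list discussion.

```python
import ipaddress
from collections import namedtuple

try:
    from twisted.internet.protocol import Factory, Protocol
except ImportError:
    # Assumption: Twisted may not be installed where this runs. These stand-ins
    # mirror just enough of Factory/Protocol for the blacklist logic to execute.
    class Protocol:
        def makeConnection(self, transport):
            self.transport = transport
            self.connectionMade()

        def connectionMade(self):
            pass

    class Factory:
        protocol = None

        def buildProtocol(self, addr):
            p = self.protocol()
            p.factory = self
            return p


class HostBlacklist:
    """Banned hosts as single addresses or CIDR networks (IPv4 or IPv6)."""

    def __init__(self, entries=()):
        self._networks = [ipaddress.ip_network(e, strict=False) for e in entries]

    def add(self, entry):
        self._networks.append(ipaddress.ip_network(entry, strict=False))

    def is_banned(self, host):
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            # Not an IP literal (e.g. a UNIX socket path): nothing to match against.
            return False
        return any(ip in net for net in self._networks)


class GameProtocol(Protocol):
    def connectionMade(self):
        self.transport.write(b"welcome\n")  # stands in for the game's real greeting


class AbortingProtocol(GameProtocol):
    """The pattern from the question: the protocol is built, then aborted."""

    def connectionMade(self):
        if self.factory.blacklist.is_banned(self.transport.getPeer().host):
            self.transport.abortConnection()
            return
        super().connectionMade()


class BlacklistingFactory(Factory):
    """Glyph's shortcut: inspect addr in buildProtocol and return None."""

    protocol = GameProtocol

    def __init__(self, blacklist):
        self.blacklist = blacklist
        self.rejected = []  # refused hosts, useful to feed monitoring or rate alerts

    def buildProtocol(self, addr):
        host = getattr(addr, "host", None)  # IPv4Address/IPv6Address carry .host
        if host is not None and self.blacklist.is_banned(host):
            self.rejected.append(host)
            # The TCP handshake already completed in the kernel (Cory's point);
            # returning None makes Twisted close the accepted socket without
            # ever constructing a protocol for it.
            return None
        return super().buildProtocol(addr)


# Constructed test doubles so the example runs without a reactor.
Peer = namedtuple("Peer", ["host", "port"])  # plays Twisted's IPv4Address here


class FakeTransport:
    def __init__(self, host):
        self._peer = Peer(host, 4000)
        self.aborted = False
        self.written = b""

    def getPeer(self):
        return self._peer

    def abortConnection(self):
        self.aborted = True

    def write(self, data):
        self.written += data


if __name__ == "__main__":
    # Sample entries use RFC 5737 documentation ranges (constructed data).
    banned = HostBlacklist(["203.0.113.7", "198.51.100.0/24"])
    factory = BlacklistingFactory(banned)
    print(factory.buildProtocol(Peer("203.0.113.7", 4000)))  # None
    print(factory.buildProtocol(Peer("192.0.2.1", 4000)))    # a GameProtocol
```

The factory variant is cheaper than the protocol variant because no protocol object is created for a banned peer, but in both cases the peer has already completed the handshake and merely sees the connection closed; a blacklist that must keep packets away from the process altogether still belongs in the host firewall, as Cory describes.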
Chris Norman
2015-08-10 21:43:31 UTC
Hello,
Post by Glyph
Post by Cory Benfield
Post by Chris Norman
Hi all,
I am using Twisted to make a game server. I want to be able to ban IP addresses. Currently I check if the host is in a blacklist, and if it is, call abortConnection on the transport. It works fine, but I'm thinking there should be a better way, to actively refuse the connection in the first place?
I am not aware of any hook in the BSD socket API that lets you refuse a connection entirely. Generally, you put a socket into ‘listen’ mode (indicating to the OS that you’ll accept new connections), and then you call accept() to get the new connection. In fact, the OS will accept the connection even before you call accept(): it’ll do it asynchronously, and you will just get the FD for the connection. IIRC Windows has a winsock specific thing that might do what you want, but that’s pretty platform specific and probably doesn’t actually prevent the connection getting established anyway.
If you really want to never allow the connection at all, you’ll probably want to program iptables (or some other firewall if you aren’t on Linux) to do the packet filtering for you. A combination of iptables and ipsets will get you a high-performance IP address blacklist that will drop all packets before they ever reach your application.
There is a shortcut in Twisted, at least, although it does not actually refuse the initial connection for the reasons listed above; you can examine the "addr" passed to IProtocolFactory.buildProtocol and return None.
This is perfect, thanks. It would have been better to refuse the connection entirely, but as Cory said, I can use iptables if I get desperate.
Post by Glyph
-glyph
_______________________________________________
Twisted-Python mailing list
http://twistedmatrix.com/cgi-bin/mailman/listinfo/twisted-python
Chris Norman
2015-08-10 21:40:21 UTC
Hello,
Post by Chris Norman
Hi all,
I am using Twisted to make a game server. I want to be able to ban IP addresses. Currently I check if the host is in a blacklist, and if it is, call abortConnection on the transport. It works fine, but I'm thinking there should be a better way, to actively refuse the connection in the first place?
I am not aware of any hook in the BSD socket API that lets you refuse a connection entirely. Generally, you put a socket into ‘listen’ mode (indicating to the OS that you’ll accept new connections), and then you call accept() to get the new connection. In fact, the OS will accept the connection even before you call accept(): it’ll do it asynchronously, and you will just get the FD for the connection. IIRC Windows has a winsock specific thing that might do what you want, but that’s pretty platform specific and probably doesn’t actually prevent the connection getting established anyway.
If you really want to never allow the connection at all, you’ll probably want to program iptables (or some other firewall if you aren’t on Linux) to do the packet filtering for you. A combination of iptables and ipsets will get you a high-performance IP address blacklist that will drop all packets before they ever reach your application.
Thanks for that. I was sort of hoping for a Pythonic solution that doesn't rely on subprocess etc., particularly as I want this server to run on any OS you throw at it. Thanks for the idea though, I'll certainly use that if I get something that a little Python can't handle.
Cory