Banning a Country in KeyHelp

Post by **Alexander** » Mon 20. Jan 2025, 10:20

Regarding the limitations by KeyHelp, you can use up to 16.777.215 characters in total.

Lets assume, all IPv4 address (+masks) have this format (including comma).

"XXX.XXX.XXX.XXX/XX," = 19 characters

16.777.215 / 19 = 883.011

So you would be able to use 883.011 IPv4 addresses

Note:
- This does not take into account IPv6 addresses
- I have not checked if there are limits by IPTables (so you probably can use less addresses)
- Like pointed out, this could become rather inefficient to handle (on the firewall end, as well as in the UI).

Chalipa · Post by **Chalipa** » Wed 22. Jan 2025, 00:19

Alexander wrote: ↑Mon 20. Jan 2025, 10:20 Regarding the limitations by KeyHelp, you can use up to 16.777.215 characters in total.

Lets assume, all IPv4 address (+masks) have this format (including comma).

"XXX.XXX.XXX.XXX/XX," = 19 characters

16.777.215 / 19 = 883.011

So you would be able to use 883.011 IPv4 addresses

Note:
- This does not take into account IPv6 addresses
- I have not checked if there are limits by IPTables (so you probably can use less addresses)
- Like pointed out, this could become rather inefficient to handle (on the firewall end, as well as in the UI).

So, just to make sure I have understood this correctly:

883 IPv4 can be saved in EACH RULE in the firewall to ensure its proper operation.

Correct?

Post by **Jolinar** » Wed 22. Jan 2025, 00:27

Chalipa wrote: ↑Wed 22. Jan 2025, 00:19 So, just to make sure I have understood this correctly:
883 IPv4 can be saved in EACH RULE in the firewall to ensure its proper operation.
Correct?

No!
Please read carefully again!

Alexander wrote: ↑Mon 20. Jan 2025, 10:20 So you would be able to use 883.011 IPv4 addresses

24unix · Post by **24unix** » Wed 22. Jan 2025, 00:51

Mind the difference between dot and comma.

Post by **Tobi** » Thu 5. Jun 2025, 16:52

Is it possible to place plain TXT files with IPs to ban and include these files in the KeyHelp setup?

With this setup one could ban a whole country within the file „countryland.txt“ and „anotherland.txt“ and so on.

Ralph · Post by **Ralph** » Thu 5. Jun 2025, 17:34

Tobi wrote: ↑Thu 5. Jun 2025, 16:52 Is it possible to place plain TXT files with IPs to ban and include these files in the KeyHelp setup?

If possible, use an external FW and turn off the internal one. This prevents the ipset rules from being deleted in the event of a FW flush.
It causes less load when reloading (restore) the blacklists with many IP addresses ... country blocks can be loaded once at system startup via cronjob; they do not need to be updated constantly.
If no external FW is available, then a script would have to be executed after a flush to reload and activate your ipsets.

Post by **Tobi** » Thu 5. Jun 2025, 18:15

I don‘t want to disable the KeyHelp firewall.
I want to extend the KeyHelp firewall.

As you said, contry-Ip-ranges don‘t need to be updated very often.

Banning a Country in KeyHelp

Re: Banning a Country in KeyHelp

Re: Banning a Country in KeyHelp

Re: Banning a Country in KeyHelp

Re: Banning a Country in KeyHelp

Re: Banning a Country in KeyHelp

Re: Banning a Country in KeyHelp

Re: Banning a Country in KeyHelp