Blocking hosts by IP

I'd like the ability to block individual hosts by IP/netblock. I'm running Linux and Windows servers. My Linux servers all have APF on them.

Here's the "hack" I've come up with that seems to work pretty well.

On Linux I run
Code:
route add -host bad.host.ip reject
On Windows I run
Code:
route add bad.host.ip mask 255.255.255.255 169.254.1.1
Note on Windows that 169.254.1.1 is the address I've assigned to a loopback interface I installed.

So the bad IP's packets make it to my systems, but never return.

I maintain two lists of IPs, one with the Linux syntax and one with the Windows syntax (but the IPs in them are the same). The lists are both scripts (a batch file in the Windows case). My servers connect to a central repository, download their respective script and run it once a day (which I may change to hourly). This keeps my IP bans on all my systems up to date.

So my question is, is there a better way to do this?

I know I can block by IP in APF on Linux, but adding hosts to the APF list like this would require scripting that is beyond me (adding IPs to hosts.deny would be easy with an echo, but I don't know how to remove them). Can APF have multiple "block" files?

On both systems the routing table will get bigger and bigger over time; I don't know if there's a limit to the tables or if this will cause a performance impact. Any thoughts?

Am I totally nuts doing all this work (well, it's automated now)? Is there some software that does this specific thing?

Thanks all for your input.
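The removal problem the post raises (adding to a list is an echo, removing from it is the hard part) goes away if the script treats the blocklist as the desired state and diffs it against what the kernel currently has, rather than replaying a list of add commands. The following is an added example, not the poster's scripts: it assumes a plain-text file with one IP or CIDR per line (comments allowed), the iproute2 `ip` command on Linux, and uses the `blackhole` route type as the iproute2 equivalent of the `route add -host X reject` trick; the file path and function names are my own.

```shell
#!/bin/sh
# Synchronise Linux null routes against a blocklist file.
# Added example, not the poster's own scripts. Assumes a file with one
# IP or CIDR per line ('#' comments and blank lines allowed) and the
# iproute2 'ip' command; the default filename and the 'blackhole' route
# type (silent drop, same effect as the 'route add -host X reject'
# hack in the post) are my choices.
export LC_ALL=C   # consistent sort/comm collation

# Read a blocklist on stdin, drop comments/blank lines, and give bare
# addresses a /32 so they compare equal to what the kernel reports.
normalise() {
  sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' \
    | grep -v '^$' \
    | sed '/\//!s#$#/32#' \
    | sort -u
}

# Prefixes currently null-routed by the kernel, in the same canonical form.
current_blackholes() {
  ip -4 route show type blackhole 2>/dev/null \
    | awk '$1 == "blackhole" { print $2 }' \
    | normalise
}

# Compare a desired list (file) with the current list (file) and print
# one "add PREFIX" or "del PREFIX" line per change. Both files must be
# sorted, which normalise guarantees.
plan() {
  comm -23 "$1" "$2" | sed 's/^/add /'
  comm -13 "$1" "$2" | sed 's/^/del /'
}

# Apply a plan: anything on the list but not in the kernel gets a
# blackhole route; anything in the kernel but no longer on the list is
# removed. Needs root.
apply() {
  plan "$1" "$2" | while read -r action prefix; do
    case $action in
      add) ip route add blackhole "$prefix" ;;
      del) ip route del blackhole "$prefix" ;;
    esac
  done
}

main() {
  list=${1:-/etc/badhosts.txt}        # assumed path
  desired=$(mktemp); current=$(mktemp)
  normalise < "$list" > "$desired"
  current_blackholes > "$current"
  apply "$desired" "$current"
  rm -f "$desired" "$current"
}

# Run as: ./sync-blackholes.sh --apply /path/to/badhosts.txt
if [ "${1:-}" = "--apply" ]; then
  main "$2"
fi
```

Because the script converges on the list instead of appending to the routing table, a host that is dropped from the central list is un-routed on the next run, and re-running it hourly costs nothing when nothing changed. The same diff-and-apply shape carries over to the other two mechanisms mentioned in the post: on Windows, parse `route print` for the current entries and issue `route add`/`route delete` against the 169.254.1.1 loopback gateway, and on the APF boxes swap the `ip route` calls for `apf -d HOST` and `apf -u HOST` so the deny rules live in APF rather than in the routing table.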
