[Twisted-Python] Blacklisting hosts
Hi all, I am using Twisted to make a game server. I want to be able to ban IP addresses. Currently I check if the host is in a blacklist, and if it is, call abortConnection on the transport. It works fine, but I'm thinking there should be a better way, to actively refuse the connection in the first place? Cheers,
I am not aware of any hook in the BSD socket API that lets you refuse a connection entirely. Generally, you put a socket into ‘listen’ mode (indicating to the OS that you’ll accept new connections), and then you call accept() to get the new connection. In fact, the OS will accept the connection even before you call accept(): it’ll do it asynchronously, and you will just get the FD for the connection. IIRC Windows has a winsock specific thing that might do what you want, but that’s pretty platform specific and probably doesn’t actually prevent the connection getting established anyway. If you really want to never allow the connection at all, you’ll probably want to program iptables (or some other firewall if you aren’t on Linux) to do the packet filtering for you. A combination of iptables and ipsets will get you a high-performance IP address blacklist that will drop all packets before they ever reach your application. Cory
Hello,
Thanks for that. I was sort of hoping for a Pythonic solution that doesn't rely on SubProcess ETC, particularly as I want this server to run on any OS you throw at it. Thanks for the idea though, I'll certainly use that if I get something that little Python can't handle.
I am not aware of any hook in the BSD socket API that lets you refuse a connection entirely. Generally, you put a socket into ‘listen’ mode (indicating to the OS that you’ll accept new connections), and then you call accept() to get the new connection. In fact, the OS will accept the connection even before you call accept(): it’ll do it asynchronously, and you will just get the FD for the connection. IIRC Windows has a winsock specific thing that might do what you want, but that’s pretty platform specific and probably doesn’t actually prevent the connection getting established anyway. If you really want to never allow the connection at all, you’ll probably want to program iptables (or some other firewall if you aren’t on Linux) to do the packet filtering for you. A combination of iptables and ipsets will get you a high-performance IP address blacklist that will drop all packets before they ever reach your application. Cory
Hello,
Thanks for that. I was sort of hoping for a Pythonic solution that doesn't rely on SubProcess ETC, particularly as I want this server to run on any OS you throw at it. Thanks for the idea though, I'll certainly use that if I get something that little Python can't handle.
participants (3)
-
Chris Norman -
Cory Benfield -
Glyph