Crossfire Archive

CF: Re:Banning players



On Dec 8, 11:27am, Pertti Karppinen (OH6KTR) wrote:

> The ban file is a bit restricted. Allow file would be better :)
> For example, if connection from one IP is to be allowed, one would have
> to put all the other godzillion (256*256*256*255) IPs to the ban-file.
> I doubt that the server would be a bit busy at every connection attempt,
> don't You?


 Actually, allowing some form of ordering the ban file should perhaps be added.
 So for example, putting a ! in front means deny those hosts, otherwise allow
them.  When a player connects, we go through the file and store the results.
 So for example, a file could be:

!*
129.214.*
!129.214.171.*

 So if I come from 129.214.214.53, it first matches the *, which is a deny.
 Proceeds to the next line, which allows it, goes to the next line which isn't
a match, so it skips.

 However, if I am playing from 129.214.171.84, first line denies, next line
allows, next line denies, so I can not play.

 This could make it very easy to allow/not allow lots of hosts.

 As far as forking and DNS lookups - could be done.  However, you don't want to
fork all of crossfire - you really want a small program that forks off and
handles that.  But it also adds a bit of complexity to the program which I am
not sure is really needed (if someone connects, you need to put them on hold
while you wait for the name resolution from the fork program, and then come
back.)  This isn't too bad if you only allow one lookup at a time - however, a
user could easily deny services to a server (pissed at server admin) by coming
from a host with broken/slow dns - when the server kicks him off for not
allowing name resolution, he just retries again.

 If you allow multiple lookups at the same time, you run the risk of some user
trying to do 50 connects at the same time and having 50 forked processes
running.

 Both of these attacks may be minor risks.  I guess it really depends - how
many people actually use the ban file, and how many that do actually want to be
able to use domain names instead of just ip numbers?


-- 

-- Mark Wedel
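
The ordered matching proposed in the message above, as an added example (not code from Crossfire or from the author of the message): every rule is read in file order and the last rule that matches decides. The names `check_host`, `ACCESS_ALLOW` and `ACCESS_DENY` are hypothetical, the patterns are matched with POSIX `fnmatch`, and allowing a host that matches no rule at all is an assumption.

```c
#include <fnmatch.h>
#include <stddef.h>
#include <stdio.h>

#define ACCESS_DENY  0
#define ACCESS_ALLOW 1

/* Constructed sample: the three-line ban file from the message. */
static const char *const sample_rules[] = { "!*", "129.214.*", "!129.214.171.*" };
#define SAMPLE_RULE_COUNT (sizeof(sample_rules) / sizeof(sample_rules[0]))

/*
 * Walk every rule in file order and keep the verdict of the most recent
 * rule whose pattern matches the host. A leading '!' marks a deny rule.
 * Assumption: a host that matches no rule at all is allowed.
 */
int check_host(const char *const *rules, size_t count, const char *host)
{
    int verdict = ACCESS_ALLOW;
    size_t i;

    for (i = 0; i < count; i++) {
        const char *pattern = rules[i];
        int deny = (pattern[0] == '!');

        if (deny)
            pattern++;              /* strip the '!' marker */
        if (*pattern == '\0')
            continue;               /* ignore empty rules */
        if (fnmatch(pattern, host, 0) == 0)
            verdict = deny ? ACCESS_DENY : ACCESS_ALLOW;
        /* no match: the rule is skipped and the earlier verdict stands */
    }
    return verdict;
}

int main(void)
{
    /* Constructed sample hosts: the two from the message plus an outsider. */
    const char *hosts[] = { "129.214.214.53", "129.214.171.84", "10.0.0.1" };
    size_t i;

    for (i = 0; i < sizeof(hosts) / sizeof(hosts[0]); i++)
        printf("%-16s %s\n", hosts[i],
               check_host(sample_rules, SAMPLE_RULE_COUNT, hosts[i])
                   ? "allow" : "deny");
    return 0;
}
```

The single-allowed-IP case from the quoted question becomes a two-line file under this scheme: `!*` followed by the one permitted address.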
