Allow subnet notation (i.e xxx.xxx.xxx.xxx/24) in permanent ban strings

[ravetroll]

I noticed a lot of bans on individual ip address coming from a /24 subnet. I would like to be able to enter a wildcard ban on a subnet to permanent bans but it is not currently possible as the wildcard is not a valid ip address

[devnulli]

we must stick to what the windows advanced firewall can do. wildcards, it cannot. but i will add support for ip ranges like 192.168.0.0/24 to the ban list

[JReming85]

Off topic but would love to see dynamic/fqdn whitelists. Been using a script + cron to parse some of my ACL lists to read a fqdn and convert it to ip while updating it if it changes every so often.

Just not sure how much of an extra load that would introduce

[devnulli]

heres an interesting thing:

https://social.msdn.microsoft.com/Forums/ie/en-US/32614b57-f3a3-437f-a659-4777f5e6bd68/windows-firewall-limits?forum=wfp

they ARE talking about performance degradation when you significantly boost the numbers up, for example, when you roll out a * into ips

they DONT say where that number lies though

[JReming85]

Yea depending on version can be anywhere between 500-1000 per rule

[ravetroll]

Does this mean that EvlWatcher cannot push more than 1000 addresses into its block list? Mine currently has 1543 permanent bans?

[JReming85]

Thats per rule, there is no limit to what EvlWatcher an block just how fast your system can read all the rules it creates.

[ravetroll]

There is only 1 EvlWatcher rule in my system. Its in Inbound Rules and called EvlWatcher.

[devnulli]

it can push UNIT32 filters per rule (the banned ips) and UINT64 rules (1 rule called Evlwatcher).

to practically, theres no real limit. ill make a load test because im curious though haha

[foxontherock]

I think an option to always add ban to subnet .0/24 by default, instead of a specific IP, can be interesting. Lots of my permanently banned IPs are from the same subnet.

[gavin2812]

Hi there, I think this would be a great addition, i keep on seeing various IP addresses all part of a /24 (or greater).

I have 2.1.5 installed and cannot see how to do this, did it get implemented in 2.1.4?

If not, would be great to see this feature.

Thank you.

[Portiella]

news?

[MsternSC]

Doesn't look like it was added here https://github.com/devnulli/EvlWatcher/pull/80. The windows firewall does seem to support IP ranges.

[dennisverspuij]

Would be awesome if this was added soon, would reduce my banlist 80% (and perhaps improve firewall performance?). I wouldn't mind manually replacing IP's with CIDR's in the banlist. CIDR notation is configured same way as single IP in the Windows firewall, so it seems to me the only thing EvlWatcher needs to do is accept slashes in the input box and service handling. I tried adding CIDR in config.xml manually but the service throws exception. Thanks for the software!

[devnulli]

it wasent? hm crazy. i remember doing something with subnets... well, i will look at it again.

[Henkex76]

+1 on that. Would be great as the intruders often seem to use the same subnet.

[shmightworks]

I think sorting the IPs on the ban list, then letting you multi-select a group of them to replace with their subnet group equivalent would be nice. This is what I've been manually doing, copying the list to excel, sorting it, looking big chunks, adding the subnet in another firewall rule, then one by one delete the ips off evlwatcher. Very tedious work which I must do every now and then to keep the evlwatcher list down.