  1. #1
    Join Date
    December 2009
    Location
    Germany
    Posts
    289

    [Request] Whitelist before Blacklist

    I have a problem. I want to blacklist all IPs but exclude some entries, which should have the ability to connect.

    I've configured the blacklist with "0.0.0.0/0" to block all, and have added all the entries I want to exclude to the whitelist file. But now all IPs are unable to connect.

    Is there a possibility to change the behavior of that mechanism, so this could be possible, or is there another way to make this situation possible?

  2. #2
    Join Date
    December 2004
    Location
    RF
    Posts
    3,008
    Make use of your firewall.

  3. #3
    Join Date
    January 2010
    Location
    germany
    Posts
    34
    I have the same problem,

    wanna blacklist all IPs, then whitelist localhost and another admin IP.

    Don't know why it isn't implemented yet

  4. #4
    Join Date
    December 2004
    Location
    RF
    Posts
    3,008
    It is already implemented for like... erm... 30? 40 years?
    Use SSH port forwarding and don't publish your query port at all.

  5. #5
    Join Date
    January 2010
    Location
    germany
    Posts
    34
    That's just a workaround.

    I could also use iptables drop, but why should I add an iptables entry if the server can block all and then whitelist 1-2 IPs.

    my workaround:
    Code:
    iptables -A INPUT -p tcp --dport 10011 -s 123.123.123.123 -j ACCEPT
    iptables -A INPUT -p tcp --dport 10011 -s 223.223.223.223 -j ACCEPT
    iptables -A INPUT -p tcp --dport 10011 -j REJECT --reject-with icmp-port-unreachable
    Last edited by pepterp; June 2nd, 2010 at 10:16 PM.

  6. #6
    Join Date
    December 2004
    Location
    RF
    Posts
    3,008
    Originally posted by pepterp:
    That's just a workaround.
    No, it's normal use of normal tools.
    It's not up to the voice server to watch over the network and work the task of a firewall.

    I could also use iptables drop, but why should I add an iptables entry if the server can block all and then whitelist 1-2 IPs.
    Because it's firewall work to handle access on a network level.

    my workaround:
    As I said earlier, it's wrong to the point of insanity.
    What if you happen to be away from home and urgently need to access the server?
    You'll use an ssh client, and for that, you are already local and don't need any access lists at all.
    Either forward the query port or just use telnet inside the ssh session.

  7. #7
    Join Date
    December 2009
    Location
    Germany
    Posts
    289
    Folks, I only want to know if there is a possibility to make this possible only with ts3-server.

    The thing is, that this could be a method to secure the server, and also give a viewer the ability to connect, without needed knowledge about the firewall-system.

    This isn't a problem for me, because I use a VPN-Connection for this, but this could be a feature, which is needed by other people, who want a simple solution for this situation.

  8. #8
    Join Date
    March 2009
    Location
    Germany
    Posts
    74
    Why not just block the IPs you want to block using the blacklist instead of all?

    You are right, the lists are processed in the wrong order, but I don't think the TS team will fix this - they have much more important things to do like adding spacers and such gimmicks...

  9. #9
    Join Date
    December 2004
    Location
    RF
    Posts
    3,008
    Nothing wrong with having temporary blacklist.
    But more persistent security means is outside of the application scope.

  10. #10
    Join Date
    December 2004
    Location
    RF
    Posts
    3,008
    Originally posted by Master_D:
    Folks, I only want to know if there is a possibility to make this possible only with ts3-server.

    The thing is, that this could be a method to secure the server, and also give a viewer the ability to connect, without needed knowledge about the firewall-system.

    This isn't a problem for me, because I use a VPN-Connection for this, but this could be a feature, which is needed by other people, who want a simple solution for this situation.
    "Guys, I only want to secure my house. Don't tell me about walls, door locks etc."

  11. #11
    Join Date
    March 2009
    Location
    United States
    Posts
    144
    Not all TS hosts want to give their clients access to the server's firewall, so modifying the firewall is not always a possible solution. For example, if someone is a reseller and his server is running 20 virtual servers, a firewall will block a connection to all 20 servers. If you implement per-port filtering maybe, but TeamSpeak is going to get domain filtering soon so you can host all 20 virtual servers on the same port.

    It's a valid request, stop harassing them over it with your 'ideal' solution. There is something to be said for a little courtesy, instead of responding to everything with an "I'm better than you" attitude. I know for sure I won't be giving some stranger access to my firewall configuration.

    On top of this, it is better for TeamSpeak to deny the connection so the end user is given a proper error response to his valid connection request. 'Connection timed out' is vague and leads to confusion.

    Insisting that blocking the connection at the firewall is the only way it should be done is ignorant at best.

  12. #12
    Join Date
    December 2004
    Location
    RF
    Posts
    3,008
    Draygo, you should know better what you're speaking about, before clicking "Post" button.

  13. #13
    Join Date
    March 2009
    Location
    Germany
    Posts
    74
    Originally posted by ANR Daemon:
    Draygo, you should know better what you're speaking about, before clicking "Post" button.
    Could you please stop replying to this thread because you don't give constructive answers. Thank you!

  14. #14
    Join Date
    December 2004
    Location
    RF
    Posts
    3,008
    Originally posted by an3kk:
    Could you please stop replying to this thread because you don't give constructive answers. Thank you!
    Could you please understand that the above-mentioned poster is making claims more ridiculous than those of the topic starter?

  15. #15
    Join Date
    March 2009
    Location
    Germany
    Posts
    74
    Originally posted by ANR Daemon:
    "Guys, I only want to secure my house. Don't tell me about walls, door locks etc."
    This statement proves that you must be a kid. He wants to secure the TS server. He is NOT talking about the whole dedicated server, perhaps the server is already secured or not, however we don't know.

    Your comparison, written in a childish style, is about securing the whole dedicated server (house) but not the TS server (a room).

    Go and get a hobby and stop annoying other people with your completely useless posts.

    @ Moderators ... where are you when we really need you? Thanks
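
The evaluation-order question raised in this thread, as an added Python illustration (not TeamSpeak's code and not written by any poster): it assumes a blacklist-first order is what produces the reported lockout, and the addresses, list contents and function names are constructed for the example.

```python
import ipaddress

# Constructed sample lists mirroring the first post: block everything,
# then exempt localhost and one admin address (documentation range).
BLACKLIST = ["0.0.0.0/0"]
WHITELIST = ["127.0.0.1", "203.0.113.10"]


def parse(entries):
    """Turn address or CIDR strings into ip_network objects."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def in_list(addr, networks):
    """True if addr falls inside any listed network of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def blacklist_first(addr, whitelist, blacklist):
    """Blacklist wins: a 0.0.0.0/0 entry shadows every whitelist entry,
    so the whitelist argument is never consulted for a blocked address."""
    if in_list(addr, parse(blacklist)):
        return "deny"
    return "allow"


def whitelist_first(addr, whitelist, blacklist):
    """Whitelist wins: listed addresses pass before the blacklist is read."""
    if in_list(addr, parse(whitelist)):
        return "allow"
    if in_list(addr, parse(blacklist)):
        return "deny"
    return "allow"


def compare(addrs, whitelist=WHITELIST, blacklist=BLACKLIST):
    """Return {addr: (blacklist_first result, whitelist_first result)}."""
    return {a: (blacklist_first(a, whitelist, blacklist),
                whitelist_first(a, whitelist, blacklist)) for a in addrs}


if __name__ == "__main__":
    sample = ["127.0.0.1", "203.0.113.10", "198.51.100.7"]
    for addr, (bf, wf) in compare(sample).items():
        print(f"{addr:15} blacklist-first={bf:5} whitelist-first={wf}")
```

With a block-all entry, only the whitelist-first order lets the two exempted addresses through while still denying everyone else.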
