This entry is a user-made guide and not verified by any eMule developer, but is still a helpfull addition for most users. You you can find questions and comments on this topic in a dedicated thread on our forum.
How to filter IPs in eMule with ipfilter.dat
Update: I've revamped this old guide as of Feb 6, 2004, almost a year later. Yow!
This is a guide for those people wanting to use the built-in IP filtering feature of eMule. I've written it with the lowest common denominator of readers in mind that have a fairly low level of knowledge about these things. Advanced users could probably just check out the URLs and code examples and figure things out for themselves, but they'd be missing out my terrible grammar and voracious wit.
If you wish to get right to the action, then you will definitely need to use Bluetack's blocklist manager (Instructions found here) and Bluetack's blocklist converter. These programs make very light work of using and merging public block lists. The Blocklist Manager pretty much does automatically everything we'll be doing by hand in this guide. I also suggest just hitting all of bluetack.co.uk for related tools and public blocklists (Props to seraphielx for all this information, folks).
Before you start, be aware that using a firewall, Peerguardian, or Protowall might suit your blocking requirements a bit better than using eMule's built-in filter. The main reasons for not using such programs are concern over resources/ram, compatability with eMule or other programs, stability, being a minimalist, and handling larger blocklists. That said, Protowall is striving to allow much larger blocklists with less resources used, so you might want to check it out.
Preliminary:
QUOTE | I don't like the idea to make filtering too easy (@ runtime). This function should require some knowledge & attention, otherwise people will filter IPs/Ranges easily and cry about less sources later. -- Ornis+ |
Keep this in mind. If it happens that you have problems later, try editing your ipfilter.dat and restarting eMule before complaining. --What an IP is-- First of all, if you don't know what an IP is, read this from howstuffworks.com. One way to find your own IP is to go to whatismyip.com. You can also convert your eMule ID to your IP, or just read it in the 'My Info' window on eMule's server tab. Basically, IPs are used to identify computers, and IP ranges are used to identify networks or subnets of computers. Now, logically, you might want to restrict some of these IPs from accessing your precious eMule. --Client Version Notes-- Filtering in eMule was supported in official clients 26b and later, and certain earlier mods. When I think of "the golden era of emule", I think of 26b. I couldn't imagine anyone still using it, but if you are, and you want to filter IPs, please get a newer version. Even if you do use a version later than 26b, you might want to get a newer version as they allow refreshing the ipfilter.dat without restarting eMule, changing the filter level, and filtering servers. --Filtering Types-- EMule uses a two-way ban for IPs on its filter list. That means there is no uploading OR downloading from banned IPs. Generally, you will probably want to filter uploaders of corrupt data, invalid sources, enemies of p2p programs, and other agencies involved in p2p surveillance. Some people also take an active role in filtering out leechers. Information on how to obtain these IPs can be found later in this guide. Also, eMule uses a default 'allow' for connections, meaning that everything is allowed communication unless it's on the blocklist. This is opposed to the generally safer method of rejecting everything by default except what is marked as "allowed", but eMule doesn't allow the use of this method at present. And, besides, you would probably lose a ton of sources this way. Keep in mind that blocking IPs through a firewall is probably better than using ipfilter.dat, which only functions for eMule. Firewalls are much more comprehensive, and don't have some of the limitations of ipfilter.dat. They display filtered activity a bit better and have more filtering options. However, using ipfilter.dat with eMule has advantages in that using a single program instead of two more might save your computer some resources, and some firewalls have negative interactions with eMule. Where is the IP filter located?EMule's blocklist takes the form of ipfilter.dat, which resides in your main emule directory. You can get to ipfilter.dat through eMule's Preferences>Security tab and clicking on 'edit'. Or, you can open up the file from your eMule directory. For more information on filter settings in the Security tab, read the eMule FAQ page. If you haven't done any filtering yet, then you might need to create the file yourself by making a blank .txt file in notepad and saving it as ipfilter.dat Resources:We'll need these URLs for composing the blocklist. - eMule ipfilter FAQ page- Bluetack's blocklist converter- Bluetack's blocklist manager (Instructions found here) - Peerguardian's blocklist (click on ipdatabase and download guarding.p2p) - public.lamerfree.net/ipfilter.htm- cDonkey's Blocklist- P2P Bad IP List-Internet Number Registries: ARIN.net(USA, Canada, Central and South America) RIPE.net(Europe) APNIC.net(Asia, New Zealand and Austraila) Setting Up The Filter:Open up ipfilter.dat, as stated previously. At the head of the file, you can use hashes to mark off notes, as I've done here: CODE | # ipfilter.dat # # All entered IP ranges will be blocked # in eMule for both Up- and Downloading. # Be extremely careful what you enter here. # Wrong entries may totally block eMule from accessing the network. # # Format: # IP-Range , Access Level , Description # Ip-Ranges of different entries cannot overlap. # # Access Levels: # 0-126 blocked # 127-255 permitted # # Put versions, dates, and URLs from the most-recent update here
064.094.089.000 - 064.094.089.255 , 100 , Gator.com 066.035.250.203 - 066.035.250.203 , 200 , SourceForge.net 013.020.222.112 - 013.020.222.112 , 230 , Somethingawful.com
|
You can just cut and paste my header, but hold off on the two entries below it. You can only use hashed comments in the header, and not between filter entries or anything like that. --Entry Format-- Notice the format of the entries for Gator and SourceForge. The format is "IP-Range , Access Level , Description". The IP range should follow the format in the example. Even though an IP might be 64.94.1.89, it should be entered with leading zeros as 064.094.001.089. If you wish to block only a single IP, just enter it as a range as in the SourceForge example. --Filter and Access levels-- The filter level and access levels might be a bit confusing, so I'll illustrate it by example. For the above entries, and using the default filter level of 127 (from the Security tab), IP ranges with access levels below 127 will be blocked, and ones 128 and higher will be allowed, thus Gator will be blocked and the rest will not be blocked, as it should be. If I change the filter level to 220, I will be blocking Gator and Sourceforge, but allowing Somethingawful.com. You can assign different access levels to IP ranges of various risk and then activate or deactivate them depending on your filter level. Another benefit is that you can keep entries in your blocklist with a high access level just for future reference. Several public blocklists have ISPs that are set to high access levels. They aren't blocked, but are there just so that, when you do need to block them, all you need to do is change their access levels rather than look up their IPs and crap. I generally like to keep everything to 4 access levels with a default filter level of 127: -001 for evil, evil IPs that I always want blocked. -100 for generally blocked IPs. -110 for individual's IPs that I only want to temporarily block, such as until I'm done with a file or some retarded source. -120 for ISPs Ips that I only want to temporarily block, such as until I'm done with a file or some retarded source. -210 for individual source's IPs that I currently don't want to block, but might need to in the future. -220 for ISPs that I currently don't want to block, but might need to in the future. If I'm having trouble with some jerk who keeps using different IPs within his ISP, I'll look up his ISP and change it from 220 to 120 to block it. If I only need to block him, I'll use 110. By keeping entry types divided, I can use search and replace in a text editor to change access levels of several entries at once. If you do use search and replace, make sure you include some qualifiers. For instance, replace ", 111 , " with " , 100 , " and include the commas. Otherwise, we'll end up replacing all IPs that have a 111 somewhere in them. --Entry Descriptions-- The description of each entry will be displayed in your debug log entries when an IP is filtered, so be sure to include one when you add your IPs. If you can't see your debug log in eMule, you need to set preferences>extended settings>verbose mode on and look on the server screen. Groovy. Preliminary Test of The FilterNow, check and see if you filter is working for you. eMule loads ipfilter.dat on start, or when you click 'Refresh' in Preferences>Security. One way to see if it is working is to block the whole damn scary outside world. Add this entry to the filter (make sure it's the only entry): CODE | 000.000.000.000 - 255.255.255.255 , 100 , The world |
After you restart eMule, you shouldn't get any connections. Left-over activity from before your restart will show up in your debug log like this
CODE | 02/24/03 18:36:44: Filtered IP: 10.0.0.1 ( The world) |
You can then sit and look at statistics>clients>filtered rack up some numbers, and laugh evily at your newfound impenetrability.
Limitations The filter has problems when IP ranges overlap. So if you are filtering "the world", you can't put any other entries in there or they will overlap. Apparently, the filter will only use the first of overlapping ranges. So you'll probably want to manually look for overlapping ranges and delete undesired ones or at least arrange them so that the desired one comes first. The easiest way to look for overlaps is to keep the list in numerical order and check each new entry as you add it.
If you wanted to run eMule only on your little LAN, you'd only have these entries:
CODE | 000.000.000.000 - 009.255.255.255 , 100 , The world part 1 010.000.000.000 - 010.000.000.025 , 200 , My little LAN 010.000.000.026 - 255.255.255.255 , 100 , The world part 2 |
Of course you'd need a local server in this case... I think. Creating yer blocklistA good blocklist should contain IPs of known offenders from a public blocklist. A good one to start with is the peerguardian blocklist. Of course, you could always just use peerguardian instead of eMule for filtering, but that's beside the point. At Peerguardian, click on the IP database and download the GUARDING.P2P. If you open the file, you'll notice that it's a similar but different format than ipfilter.dat. So what you need to do is head on over to bluetack.co.uk, which has Bluetack's blocklist converter. --Using Bluetack's blocklist converter-- The official instructions can be found here. If you use a local proxy filter, like proxomitron, bypass it beforehand. Also, you might have problems with less than Internet Explorer 5.5. Now, you need to open your guarding.p2p file, select all of it, and copy and paste it into the 'Source File' box of the converter. Under 'Options', change the source format to Peerguardian plain text and change the output format to eMule. You should also sort by IP and merge overlapping ranges. Now, convert, copy the output, and paste it in your ipfilter.dat below the header. If you have several different blocklists that you want to merge together, convert them one at a time from their respective formats to eMule format, then paste them all together in the 'Source File' box and choose IP sorting and merge overlapping ranges. URLs of some other blocklist sources can be found in the Resources section, above. I suggest keeping an eye on access levels of new entries, however, and editing them to your liking before using them. Even if you don't think you'll ever need to block a particular range, it doesn't hurt to keep it in the list with a high access level for future reference. Remember that an access level of less than 127, by default, is blocked and higher is allowed. So don't come post here whining about your ISP being on public blocklists when it's set to an allowed level by default. Beware of blocklists that have a default low access level of large ranges. It's fun to have a little power complex as you block off the entire western hemisphere, but not if you only meant to cover a tiny subnet with 20 computers. ARIN or RIPE can be used to look for fun new offenders for your blocklist or to check the veracity of existing ranges. This is all up to you. But you better know who you are blocking, or you'll end up losing a ton of sources. Not only that, but some people have found some very fat-piped, well-intentioned uploaders blocked because their IP fell too close to that of an offending company. You don't need to check every blocklist entry, but keep an eye on ones that oftentimes show up in your debug log. As said in the IMPORTANT NOTE, above, sorting lists and removing the overlapping ranges is important. If you can't use bluetack's converter, paste it in a spreadsheet and autosort. Or if you live in the dark ages, sort it by hand. Or, hell, don't sort it. Go watch the TV while the rest of us sort our lists. I should also mention that you should backup ipfilter.dat before screwing with it or adding new entries. MonitoringWhen done editing, be sure to refresh the filter, and keep an eye on your debug log. You can have the log automatically save to a local file in Extended Settings. I suggest occasionally searching for filtered entries and clearing the log. You then may wanna tweak some things, or go and post about how scary it is to see the MPAA being filtered from your mule. When you do use notepad or whatever and search using the word 'filtered', you might be annoyed at a lot of unimportant entries, so I suggest putting some keyword in the descriptions of all your really important IP ranges, like "066.035.250.203 - 066.035.250.203 , 200 , TrypsinSucks Evil corp". Then you can just search for TrypsinSucks and you'll only find your important entries. If you frequently merge blocklists, it might be a good idea to note the URLs and date modified in the header of ipfilter.dat. Just another reminder to watch those overlapping ranges. If someone is being an ass to you in the future, take their ID and convert it to their IP and block it! An ID to IP converter is found at http://ocbmaurice.dyndns.org/code/id.html I suggest saving this page locally as it's hard to access. Alternatively, if you're an elitist or Rain Man, calculate it manually. I doubt that such a person would have read this far unless it was some sort of torture, though. Possibilities:-It would be nice to be able to see usernames and userhashes of banned IPs, if possible. -Filtering by userhashes and other identifying info -Allowing the use of a filter that rejects all except those "allowed". Note: The cheesy way of doing the latter is as the following: CODE | 000.000.000.000 - 009.255.255.255 , 100 , The world part 1 010.000.000.000 - 010.000.000.025 , 200 , Only trusted ISP 010.000.000.026 - 255.255.255.255 , 100 , The world part 2 |
Several months ago, some eMule forum goers and I tried creating a comprehensive list like this, only allowing trusted ISPs. It was a pain in the butt and we gave up with a gigantic allow list and 2/3rds of sources being rejected. But it might be worth a shot to the ultra paranoid person. There's a lot of ISPs in the world.
Comments? Suggestions?
--Trypsin
|