Deny IP Ranges in httpd.conf

photoman

3:17 am on Nov 18, 2004 (gmt 0)

Hello,

Can someone take a look at the syntax of the code below and let me know if it is correct -- my intention is to allow from all except for the IP ranges specified in the 'deny' part?

This is simply 'denies' I am moving from htaccess as I intend to keep them permanently banned, but I cannot find any examples of banning ranges specifically for httpd.conf, and if the syntax differs from what is used in htaccess.

I did find one post on a forum where a user suggested that the IPs should not be escaped. Can anyone confirm this, or should the following work:

<Directory "/var/www/html">
Options Indexes FollowSymLinks MultiViews Includes
AllowOverride All
Order deny, allow
Allow from all
deny from 219\.(7[6-7])\.
deny from 218\.250\.
deny from 218\.(10[2-3])\.
deny from 211\.157\.(10[0-9]|11[0-9]|12[0-7])\.
</Directory>

Thanks!

uncle_bob

11:20 am on Nov 18, 2004 (gmt 0)

Instead of escaping the IPs I find it simpler to use a network/nnn or network/netmask syntax.

So ...

deny from 219\.(7[6-7])\.
deny from 218\.250\.
deny from 218\.(10[2-3])\.
deny from 211\.157\.(10[0-9]|11[0-9]|12[0-7])\.

becomes
deny from 219.76.0.0/15
deny from 218.250.0.0/16
deny from 218.102.0.0/15
deny from 211.157.96.0/19

which I find is less prone to mistakes.

jdMorgan

5:03 pm on Nov 18, 2004 (gmt 0)

> Order deny, allow

This is incorrect; allow and deny are reversed. Read the description of "Order" directive in the Apache mod_access [httpd.apache.org] documentation very carefully.

Jim

photoman

11:51 pm on Nov 18, 2004 (gmt 0)

Hello,

Thanks for the responses.

jdMorgan: I have read the page you quoted before; obviously I am misunderstanding:

"Deny,Allow
The Deny directives are evaluated before the Allow directives. Access is allowed by default. Any client which does not match a Deny directive or does match an Allow directive will be allowed access to the server."

So the way I understand this: any client specifically denied will be denied, and any client (I've allowed 'ALL') matching an allow directive will be let in. Are you saying that the 'Allow All' that I've specified will override the previously read denies, and negate them, so the logic then being:

Have the server read an "allow all" first and then one by one remove any ip denies I explicitly state.

In a previous version I posted on my host's forum, I HAD Allow,Deny (with everything else in my previous post exactly the same), and they told me I had it backwards then -- so every time I read the Apache documentation I see another possible way of understanding it!

Please clear this up for me, I know from your posts that you are very knowledgeable.

uncle_bob: thanks for the tip, I will do some research on network/netmask syntax -- I am unfamiliar with this.

Thank you.

jdMorgan

1:06 am on Nov 19, 2004 (gmt 0)

> so every time I read the Apache documentation I see another possible way of understanding it!

Priority-handling is a tough subject, but a critical reading of the descriptions of the two possible Order options will reveal their operation.

"Deny,Allow
The Deny directives are evaluated before the Allow directives. Access is allowed by default. Any client which does not match a Deny directive or does match an Allow directive will be allowed access to the server."

You have specified "Allow all". The "All" token will match *any* IP address, including the IP addresses you wish to exclude, and so the Deny will be overridden, and those IPs will be allowed. Read the description of Allow, deny with the same critical eye, and you will see that it does what you want it to do:

"Allow,Deny
The Allow directives are evaluated before the Deny directives. Access is denied by default. Any client which does not match an Allow directive or does match a Deny directive will be denied access to the server."

Note that the order in which you specify the individual Allow and Deny directives has no effect; the two groups of all Allows and all Denys are processed in the order set by the Order directive, and are not processed in the order they appear in the file. That is,

Allow 123.
Deny 134.
Allow 234.
Allow all
Deny 145.

Is processed with Deny, allow as:

Deny 134.
Deny 145.
Allow 123.
Allow 234.
Allow all

And with Allow, deny, the list is processed as:

Allow 123.
Allow 234.
Allow all
Deny 134.
Deny 145.

However, there is more to it than just the list processing order: Where "overlaps" occur between IP ranges, or if an "all" token is used, then the behaviour of which overrides which is also different, as described in the quotes above. With Deny,allow, the later-processed "Allow All" overrides your earlier denies, and allows them access.

Jim
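The evaluation rules Jim quotes above, modelled in a small Python script so the two Order settings can be compared offline against the ranges from this thread (an added example, not code from the thread or from Apache; the sample client IPs are constructed):

```python
# Added example: a model of how Apache 1.3/2.0 mod_access evaluates
# "Order Deny,Allow" versus "Order Allow,Deny" for IP-based arguments.
import ipaddress

def _matches(token, ip):
    """Match one Allow/Deny argument: 'all', a partial dotted prefix such
    as '218.250.', or a network/CIDR such as '219.76.0.0/15'."""
    addr = ipaddress.ip_address(ip)
    if token.lower() == "all":
        return True
    if "/" in token:
        return addr in ipaddress.ip_network(token, strict=False)
    # partial IP: compare only the leading octets that were given
    prefix = token.rstrip(".").split(".")
    return str(addr).split(".")[: len(prefix)] == prefix

def evaluate(order, allows, denies, ip):
    """Return True if ip is allowed. File order of the directives is
    irrelevant: the Allow group and the Deny group are evaluated in the
    sequence given by Order, and the later group wins on overlap."""
    allowed = any(_matches(t, ip) for t in allows)
    denied = any(_matches(t, ip) for t in denies)
    if order.lower() == "deny,allow":
        # default allow; a matching Allow overrides a matching Deny
        return allowed or not denied
    if order.lower() == "allow,deny":
        # default deny; a matching Deny overrides a matching Allow
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)

# photoman's directives, with the ranges in uncle_bob's CIDR form
ALLOWS = ["all"]
DENIES = ["219.76.0.0/15", "218.250.0.0/16", "218.102.0.0/15", "211.157.96.0/19"]

# constructed client IPs: one inside each banned range plus one outsider
CLIENTS = ["219.77.1.1", "218.250.9.9", "211.157.100.5", "8.8.8.8"]

def check_order(order):
    """Map each sample client to its access decision under the given Order."""
    return {ip: evaluate(order, ALLOWS, DENIES, ip) for ip in CLIENTS}

if __name__ == "__main__":
    print("Deny,Allow:", check_order("Deny,Allow"))   # banned IPs get in
    print("Allow,Deny:", check_order("Allow,Deny"))   # banned IPs blocked
```

Note that 211.157.96.0/19 spans 211.157.96.0 through 211.157.127.255, so it is slightly wider than the 100-127 pattern it replaces; check each converted range against the original before deploying it.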

photoman

7:50 am on Nov 19, 2004 (gmt 0)

"With Deny,allow, the later-processed "Allow All" overrides your earlier denies, and allows them access. "

That is the critical part that I was unsure of. Thanks for clearing that up for me, Jim.

Regards,
p