Search - "whitelist"
-
Guy called in:
Guy: hello, I can't seem to log in to the sql database, could you check if the ip whitelist went right? It's on the *names server* server.
Me: *checks if guy is calling from an authorized number* - nope.
Me: I'm sorry but you're not calling from an authorized number so I can't check that for you!
Guy: no you don't understand. I don't want any of this not-authorized bullshit, I just want a solution for this right now.
Me: and I just want you to call from an authorized number.
Yeah, I actually said that. He wasn't very happy 😅
I'm still employed by the way 🤣 -
You can't even make this shit up.
The British NCSC is stopping with the terms "blacklist" and "whitelist" because it would be racist...
Fucking oversensitive cocksuckers. -
A client called today because their email wasn't arriving at the recipient's inbox but bouncing back with a 'poor MTA rating' error.
Checked about every blacklist I know and our server was definitely not blacklisted. Must be the recipient's host which for some reason was blacklisting his specific email address.
Told the client that it wasn't a problem on our side and that he had to request a whitelist himself (we'd do it but it wasn't a specific server problem so we're not going to spend time on that).
Fair enough, he'd do that.
Calls back. "Well, the other party says that your server definitely has a poor rating, it's on your side!!"
Alright, this is getting annoying. Gave him a few blacklist checking sites links and told him to run his domain AND our server IP through it. Indeed came back completely clean.
"But the other party said it's poor rating on your side so I'd think tha........"
YEAH WHY DON'T YOU SHOVE THAT OTHER PARTY UP YOUR FUCKING ASS. I'VE SHOWN YOU PROOF THAT IT'S DEFINITELY NOT ON OUR FUCKING SIDE, EXPLAINED IT TO YOU AND SO ON. MAYBE, FOR ONE FUCKING SECOND, TAKE INTO CONSIDERATION THAT THE OTHER PARTY IS FUCKING LYING?!?!?
FUCK OFF. -
I just helped one of our cleaners get Internet since the management whitelisted devices that can get WiFi access.
I believe that anyone, regardless of position, must have equal access to the resources in this company. -
*CTO in panic, as always, invites everyone to the war room*
CTO: We have a MAJOR problem where 0.0001% of our customers are not receiving SMS confirmations.
Me: Cool. But, 0.0001% is very less compared to the other problems we are solving.
CTO: You don't understand, this is a critical issue that needs to be addressed immediately.
Me: But even those 0.0001% customers are receiving e-mail confirmations, so this is not even a blocker as we have other channels working.
CTO: I am emotional at this point. You need to prioritise this now.
Me: Okay, do we know the root cause of this problem?
Engineering head: we have blacklisted those numbers in past as our system detected them abusing our platform.
Me: Cool. Let's whitelist them, nothing much to worry here.
CTO: Floyd, you need to understand that 0.0001% of the customers are not receiving the SMS and the solution you are proposing is incorrect.
Me: Okay, what do you suggest?
CTO: We stop sending the SMS to all the customers.
Everyone on the call: 😨 -
Data scientist: we need to whitelist a pod to connect to a database
Me: Whitelist? We don't use whitelists on private databases
DS: It's the new data warehouse database
Me: is it on <X> VPC?
DS: I'm not sure what that means but its IP is <real world ipv4>
Me: Are you hosting a publicly accessible database with all our end users information?!
DS: ...
Me: There goes our SOC2 audit controls...
DS: how long until you can white list it?
Me: I won't be whitelisting it. You need to put it on a private VPC and peer with the cluster, you'll have to rebuild all the Terraform and redeploy
DS: We didn't use Terraform because it takes too long, just white list the pods IP.
Me: No. I'm contacting the CISO and CTO... -
HO. LY. SHIT.
So this gig I got myself into, they have a whitelist of IP addresses that are allowed to access their web server. It's work-at-home. We just got a new internet provider, and it looks like I get a different public IP address every time I disconnect and connect to the WIFI. And since it looks like the way they work on their codebase is that you either edit the files right on the server or you download the files that you need to work on, make the changes, and then re-upload the file back to the server and refresh the website to see the changes, now I can't access the server because I get different IP addresses. And it's highly inconvenient to keep emailing them to add IP addresses to the whitelist.
No source control, just straight-up download/upload from/to the server. Like, srsly. So that also means debugging is extremely hard for me because one, they use ColdFusion and I've never used that shit before and two, how the hell do you debug with this style of work?
I just started this last Tuesday, and I already want to call it quits. This is just a pain in the ass and not worth my time. I'll be glad to just go back to driving Lyft/Uber to make money while I look for a full-time, PROPER job.
By the way, can I do that to a contracting job? Just call it quits when you haven't even finished your first task? How does this work? -
A conversation with my friend:
Me: Sure, I’ll whitelist you. What’s your IP?
Friend: I think it’s localhost.
Me: ... -
One of our internal customers to my team: "We need this new feature to be implemented as soon as possible! It's super urgent!! Work on it asap!! PEOPLE ARE DYING!!"
Us: "Ok, we'll prioritize this feature and deliver it as soon as we can"
Them: "Is it ready yet?"
Them: "Is it ready yet?"
Them: "Is it ready yet?"
Them: "Is it ready yet?"
... One month later ...
Them: "Is it ready yet?"
Us: "We're done! We implemented everything as promised! Please give us your credentials so that we can whitelist you and you can start using the new service"
Them: "Okay, we will get back to you"
... Two months have passed since then and still not a single word from them. I'm starting to wonder: are they still alive? 🤔 -
Known IPs for github (add to /etc/hosts)
192.30.253.113 github.com
192.30.253.113 ssh.github.com
more on https://webcache.googleusercontent.com/... -
Root gets ignored.
I've been working on this monster ticket for a week and a half now (five days plus other tickets). It involves removing all foreign keys from mass assignment (create, update, save, ...), which breaks 1780 specs.
For those of you who don't know, this is part of how rails works. If you create a Page object, you specify the book_id of its parent Book so they're linked. (If you don't, they're orphans.) Example: `Page.create(text: params[:text], book_id: params[:book_id], ...)` or more simply: `Page.create(params)`
Obviously removing the ability to do this is problematic. The "solution" is to create the object without the book_id, save it, then set the book_id and save it again. Two roundtrips. bad.
I came up with a solution early last week that, while it doesn't resolve the security warnings, it does fix the actual security issue: whitelisting what params users are allowed to send, and validating them. (StrongParams + validation). I had a 1:1 with my boss today about this ticket, and I told him about that solution. He sort of hand-waved it away and said it wouldn't work because <lots of unrelated things>. huh.
He worked through a failed spec to see what the ticket was about, and eventually (20 minutes later) ran into the same issues I did, and said "there's no way around this" (meaning what security wants won't actually help).
I remembered that Ruby has a `taint` state tracking, and realized I could use that to write a super elegant drop-in solution: some Rack middleware or a StrongParams monkeypatch to mark all foreign keys from user-input as tainted (so devs can validate and un-taint them), and also monkeypatch ActiveRecord's create/save/update/etc. to raise an exception when seeing tainted data. I brought this up, and he searched for it. We discovered someone had already built this (not surprising), but also that Ruby 2.7 deprecates the `taint` mechanism literally "because nobody uses it." joy. Boss also somehow thought I came up with it because I saw the other person's implementation, despite us searching for it because I brought it up? 🤨
Foregoing that, we looked up more possibilities, and he saw the whitelist+validation pattern quite a few more times, which he quickly dismissed as bad, and eventually decided that we "need to noodle on it for a while" and come up with something else.
Shortly (seriously 3-5 minutes) after the call, he said that the StrongParams (whitelist) plus validation makes the most sense and is the approach we should use.
ffs.
I came up with that last week and he said no.
I brought it up multiple times during our call and he said it was bad or simply talked over me. He saw lots of examples in the wild and said it was bad. I came up with a better, more elegant solution, and he credited someone else. then he decided after the call that the StrongParams idea he came up with (?!) was better.
jfc i'm getting pissy again. -
I'm fixing a security exploit, and it's a goddamn mountain of fuckups.
First, some idiot (read: the legendary dev himself) decided to use a gem to do some basic fucking searching instead of writing a simple fucking query.
Second, security ... didn't just drop the ball, they shit on it and flushed it down the toilet. The gem in question allows users to search by FUCKING EVERYTHING on EVERY FUCKING TABLE IN THE DB using really nice tools, actually, that let you do fancy things like traverse all the internal associations to find the users table, then list all users whose password reset hashes begin with "a" then "ab" then "abc" ... Want to steal an account? Hell, want to automate stealing all accounts? Only takes a few hundred requests apiece! Oooh, there's CC data, too, and its encryption keys!
Third, the gem does actually allow whitelisting associations, methods, etc. but ... well, the documentation actually recommends against it for whatever fucking reason, and that whitelisting is about as fine-grained as a club. You wanna restrict it to accessing the "name" column, but it needs to access both the "site" and "user" tables? Cool, users can now access site.name AND user.name... which is PII and totally leads to hefty fines. Thanks!
Fourth. If the gem can't access something thanks to the whitelist, it doesn't catch the exception and give you a useful error message or anything, no way. It just throws NoMethodErrors because fuck you. Good luck figuring out what they mean, especially if you have no idea you're even using the fucking thing.
Fifth. Thanks to the follower mentality prevalent in this hellhole, this shit is now used in a lot of places (and all indirectly!) so there's no searching for uses. Once I banhammer everything... well, loads of shit is going to break, and I won't have a fucking clue where because very few of these brainless sheep write decent test coverage (or even fucking write view tests), so I'll be doing tons of manual fucking testing. Oh, and I only have a week to finish everything, because fucking of course.
So, in summary. The stupid and lazy (and legendary!) dev fucked up. The stupid gem's author fucked up, and kept fucking up. The stupid devs followed the first fuckup's lead and repeated his fuck up, and fucked up on their own some more. It's fuckups all the fucking way down. -
A third party manages access to a web application I’m supposed to begin using. While accessible from the Internet, they whitelist IP addresses, so it rejects the login credentials if not coming from a whitelisted address.
I provided my external IP address to their support team but the application was not letting me in, so I called their help desk. A support technician said that my IP address was 10.x.x.x, a private IP address. I’m not on the same network as this application, so I did a quick check and realized they are reading my internal IP address from my X-FORWARDED-FOR (XFF) header (yes, my employer exposes this).
I explain to him that the application is incorrectly reading my external (connection) IP address and is instead reading my internal IP address from my XFF header. I also explain that it’s not a good idea to add a private IP address to their whitelist as it somewhat defeats the point as anyone can assign that IP address within their network and expose it via an XFF header.
After talking to numerous support personnel, I came to the conclusion that not a single support person on their team understands basic networking and private IP address ranges.
I finally just said, “Fine. Go ahead and add my internal IP address but keep in mind it will change a lot.”
He then proceeded to “explain” to me how my IP address is assigned by my ISP and should change very infrequently. I explained to him that the IP address their application is reading is actually assigned by DHCP inside my network, but I was clearly wasting my breath. -
TIL that TI has no goddamn chill
Texas Instruments released the TI-83+ calculator model in 1996. The Z80 was not at all stock and has the following features:
- 3 access levels (privileged kernel, kernel, user)
- Locking Flash (R/O when locked for most pages, some pages protected and unreadable as well, only unlockable from protected Flash pages by reading a certain order of bits then setting a port)
- Locking hardware ports (lock state always the same as flash)
- Customizable execution whitelist range (via locked ports)
- Configurable hardware (Flash/RAM size changeable in software via locked ports, max RAM is 8MB which is fucking mental compared to the 64k in the thing)
- Userland virtualization (always-on)
- Reset on violation of security model
- Multithreading
- Software-overclockable CPU
- Hardware MD5 and cert handling
TI made a calculator in 1996 with security features PCs wouldn't see until like 2010 what the *actual* fuck -
Great, finally get away on vacation, 2 weeks of just relaxing. 30 min before leaving to the airport I get an SMS from my server: one of my main hard drives failed. No problem, just need to swap the drive and start the recovery at the airport.
At the airport I connect to my home VPN and start the recovery, everything works fine, just need to restart the server when done, ~12h. Next day I'm in the hotel and my VPN does not accept my connection. Okay, might be the hotel that blocks VPN connections; I try my external VPN and it works, and I try to connect home when I get a lovely text from my server: "login attempt has failed from ip:x". Then it hits me: I have forgotten to add it to the whitelist. Outsmarted myself to just let it be.
So I finally get 2 weeks off and nothing I can do about it. -
If you think changing "white/blacklist" to "allow/denylist" will help inclusivity you're a fucking racist moron who is actively hurting public perception of POCs and minorities.
You are the direct reason people scoff at the idea of modern feminism and racial equality. You've made the entire topic a fucking joke and reduced it to bite-sized, pseudo-progressive drivel that no sane person ever wants to support. -
*looks for some reviews of a dentist*
Yelp: ah yes we have that.
*Enters Yelp site*
"Oh noes, you have JavaScript disabled! You should enable it because it can make websites really cool (why does this seem like a front-end wank), gives you compliments when you had a bad day (fuck you Yelp), can save the world from tragedy on its own (does savetheworld.js exist yet?). But that you'll never realize anymore. Because YOU disabled JavaScript, filthy piece of shit you are. So enable JavaScript so that we can have so much more fun!"
Ah, not providing any content that I visited your shitty site for, guilt-tripping me into enabling JavaScript for your dribble, and on top of that saying that we'll have fun when I whitelist you. Fun ey.. you know what'd be fun Yelp? For me to go there and shove my dick into every one of your front-end and marketing cunts' faces until they turn blue. Now THAT would be a lot of fun!!! -
!rant
TODAY WAS A SUCCESS!
-learned how to forward ports
-hosting a minecraft server
-made that stupid HP stream USEFUL
-i actually feel good about myself
note: modded server. You'll need Mantle (1.7.10), Tinker's Construct (1.7.10) and Ultra Block Compression (1.7.10).
pretty sure whitelist is disabled. the max is 50 players, not sure how good the connection will be. be nice to the ops, YoungWolves and Mehrsun
ip: 66.243.225.51
(default port)
again please be polite, the two OPs are not techy at all, but very nice gals -
Our marketing just changed the blacklist/whitelist terms to blocklist/allowlist to make it more "neutral", following the change in github from "master branch" to "main branch"
When will this end, people ?
:/ -
I was just thinking about disabling something, already forgot what it was that I was gonna disable though.. doesn't matter. And I realized that if I wanted to play my "disabled card", I could totally get Americans to ban that word entirely.
Cancel culture you say? Those cancel buttons are offensive to me! Get them out of my face reeee!
Command line? You're telling this thing what to do?! sudo make sandwich, so sexist!!!
Police reforms are so overrated. Let's ban words like master/slave or blacklist/whitelist or blind playthrough instead. And put our knees on another black person, shoot another in their sleep, and let said police officers get away with it. Yee haw!
And storm the Capitol apparently. It's been a while now but Europe looked across the pond in complete and utter surprise and disbelief. You call yourselves a free nation America?
Oh yeah, and ban words globally, in globally used software. I must've forgotten.. yeah, the world is nothing but America, oil fields, parking space and third world shitholes. Good thinking there.
With enough effort you can make anything offensive. And it goes to show that offense is not given but taken.
Fun fact btw: the United States is ranked 121 in the Global Peace Index (http://statisticstimes.com/ranking/...) - and that doesn't even include the Capitol's insurrection yet. Belgium is ranked 17. Tell me more about how I'm racist Americans. Tell me about it when your president literally called Belgium a hellhole over the amount of immigrants he saw in Brussels. -
Aaaa stop this issue with renaming everything furcubimofawasggkdjgdkkf whitelist blacklist git blame and the master of em all, the main branch
-
Was doing white listing and asked for the address they need whitelisted. Was given the street address 😐.
-
Windows updates are fucking trash. Even if you disable built-in Windows spyware services, they tend to switch themselves on again.
Instead of engaging in that uphill battle, just use a firewall. Whitelist apps you use, and Windows will have no way to update itself or to call home even when the spyware is on.
On my gaming laptop I use Portmaster firewall. It’s free, open source AND has a good UI. -
So one of the apps I develop and maintain is going to get penetration tested.
I received an email asking if I could whitelist all their IPs so they could get access to the system. Without any further details.
Like wtf? Aren't you supposed to be testing if you can get access xD
Next thing they will be asking for passwords and keys xD and if I could build in a backdoor. -
Guess who just read content off a site out of browser dev tools because the page displayed an intrusive 'whitelist us from your adblocker' modal
-
Public transport system in my city has the following option for monthly subscription: you can register your DEBIT/CREDIT CARD in some sort of whitelist and use it on the doors to access the subway or buses.
They. Save. Your. Card. -
So I decided to start using NoScript in Firefox recently, and it's been the most wonderful and annoying experience.
Wonderful - Easy to use whitelist on a domain basis makes it easy to un-break websites I trust while keeping potential malicious JS from other domains out.
Annoying - Now I get why all the graybeards on Hacker News hate what the modern web has become -
So today was interesting.
I had to extract the domain from an email address and compare the domain to a hard coded whitelist, nothing difficult, fuck takes 2 min really.
Except the project starts throwing 500 errors for no god damn reason, like seriously, I double check syntax, nope looks fine, run PHP's syntax checker on the file
# php -l /path/to/file.php
Nope says it's all good.
Checks error log on server -> no log
OoooooooooKay then.
Comments out the few lines, saves, errors gone.
remove comments, error comes back.
Do this a few times, and magically the fucking thing stops throwing errors, now I haven't actually changed anything, and I know this project is so fragile I don't know how it stays running at times but fuck me this is a painful joke. -
master -> main/default/primary
slave -> secondary
blacklist -> deny list
whitelist -> allow list
Let the age of newspeak commence! -
Wow or wtf to these banks API. was integrating an API for a service which accept JSON input.
Okay fair enough, that would be fine
Spent an hour writing code(purescript) most of time spent was on writing Types based on the API doc. after that okay let me test the API it failed.
I was what happened? So tested the API from postman with the payload from the doc, it worked. What how?
used a JSON diff to compare the payload from postman and the log. Looked same to me after spending few hours checking what is wrong with it .trying changing value to pasting the body of the log request in postman and trying everything failed.
Later went to the original working payload provided by them and changing the order. It started throwing error. I was like wait what?
It must be only on their UAT. Created a payload with production creds and hoping to our production server (they have IP whitelist), ran the curl with proper payload, as expected it worked. Later for the same payload changed the order of one key and tried, it failed.
Just why????
I don't want to create a JSON with keys on specific order. Also it's not even sorted order. -
Without getting into politics as much as I can, is there any black sw developer who is genuinely hurt by usage of blacklist/whitelist, master/slave terminology? Or is this sudden sensitivity a bullshit from white liberal silicon valley types who live in the most white populated, rich areas who have no lower class black/hispanic friends but still get offended on behalf of them?
-
So what's up with HR people pushing people to stop using terms like master/slave and blacklist/whitelist because it's offensive to people? I mean this is simply censorship out of context. It's not blatantly hating on someone.
Did they even ask concerned people their opinion? Is this really gonna help professional inclusion? Censoring terms will not solve issues if you cannot talk about it in an honest manner.
Fuck sake some HR people are paid for doing bullshit. -
Currently working on a web platform for a building management company for the last 6 months.
Setup web server, database and developed the whole using laravel and vue.
They are in the testing phase now, so I implemented IPSec so that they can only access it from their office.
Thing is, they don’t have a static IP, so when they had to switch over to a backup connection yesterday, I had to add their new IP in my whitelist.
Today I get an email from their manager, saying that after a discussion he had with his assistant, the web app is not in the “cloud”!!! He got that because I had to “do something” to restore access to it yesterday and because “there isn’t an icon you can double-click” on each employees’ desktop!!!
Don’t even know how to respond to that!!! -
Background: I am currently working with a DB that has websocket functionality ("notify a client on insert/etc."). However, you do have to whitelist tables in order to use them with sockets.
I wanted to optimize my code and didn't want to mess with my coworkers dev-data, therefore I duplicated the table. After improving some small things I noticed that the interface does not change with new socket data. I have spent the last hour or so trying to figure out where I broke it.
I just realized that I forgot to whitelist that duplicated table 😐 Most relieving moment today 😅
Bonus side effect: The code is much cleaner now since I refactored a lot of the realtime-logic in order to understand it/fix the bug. -
I'm absolutely exhausted...
Just spent the past 2 days restructuring our SAAS products entire server network on AWS just so we can have a static IP address for all our server instances passing through an NAT....because we need to integrate with another service that only allows you to access their API if they whitelist your IP. -
Just posted this in another thread, but i think you'll all like it too:
I once had a dev who was allowing his site elements to be embedded everywhere in the world (intentional) and it was vulnerable to clickjacking (not intentional). I told him to restrict frame origin and then implement a whitelist.
My man comes back a month later with this issue of someone in google sites not being able to embed the element. GOOGLE FUCKING SITES!!!!! I didn't even know that shit existed! So naturally I go through all the extremely in depth and nuanced explanations first: we start looking at web traffic logs and find out that it's not the google site name that's trying to access the element, but one of google's web crawler-type things. Whatever. Whitelist that url. Nothing.
Another weird thing was the way that google sites referenced the iframe was a copy of it stored in a google subsite???? Something like "googleusercontent.com" instead of the actual site we were referencing. Whatever. Whitelisted it. Nothing.
We even looked at other solutions like opening the whitelist completely for a span of time to test to see if we could get it to work without the whitelist, as the dev was convinced that the whitelist was the issue. It STILL didnt work!
Because of this development i got more frustrated because this wasnt tested beforehand, and finally asked the question: do other web template sites have this issue like squarespace or wix?
Nope. Just google sites.
We concluded it's not an issue with the whitelist, but merely an issue with either google sites or the way the webapp is designed, but considering it works on LITERALLY ANYTHING ELSE i am unsure that the latter is the answer. -
Can we PLEASE once and for all redesign email and texting to be whitelist only?
Seriously, blacklisting doesn't work. We still have assholes that just because they know a line of text or a phone number can harass you forever. It IS harassment and needs to stop. We can always have the option of throw away blacklist addresses, but let's make primary email and phone numbers whitelist only as a standard feature. The business of SPAM would be dead overnight. -
How fucking sucking difficult is it to set up a static IP in AWS on a load balancer??? I spent the whole day figuring out how to use the NAT gateway or other means and it still doesn't work. Debugging is almost impossible because they give you zero logs.
And all of this because a client wants to work with a whitelist for their shitty system on location. -
Ugh. Homeoffice tomorrow. Would be awesome if the servers that I need to connect to work on a project wouldn't be limited to our companies IPs only and the VPN connection would be a bit more stable.
-
the stress of I don't want to lose git history by renaming whitelist allowlist in existing code but i also don't want to get in trouble from people if they catch me using whitelist for new additions to match what's already in the file
-
A question to all software security specialists of devRant. Please, take it seriously.
Is it fundamentally possible to restrict a SQL database like Postgres in a way that unintended SQL queries are impossible to execute? Perhaps in some kind of whitelist fashion. Is it possible to achieve the kind of security that will be just fine exposed to the outside world akin to "SQL queries in onClick handlers" scenario?
Or is this an uphill battle of never being able to moderate an infinite set of possible fraudulent queries? -
Was asked today what type of service ticket was needed for a domain level whitelist request.. gave them the answer, and they tell me, “oh I don’t think I want to do that, I’ll just create a generic ticket and go from there.”
Why ask if you are going to do it your own way anyways..
This happens too often in all parts of IT. Someone consults you, tells you your suggestion sounds difficult, then tries to take a short cut..
Good luck to them.. so glad it’s Friday! ✌️ -
Guessing my rant free streak is over. Trying to connect to a mongo atlas cluster. Just migrated from mlab as mongo Inc is discontinuing the heroku add on.
Migration went well. I can connect to atlas cluster via mongo shell.
Reactive mongo claims it supports dns seed list. I add mongodb+srv connection string. Doesn't work.
I go back to atlas and allow all ips access (migrating staging dB first to make sure all is well so I can whitelist all ips) - > send a request-> mongo error. No primary node is available.
Disconnect from my network, connect to another network, same thing. I push the connection string to my server, test using an ssl connection to make a request, still no primary node available. I am about to lose my mind. -
Spent my Sunday building a container program for the Minecraft Bedrock dedicated server because I wanted to run it as a Windows service so my partner could play our local multiplayer realm while I am offline.
If you just run the standard executable as a service it risks world corruption on exit and requires a restart when changing whitelist or permission settings.
Pretty happy with how it turned out. -
Gf asked me to help her with getting science articles. She had some page that her university suggested students to use, but had troubles with downloading documents.
At first I was like "Hey, it says use IE, other browsers are not supported. That's bad but.. whatever". Then it popped that she needs Java enabled - well, I guess we have to... Even updated it cause it was needed.
Restarted IE, clicked download again and... Java security blocked web app... Eh, I don't trust it but whatever, just let's check what if I whitelist it.
Got some basic view, 1 dropdown list for "file name format" (like anybody cares), path selection where to save file, and some checkbox. Lame, but let's just leave it behind.
Downloaded, it turned out to be html file, not pdf, fishy that it was single file, but hoped for some text styled with css, so I opened it and got redirected to page where I clicked download.
Checked that file content - html with empty body and script tag containing js that redirects on load.
Srsly?😐 -
I have a windows vps with a server that I want to protect from DDoS and hide from outside world. Is there a way by using PHP IIS webserver on another vps to somehow whitelist ips or redirect only clean traffic to my windows vps?
-
Help is welcome - I don't get it x.x
Just started scripting and can't find it on google:
Got a little whitelist with urls in it and a huge list with urls in it.
whitelist format:
foobar.com
barfoo.au
format huge list:
blabla=/foobar.com/wo.op
blabla=/barfoo.au/wo.op
blabla=/barfoo.crazy.au/wo.op
blabla/barfoo.crazy/wo.op
should stay in the file.
Now I want to delete the entries of the whitelist from huge list.
I have no clue how I can get the
foobar.com
into
sed -i '/foobar\.com/d' $file
to make it work in my script x.x
-
Honestly, I've never even given a second thought to the use of the terms "whitelist", "blacklist" or "master". I mean, I'm not against this change in any way, but I'm also not sure if these terms are commonplace because they stem from racially charged meaning or not. Guess my privileged ass has never given it much thought.
https://zdnet.com/article/...
-
i said blacklist/whitelist without thinking about it instead of deny/allow, and got gently reminded about it, oof
-
Having problems with getting a user's IP address with PHP.
So basically I made a custom DDoS protection for my Linux server.
It works like this: the PHP website gathers the visitor's IP address when he does a certain action (in this case registers an account). All visitor IPs are stored in ips.txt securely on my website FTP.
Then my Linux server has iptables rules set up in a way where it blocks all traffic except my website traffic.
On the Linux server I have a cron job which pulls whitelisted IPs every 5 minutes from my PHP website's FTP and then whitelists all IPs in iptables.
That way only visitor IPs (of those who registered an account on my website) are being whitelisted on my Linux server.
In case of a DDoS attack, all traffic is dropped except for the whitelisted visitor IPs gathered from the website's ips.txt.
Now I'm having a problem. My PHP script is not accurate. Some visitors to my website are not being whitelisted because they might have a different IPv4 address than what is given by the PHP website. So basically I am looking for some PHP script/library that would gather ALL IPv4 IPs from a visitor, then whitelist them.
Also regarding IPv6, my iptables are all default (which means that all IPv6 visitor traffic is allowed) so the problem is not with visitors that have IPv6. The problem is with my script not getting ALL IPv4 addresses assigned to the user.
Can you recommend me some PHP library for that? So far I've used https://github.com/marufhasan1/... but apparently it's not accurate enough.
Need advice about protecting against DDoS via iptables and whitelisting. Currently I launched my gameserver and am fighting against a massive attack of botnets. The problem was solved by closing all ports on my gameserver Linux machine and shipping game.exe with an injected C++ socket client. So basically only gamers who launch my game exe are being added to the firewall iptables via the socket client that is provided in the game exe. If some ddosers still manage to get inside and ddos then my protection is good enough to handle attacks from whitelisted IPs from inside. Now I have another problem. Lots of players have problems and for some reason the shipped C++ client fails to connect to my socket server. Currently my solution was to provide support in all contact channels (facebook, skype, email) and add those people's IPs to the whitelist manually. My best solution would be to make a button on the website which you can click and your IP is whitelisted automatically. However if it will be so easy then botnets can whitelist themselves as well. Can you advise me how I could handle whitelisting my players through the web or some other exe in a way that it can't be replicated by botnets?
-
Question about Linux iptables. I am currently blocking all access and whitelisting only when my users launch my software. When the software is launched a socket client is also launched; it connects to the socket server, identifies itself with a password and disconnects. If the password given by the socket client is correct, then the socket server whitelists the user's IP by executing the following command: "iptables -I INPUT -s userIP -j ACCEPT".
My problem is that now I have lots of duplicate IPs whitelisted and as far as I've heard I should not go over 25k iptables rules.
So my question is how to check if an IP is already whitelisted, in order to avoid duplicate iptables rules for the same IP?
The obvious solution would be to store the whitelist somewhere (mysql/txt) and double check before whitelisting an IP, but maybe there is an easier way to do this?
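As an added example (not the poster's code): a POSIX shell helper that asks iptables itself with `iptables -C`, which exits 0 when an identical rule already exists and 1 when it does not, so the insert is skipped without keeping a separate store; it also refuses anything that is not a plain dotted quad before the value reaches the iptables command line, since the address arrives from a client that knows a password but is otherwise untrusted. The `fake_iptables` function, the `FAKE_RULES` file and the 203.0.113.7 address are constructed stand-ins so the script runs without root; set `IPTABLES=iptables` to apply it for real.

```shell
#!/bin/sh
# Added example: idempotent whitelisting with input validation.
# IPTABLES defaults to a file-backed stand-in so this runs unprivileged; set IPTABLES=iptables for real use.
FAKE_RULES=$(mktemp)
IPTABLES=${IPTABLES:-fake_iptables}
CHAIN=INPUT

# fake_iptables: stand-in that understands only "-C CHAIN ..." (rule exists?) and "-I CHAIN ..." (insert)
fake_iptables() {
  op=$1; shift
  case $op in
    -C) grep -qxF -- "$*" "$FAKE_RULES" ;;
    -I) echo "$*" >> "$FAKE_RULES" ;;
    *)  return 1 ;;
  esac
}

# valid_ipv4: accept exactly four decimal octets, 0-255, no leading zeros, nothing else,
# so an attacker-chosen string can never add extra iptables arguments
valid_ipv4() {
  case $1 in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in 0?*|????*) return 1 ;; esac   # no leading zeros, at most three digits
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# whitelist_ip IP: `iptables -C` returns 0 if the rule is already there, so the
# rule is inserted once no matter how often the same client reconnects
whitelist_ip() {
  valid_ipv4 "$1" || { echo "rejected: $1" >&2; return 2; }
  if "$IPTABLES" -C "$CHAIN" -s "$1" -j ACCEPT 2>/dev/null; then
    return 0   # already whitelisted
  fi
  "$IPTABLES" -I "$CHAIN" -s "$1" -j ACCEPT
}

# Demo with a constructed address: the second call is a no-op, the third is refused.
whitelist_ip 203.0.113.7
whitelist_ip 203.0.113.7
whitelist_ip '203.0.113.7 extra' || true
echo "rules now: $(wc -l < "$FAKE_RULES")"   # prints 1
```

Once the whitelist grows into the thousands, a single `iptables -m set --match-set NAME src -j ACCEPT` rule backed by an ipset `hash:ip` set, filled with `ipset add -exist NAME IP`, keeps the rule count at one and makes duplicate entries a non-issue.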