Thread: Please Help Me with IP Deny Directives

  1. #1
    Join Date
    Sep 2007
    Location
    Under Area 51
    Posts
    248

    Please Help Me with IP Deny Directives

    I used the BH IP Deny feature to deny one IP access to one of my add-on domains, then looked in the .htaccess file for that add-on domain and saw the following:

    Code:
    Options All -Indexes
    <Files 403.shtml>
    order allow,deny
    allow from all
    </Files>
    deny from 33.33.333.33

    I think this means (a) do not list folder contents; (b) allow everybody to see and read the 403.shtml file; (c) do not allow 33.33.333.33 to access files in this folder and its subfolders (where .htaccess lives).

    Question 1: Why is the 'deny' directive outside the <Files></Files> part?

    Question 2: Why is the 403 file specifically allowed, but the 402 and 404 files are not specifically allowed?

    Question 3: Doesn't the following code have the same effect?:

    Code:
    <limit GET POST PUT>
    order deny,allow
    deny from 33.333.33.33
    allow from all
    </limit>

    Question 4: Why did the wizard also add the 'deny from...' directive to the .htaccess in my root or home directory?

    and finally,

    I tried to block all IPs between 85.0.0.0 and 85.255.0.0 by adding:

    Code:
    deny from 85.0/255

    but that produced Server 500 errors when attempting to access any of my domains.

    Question 5: What is the shortest way to specify all IPs between 85.0.0.0 through 85.255.255.255?

  2. #2
    Join Date
    Feb 2006
    Location
    Florida, USA
    Posts
    1,505

    1. If it were between the <files> bit it would deny access from the 403 file.

    2. The 403 file is allowed because it's what the denied IP address gets redirected to; if it's denied too, then they get forbidden from accessing the Forbidden message.

    3. Limit isn't necessary. All you need is
    Code:
    order allow,deny
    allow from all
    deny from 33.33.333.33

    but if you do that, they won't have access to the 'access forbidden' file.

    4. I don't really know what the wizard does. If you want to restrict it to a specific domain you can use the directive "rewritecond %{http_host} ^(www\.)?example\.com$ [nc]"

    5. "deny from 85."

  3. #3
    Join Date
    Sep 2007
    Location
    Under Area 51
    Posts
    248

    Thanks for your help. Is there a problem if the IPs I have denied are not allowed access to the 403.shtml file? Those IPs are sources of a lot of spam.

  4. #4
    Join Date
    Feb 2006
    Location
    Florida, USA
    Posts
    1,505

    Some common error code definitions:
    400 - Bad Request
    401 - Unauthorized
    403 - Forbidden
    404 - Not found
    500 - Internal server error

    You can customize your error pages, so when a visitor tries to access a file that doesn't exist, for example, they get served 404.shtml (or whatever ErrorDocument 404 is set to). If they try to access something that they're forbidden from accessing, they get served the 403.shtml file. The custom file is sitting in your public_html folder, so that you can mess with how it looks. If you go and deny access to everything for somebody, they can't see your 403.shtml file. When this happens the server defaults to its built-in 403 error message. I don't know if this actually causes an additional server error or not, but it probably does, so I'd allow access to the 403 file if only to conserve a tiny bit of resources.

  5. #5
    Join Date
    Sep 2007
    Location
    Under Area 51
    Posts
    248

    I'll buy that. Thanks for the explanation - it clears up the mystery for me.
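
Added example, not part of any post in this thread: a simplified Python model of how Apache 2.2 combines Order, Allow and Deny, run against the rule shapes from question 3, reply #2 and the `85.` prefix from answer 5. The names `parse_host` and `is_allowed` and the address 203.0.113.7 are constructed for illustration; hostnames, IPv6 and the `<Limit>` method restriction are not modelled.

```python
import ipaddress

BLOCKED = "203.0.113.7"  # constructed documentation address, not from the thread

def parse_host(spec):
    """Turn one Allow/Deny host spec into an IPv4 network (ValueError if malformed)."""
    if spec == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in spec:  # network/CIDR or network/netmask form, e.g. 85.0.0.0/8
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if len(octets) > 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"malformed host spec: {spec!r}")
    # A partial address (first 1 to 3 octets) is a prefix match: "85." -> 85.0.0.0/8
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")

def is_allowed(order, allow, deny, client):
    """Simplified model of Order/Allow/Deny evaluation for one client address."""
    ip = ipaddress.ip_address(client)
    allow_nets = [parse_host(s) for s in allow]  # parse everything up front so a
    deny_nets = [parse_host(s) for s in deny]    # malformed spec always raises
    hit_allow = any(ip in net for net in allow_nets)
    hit_deny = any(ip in net for net in deny_nets)
    if order == "allow,deny":
        # Allow is evaluated first, Deny last: a Deny match wins, default is deny.
        return hit_allow and not hit_deny
    if order == "deny,allow":
        # Deny is evaluated first, Allow last: an Allow match wins, default is allow.
        return hit_allow or not hit_deny
    raise ValueError(f"unknown Order: {order!r}")

if __name__ == "__main__":
    # Reply #2's form: the listed address is refused, everyone else gets in.
    print(is_allowed("allow,deny", ["all"], [BLOCKED], BLOCKED))
    # Question 3's form: "allow from all" is evaluated last and lets it back in.
    print(is_allowed("deny,allow", ["all"], [BLOCKED], BLOCKED))
    # A bare deny line (the default Order is deny,allow) with the "85." prefix.
    print(is_allowed("deny,allow", [], ["85."], "85.12.34.56"))
    try:
        parse_host("85.0/255")
    except ValueError as exc:
        print("rejected:", exc)
```

In this model the order of the `allow` and `deny` lines in the file does not matter; only the `Order` directive decides which set is evaluated last.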
