Use Case: Retain visitors by handling false positives with ochSimpleFirewall

At a time when everything connected to the internet is under constant attack by those who want to abuse it, spread spam, install malware or carry out other illegal activities, a maintained firewall is a requirement to keep your legitimate visitors and registered users safe.

Instead of trying to identify and catch an abuser in action, ochSimpleFirewall utilizes blocklists (lists of IP addresses / IP ranges) of known offenders: people or computers that websites, tools and security services from all over the world have identified as abusers, spammers, hackers or as engaging in other illegal practices. ochSimpleFirewall harnesses the 'intellect' of many smart and constantly evolving detection systems instead of trying to come up with a detection algorithm of its own.

So when somebody is caught sending spam into a forum, his IP address is placed on a blocklist by services like StopForumSpam, CleanTalk or BotScout, and ochSimpleFirewall picks up that blocklist and blocks that person before he can give your site a try.

Challenge: How to handle False Positives

Although the blocklists are maintained on a daily / hourly basis and are very accurate, it is still possible that a legitimate visitor is blocked on your site: a so-called false positive.

False positives occur when an IP address is marked as malicious while it is not, when you get a new IP address for your computer / network that previously took part in malicious activities, or (more likely) when your device is infected with malware doing all sorts of illegal things without you knowing it!

Depending on how you configured the block mode in ochSimpleFirewall, the visitor is shown a white page, shown a block message or redirected to another website. He cannot use your website!

It is then up to the visitor to contact you as site maintainer and ask why he is blocked. You can then investigate and decide if you want to place the IP address on the whitelist, granting the visitor access to your website again. The success of this process depends highly on the visitor: is he willing to contact you? It also depends on how quickly you can take action to whitelist this visitor. Most likely the visitor doesn't contact you, and if he does, your action is likely too late.

The visitor will leave your site (as it doesn't work for him), and possibly not come back.

Solution: New block mode > Allow Override

Starting from version 0.3.0 of ochSimpleFirewall, you can configure the block mode with a 4th mode: Allow Override.

When you configure this block mode and the user is blocked by ochSimpleFirewall, he is directly prompted with a form. After he completes the captcha and submits the form, the user's current browser session is immediately whitelisted and he can use your website as if he wasn't blocked.

Note that only the current browser session is whitelisted. When the user closes his browser and later visits your site again, he is prompted with the block form again and must make another valid submission to be whitelisted for that new browser session.

IP addresses that are on the manual blacklist are never allowed to whitelist themselves! This is important as it gives you the means to totally block an IP address, catching those abusers that manually whitelist themselves.

In ochSimpleFirewall you can configure an email notification for every successful whitelist by a visitor: you will receive an email, and based on the information in it you can decide whether to put this IP address on the whitelist, put it on the blacklist, or leave it as is (the user needs to manually whitelist himself over and over again). Every whitelist action, successful or unsuccessful, is also logged.
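
The Allow Override rules described above, modelled as an added example (this is not ochSimpleFirewall's own code). The class and method names, the session dictionary and the choice to store the visitor's IP with the override are assumptions made for illustration; the captcha check itself is assumed to happen elsewhere and arrives as a boolean.

```python
import ipaddress


class OverrideGate:
    """Hypothetical model of the Allow Override decision; not ochSimpleFirewall code."""

    def __init__(self, blocklist, manual_blacklist):
        self.blocklist = [ipaddress.ip_network(n) for n in blocklist]
        self.manual_blacklist = [ipaddress.ip_network(n) for n in manual_blacklist]
        self.log = []  # every override attempt, successful or not

    @staticmethod
    def _listed(ip, networks):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in networks)

    def decide(self, ip, session):
        """Return 'allow', 'block' or 'challenge' for one request."""
        if self._listed(ip, self.manual_blacklist):
            return "block"  # manual blacklist: no override form is offered
        if not self._listed(ip, self.blocklist):
            return "allow"
        # Assumption: the override is stored in the session together with the IP,
        # so a session that shows up from another listed IP is challenged again.
        if session.get("override_ip") == ip:
            return "allow"
        return "challenge"

    def submit_override(self, ip, session, captcha_ok):
        """Handle a submitted block form; captcha_ok comes from the captcha check."""
        ok = bool(captcha_ok) and self.decide(ip, session) == "challenge"
        if ok:
            session["override_ip"] = ip  # lives only as long as the session
        self.log.append((ip, "override_ok" if ok else "override_failed"))
        return ok


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges).
    gate = OverrideGate(["203.0.113.0/24"], ["198.51.100.7/32"])
    session = {}
    print(gate.decide("203.0.113.5", session))                 # challenge
    print(gate.submit_override("203.0.113.5", session, True))  # True
    print(gate.decide("203.0.113.5", session))                 # allow
    print(gate.decide("203.0.113.5", {}))                      # challenge
    print(gate.submit_override("198.51.100.7", {}, True))      # False
    print(gate.log)
```

The override log is the data to review when deciding between whitelist, blacklist or leaving an address as is: repeated successful overrides from one address across many sessions stand out there.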

Result: Happy (blocked) visitors!

Not only do you give your visitor the invaluable information that his IP address is on a managed blocklist (the visitor's computer can be infected with malware without him knowing it), you also allow your visitor to identify himself as a legitimate 'human' (not a bot) and grant him (temporary) access!

