Merge pull request #460 from guusdk/OF-1007

OF-1007: Supplement existing client-to-server whitelisting with blacklisting

src/i18n/openfire_i18n_cs_CZ.properties

@@ -2444,6 +2444,13 @@ user.properties.isadmin=User has administrative privileges.
 
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
+
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 
 # Client Connections Settings page

src/i18n/openfire_i18n_de.properties

@@ -2407,6 +2407,12 @@ user.properties.isadmin=User has administrative privileges.
 
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 
 # Client Connections Settings page

src/i18n/openfire_i18n_en.properties

@@ -1399,9 +1399,15 @@ reg.settings.only_registered_login=Only registered users may login.
 reg.settings.allowed_ips=Restrict Login
 reg.settings.allowed_ips_info=Use the form below to define the IP addresses or IP address ranges \
         that are allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
-        that clients will be able to connect from any IP address.
-reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
-reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+        that clients will be able to connect from any IP address (unless a blacklist is in place).
+reg.settings.ips_all=Restrict ALL (including anonymous) logins to these IP's:
+reg.settings.ips_anonymous=Restrict anonymous logins to these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 
 # Server db Page
 

src/i18n/openfire_i18n_es.properties

@@ -2465,6 +2465,12 @@ user.properties.isadmin=El usuario tiene privilegios de administrador.
 
 reg.settings.ips_all=Restringir TODOS los ingresos de estas IPs:
 reg.settings.ips_anonymous=Restringir ingresos anonimos de estas IPs:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Aceptar certificados auto-firmados. Server dialback sobre TLS esta habilitado.
 
 # Client Connections Settings page

src/i18n/openfire_i18n_fr.properties

@@ -2020,6 +2020,12 @@ user.properties.isadmin=User has administrative privileges.
 
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 
 # Client Connections Settings page

src/i18n/openfire_i18n_ja_JP.properties

@@ -2391,6 +2391,12 @@ user.properties.isadmin=User has administrative privileges.
 
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 
 # Client Connections Settings page

src/i18n/openfire_i18n_nl.properties

@@ -2409,6 +2409,12 @@ user.properties.isadmin=User has administrative privileges.
 
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 
 # Client Connections Settings page

src/i18n/openfire_i18n_pl_PL.properties

@@ -2378,6 +2378,12 @@ user.properties.isadmin=User has administrative privileges.
 
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 
 # Client Connections Settings page

src/i18n/openfire_i18n_pt_BR.properties

@@ -2411,6 +2411,12 @@ user.properties.isadmin=User has administrative privileges.
 
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 
 # Client Connections Settings page

src/i18n/openfire_i18n_pt_PT.properties

@@ -1381,6 +1381,12 @@ reg.settings.allowed_ips_info=Utilize o formul\u00e1rio abaixo para definir ende
         que os clientes est\u00e3o habilitados a ligar com qualquer IP.
 reg.settings.ips_all=Restringir TODAS (incluindo as anonimas) tentativas de acesso destes IP's:
 reg.settings.ips_anonymous=Restringir tentativas de acesso anonimas destes IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 
 # Server db Page
 

src/i18n/openfire_i18n_ru_RU.properties

@@ -821,6 +821,12 @@ reg.settings.inband_account_info=\ \u0412\u043D\u0443\u0442\u0440\u0435\u043D\u0
 reg.settings.info=\u0418\u0441\u043F\u043E\u043B\u044C\u0437\u0443\u0439\u0442\u0435 \u0444\u043E\u0440\u043C\u044B \u043D\u0438\u0436\u0435, \u0447\u0442\u043E\u0431\u044B \u0438\u0437\u043C\u0435\u043D\u044F\u0442\u044C \u0440\u0430\u0437\u043B\u0438\u0447\u043D\u044B\u0435 \u0430\u0441\u043F\u0435\u043A\u0442\u044B \u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0430\u0446\u0438\u0438 \u043F\u043E\u043B\u044C\u0437\u043E\u0432\u0430\u0442\u0435\u043B\u0435\u0439 \u0438 \u0432\u0445\u043E\u0434\u0430.
 reg.settings.ips_all=\u041E\u0433\u0440\u0430\u043D\u0438\u0447\u0438\u0442\u044C \u0434\u043E\u0441\u0442\u0443\u043F \u043A\u043E \u0432\u0441\u0435\u043C (\u0432 \u0442\u043E\u043C \u0447\u0438\u0441\u043B\u0435 \u0430\u043D\u043E\u043D\u0438\u043C\u043D\u044B\u043C) \u043B\u043E\u0433\u0438\u043D\u0430\u043C \u044D\u0442\u0438\u0445 IP's\:
 reg.settings.ips_anonymous=\u041E\u0433\u0440\u0430\u043D\u0438\u0447\u0438\u0442\u044C \u0430\u043D\u043E\u043D\u0438\u043C\u043D\u044B\u0435 \u043B\u043E\u0433\u0438\u043D\u044B \u044D\u0442\u0438\u0445 IP's\:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 reg.settings.not_auto_create=\u041F\u043E\u043B\u044C\u0437\u043E\u0432\u0430\u0442\u0435\u043B\u0438 \u043D\u0435 \u043C\u043E\u0433\u0443\u0442 \u0430\u0432\u0442\u043E\u043C\u0430\u0442\u0438\u0447\u0435\u0441\u043A\u0438 \u0441\u043E\u0437\u0434\u0430\u0432\u0430\u0442\u044C \u043D\u043E\u0432\u044B\u0435 \u0443\u0447\u0435\u0442\u043D\u044B\u0435 \u0437\u0430\u043F\u0438\u0441\u0438.
 reg.settings.only_registered_login=\u0422\u043E\u043B\u044C\u043A\u043E \u0437\u0430\u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0438\u0440\u043E\u0432\u0430\u043D\u043D\u044B\u0435 \u043F\u043E\u043B\u044C\u0437\u043E\u0432\u0430\u0442\u0435\u043B\u0438 \u043C\u043E\u0433\u0443\u0442 \u0432\u043E\u0439\u0442\u0438.
 reg.settings.title=\u041D\u0430\u0441\u0442\u0440\u043E\u0439\u043A\u0430 \u0440\u0435\u0433\u0438\u0441\u0442\u0440\u0430\u0446\u0438\u0438

src/i18n/openfire_i18n_sk.properties

@@ -2247,6 +2247,12 @@ security.audit.viewer.view_url=Nasledovn\u00fd URL odkazuje na prehliada\u010d z
 security.audit.viewer.view_url.url=URL
 reg.settings.ips_all=Obmedzi\u0165 V\u0160ETKY (vr\u00e1tane anonymn\u00fdch) prihl\u00e1sen\u00ed na tieto IP adresy:
 reg.settings.ips_anonymous=Obmedzi\u0165 anonymn\u00e9 prihl\u00e1senia na tieto IP adresy:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Akceptova\u0165 certifik\u00e1ty podp\u00edsan\u00e9 sebou sam\u00fd. Sp\u00e4tn\u00e9 volanie servera prostredn\u00edctvom TLS je teraz dostupn\u00e9.
 
 # Client Connections Settings page

src/i18n/openfire_i18n_zh_CN.properties

@@ -2303,6 +2303,12 @@ user.create.isadmin=\u662F\u5426\u4E3A\u7BA1\u7406\u5458?
 user.create.admin_info=\u6388\u4E88 Openfire \u7BA1\u7406\u6743\u9650
 reg.settings.ips_all=Restrict ALL (including anonymous) logins by these IP's:
 reg.settings.ips_anonymous=Restrict anonymous logins by these IP's:
+reg.settings.allowed_ips_blocked_info=Use the form below to define the IP addresses or IP address ranges \
+        that are not allowed to login. E.g.: 200.120.90.10, 200.125.80.*. Leaving the form empty means \
+        that clients will be able to connect from any IP address, unless a whitelist (see below) is in place. \
+        Note that entries on the 'blocked' list (here) will always take precedence over entries on the 'allowed' \
+        lists below.
+reg.settings.ips_blocked=Do not allow any logins from these IP's:
 ssl.settings.client.label_self-signed=Accept self-signed certificates. Server dialback over TLS is now available.
 
 # Client Connections Settings page

src/java/org/jivesoftware/openfire/handler/IQAuthHandler.java

@@ -330,26 +330,7 @@ public class IQAuthHandler extends IQHandler implements IQAuthInfo {
         IQ response = IQ.createResultIQ(packet);
         if (anonymousAllowed) {
             // Verify that client can connect from his IP address
-            boolean forbidAccess = false;
-            try {
-                String hostAddress = session.getConnection().getHostAddress();
-                if (!LocalClientSession.getAllowedAnonymIPs().isEmpty() &&
-                        !LocalClientSession.getAllowedAnonymIPs().containsKey(hostAddress)) {
-                    byte[] address = session.getConnection().getAddress();
-                    String range1 = (address[0] & 0xff) + "." + (address[1] & 0xff) + "." +
-                            (address[2] & 0xff) +
-                            ".*";
-                    String range2 = (address[0] & 0xff) + "." + (address[1] & 0xff) + ".*.*";
-                    String range3 = (address[0] & 0xff) + ".*.*.*";
-                    if (!LocalClientSession.getAllowedAnonymIPs().containsKey(range1) &&
-                            !LocalClientSession.getAllowedAnonymIPs().containsKey(range2) &&
-                            !LocalClientSession.getAllowedAnonymIPs().containsKey(range3)) {
-                        forbidAccess = true;
-                    }
-                }
-            } catch (UnknownHostException e) {
-                forbidAccess = true;
-            }
+            boolean forbidAccess = !LocalClientSession.isAllowedAnonymous( session.getConnection() );
             if (forbidAccess) {
                 // Connection forbidden from that IP address
                 response.setChildElement(packet.getChildElement().createCopy());

src/java/org/jivesoftware/openfire/net/SASLAuthentication.java

@@ -472,26 +472,7 @@ public class SASLAuthentication {
     private static Status doAnonymousAuthentication(LocalSession session) {
         if (XMPPServer.getInstance().getIQAuthHandler().isAnonymousAllowed()) {
             // Verify that client can connect from his IP address
-            boolean forbidAccess = false;
-            try {
-                String hostAddress = session.getConnection().getHostAddress();
-                if (!LocalClientSession.getAllowedAnonymIPs().isEmpty() &&
-                        !LocalClientSession.getAllowedAnonymIPs().containsKey(hostAddress)) {
-                    byte[] address = session.getConnection().getAddress();
-                    String range1 = (address[0] & 0xff) + "." + (address[1] & 0xff) + "." +
-                            (address[2] & 0xff) +
-                            ".*";
-                    String range2 = (address[0] & 0xff) + "." + (address[1] & 0xff) + ".*.*";
-                    String range3 = (address[0] & 0xff) + ".*.*.*";
-                    if (!LocalClientSession.getAllowedAnonymIPs().containsKey(range1) &&
-                            !LocalClientSession.getAllowedAnonymIPs().containsKey(range2) &&
-                            !LocalClientSession.getAllowedAnonymIPs().containsKey(range3)) {
-                        forbidAccess = true;
-                    }
-                }
-            } catch (UnknownHostException e) {
-                forbidAccess = true;
-            }
+            boolean forbidAccess = !LocalClientSession.isAllowedAnonymous( session.getConnection() );
             if (forbidAccess) {
                 authenticationFailed(session, Failure.NOT_AUTHORIZED);
                 return Status.failed;

src/java/org/jivesoftware/openfire/session/ConnectionSettings.java

@@ -19,6 +19,7 @@ public final class ConnectionSettings {
 
         public static final String COMPRESSION_SETTINGS = "xmpp.client.compression.policy";
         public static final String LOGIN_ALLOWED = "xmpp.client.login.allowed";
+        public static final String LOGIN_BLOCKED = "xmpp.client.login.blocked";
         public static final String LOGIN_ANONYM_ALLOWED = "xmpp.client.login.allowedAnonym";
 
         public static final String MAX_THREADS = "xmpp.client.processing.threads";

src/web/reg-settings.jsp

@@ -24,11 +24,8 @@
                  org.jivesoftware.util.ParamUtils"
     errorPage="error.jsp"
 %>
-<%@ page import="java.util.HashMap"%>
-<%@ page import="java.util.Iterator"%>
-<%@ page import="java.util.Map"%>
-<%@ page import="java.util.StringTokenizer"%>
 <%@ page import="java.util.regex.Pattern" %>
+<%@ page import="java.util.*" %>
 
 <%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
 <%@ taglib uri="http://java.sun.com/jsp/jstl/fmt" prefix="fmt" %>
@@ -51,6 +48,7 @@
     boolean anonLogin = ParamUtils.getBooleanParameter(request, "anonLogin");
     String allowedIPs = request.getParameter("allowedIPs");
     String allowedAnonymIPs = request.getParameter("allowedAnonymIPs");
+    String blockedIPs = request.getParameter("blockedIPs");
     // Get an IQRegisterHandler:
     IQRegisterHandler regHandler = XMPPServer.getInstance().getIQRegisterHandler();
     IQAuthHandler authHandler = XMPPServer.getInstance().getIQAuthHandler();
@@ -64,29 +62,39 @@
         Pattern pattern = Pattern.compile("(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.)" +
                 "(?:(?:\\*|25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){2}" +
                 "(?:\\*|25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)");
-        Map<String, String> newMap = new HashMap<String, String>();
+        Set<String> allowedSet = new HashSet<String>();
         StringTokenizer tokens = new StringTokenizer(allowedIPs, ", ");
         while (tokens.hasMoreTokens()) {
             String address = tokens.nextToken().trim();
             if (pattern.matcher(address).matches()) {
-                newMap.put(address, "");
+                allowedSet.add( address );
             }
         }
         
 
-        Map<String, String> allowedAnonymMap = new HashMap<String, String>();
+        Set<String> allowedAnonymousSet = new HashSet<String>();
         StringTokenizer tokens1 = new StringTokenizer(allowedAnonymIPs, ", ");
         while (tokens1.hasMoreTokens()) {
             String address = tokens1.nextToken().trim();
             if (pattern.matcher(address).matches()) {
-                allowedAnonymMap.put(address, "");
+                allowedAnonymousSet.add( address );
             }
         }
-        LocalClientSession.setAllowedIPs(newMap);
-        LocalClientSession.setAllowedAnonymIPs(allowedAnonymMap);
+
+        Set<String> blockedSet = new HashSet<String>();
+        StringTokenizer tokens2 = new StringTokenizer(blockedIPs, ", ");
+        while (tokens2.hasMoreTokens()) {
+            String address = tokens2.nextToken().trim();
+            if (pattern.matcher(address).matches()) {
+                blockedSet.add( address );
+            }
+        }
+        LocalClientSession.setWhitelistedIPs( allowedSet );
+        LocalClientSession.setWhitelistedAnonymousIPs( allowedAnonymousSet );
+        LocalClientSession.setBlacklistedIPs( blockedSet );
 
         // Log the event
-        webManager.logEvent("edited registration settings", "inband enabled = "+inbandEnabled+"\ncan change password = "+canChangePassword+"\nanon login = "+anonLogin+"\nallowed ips = "+allowedIPs);
+        webManager.logEvent("edited registration settings", "inband enabled = "+inbandEnabled+"\ncan change password = "+canChangePassword+"\nanon login = "+anonLogin+"\nallowed ips = "+allowedIPs+"\nblocked ips = "+blockedIPs);
     }
 
     // Reset the value of page vars:
@@ -95,7 +103,7 @@
     anonLogin = authHandler.isAnonymousAllowed();
     // Encode the allowed IP addresses
     StringBuilder buf = new StringBuilder();
-    Iterator<String> iter = org.jivesoftware.openfire.session.LocalClientSession.getAllowedIPs().keySet().iterator();
+    Iterator<String> iter = org.jivesoftware.openfire.session.LocalClientSession.getWhitelistedIPs().iterator();
     if (iter.hasNext()) {
         buf.append(iter.next());
     }
@@ -105,7 +113,7 @@
     allowedIPs = buf.toString();
 
     StringBuilder buf1 = new StringBuilder();
-    Iterator<String> iter1 = org.jivesoftware.openfire.session.LocalClientSession.getAllowedAnonymIPs().keySet().iterator();
+    Iterator<String> iter1 = org.jivesoftware.openfire.session.LocalClientSession.getWhitelistedAnonymousIPs().iterator();
     if (iter1.hasNext()) {
         buf1.append(iter1.next());
     }
@@ -113,6 +121,17 @@
         buf1.append(", ").append(iter1.next());
     }
     allowedAnonymIPs = buf1.toString();
+
+    StringBuilder buf2 = new StringBuilder();
+    Iterator<String> iter2 = org.jivesoftware.openfire.session.LocalClientSession.getBlacklistedIPs().iterator();
+    if (iter2.hasNext()) {
+        buf2.append(iter2.next());
+    }
+    while (iter2.hasNext()) {
+        buf2.append(", ").append(iter2.next());
+    }
+    blockedIPs = buf2.toString();
+
 %>
 
 <p>
@@ -234,6 +253,20 @@
 	<br>
 
 	<h4><fmt:message key="reg.settings.allowed_ips" /></h4>
+    <p>
+        <fmt:message key="reg.settings.allowed_ips_blocked_info" />
+    </p>
+    <table cellpadding="3" cellspacing="0" border="0" width="100%">
+        <tbody>
+        <tr>
+            <td valign='top'><b><fmt:message key="reg.settings.ips_blocked" /></b></td>
+            <td>
+                <textarea name="blockedIPs" cols="40" rows="3" wrap="virtual"><%= ((blockedIPs != null) ? blockedIPs : "") %></textarea>
+            </td>
+        </tr>
+        </tbody>
+    </table>
+
 	<p>
     <fmt:message key="reg.settings.allowed_ips_info" />
     </p>