Range blocks/Ru

From Meta, a Wikimedia project coordination wiki

For administrators who understand CIDR

Sysops on all wikis now have the ability to block ranges. Before you can block an IP range, you need to put "$wgSysopRangeBans = true;" in your LocalSettings.php file. After you have enabled range blocking, you will be able to enter a subnet specification in CIDR notation into the Special:Blockip address box. For example, 12.64.96.0/24 blocks all addresses between 12.64.96.0 and 12.64.96.255. Note that registered users editing from these IPs will be blocked too.

Note that 12.64.96.128/24 will not do what you might expect. The /24 designation means that the first 24 bits specify the network, so 12.64.96.128/24 is the same as 12.64.96.0/24. The last 32−N bits (the host bits) are not significant and are automatically set to zero by the software.

MediaWiki only supports CIDR suffixes between 16 and 31, inclusive (as of 23 May 2005). Therefore, for example, 12.64.96.128/8 will be rejected.

Here is a chart of network prefix lengths, showing the number of addresses in each block and indicating which part of the IP address changes between the start and end of the range. For example, /16 has a 1 in the 2nd byte column, which means that if you block 142.177.0.0/16 the range is 142.177.0.0 to 142.177.255.255, i.e. it blocks one value of each of the first two sections of the IP address.

Do not use range blocks unless you are sure you understand what you are doing!

Prefix length  Addresses blocked  1st byte  2nd byte  3rd byte  4th byte
/0             4294967296         256
/1             2147483648         128
/2             1073741824         64
/3             536870912          32
/4             268435456          16
/5             134217728          8
/6             67108864           4
/7             33554432           2
/8             16777216           1         256
/9             8388608                      128
/10            4194304                      64
/11            2097152                      32
/12            1048576                      16
/13            524288                       8
/14            262144                       4
/15            131072                       2
/16            65536                        1         256
/17            32768                                  128
/18            16384                                  64
/19            8192                                   32
/20            4096                                   16
/21            2048                                   8
/22            1024                                   4
/23            512                                    2
/24            256                                    1         256
/25            128                                              128
/26            64                                               64
/27            32                                               32
/28            16                                               16
/29            8                                                8
/30            4                                                4
/31            2                                                2
/32            1                                                1

Range blocks for dummies

This section is intended for administrators who did not understand a damn thing of what was written above.

How not to do it

Never block ranges unless you are 100% sure of what you are doing. The cost of a mistake is high: you may accidentally block far more people than you intended.

The easiest way to explain this technique is with an example. Suppose you want to block the following IPs:

208.147.11.2 --> 208.147.11.16     (i.e. 15 addresses)

Do you think that you should write 208.147.11.2/16 for this? That would be a very serious mistake! It would block

208.147.0.0 --> 208.147.255.255     (2¹⁶ = ~65 thousand addresses!)

That is because /16 indicates the number of bits that the blocked addresses have in common. Now that you know what not to do, let's move on to the opposite.

How you should do it

Technical preamble

An IP address is usually written in dotted-decimal notation to make it easy for humans to read, but it is actually a 32-bit binary number. For example

208.147.11.2 can be written as 11010000100100110000101100000010

(You can see why dotted-decimal notation is preferred by humans! But machines only understand binary.) The dotted-decimal notation splits these 32 bits into four blocks of 8, then writes each 8-bit binary number as its decimal value.

The /16 means only the first 16 bits are taken into account, i.e. 1101000010010011 (208.147.foo.bar): the block will catch any address that starts with 208.147., no matter what the rest of the digits read.

Likewise a /24 covers the first 24 bits (the first three numbers of the dotted-decimal form). So 208.147.11.0/24 will block

208.147.11.0 --> 208.147.11.255 inclusive

How to actually work out the block

With a /16 or a /24 it is easy to see what will happen, because they are multiples of 8: they block all addresses that share the first 2 (or 3) sections of the dotted-decimal IP address. Likewise a /8 would block 256³ addresses (except that you are not allowed to do a /8, as it would cut out far too many people in one go). Sometimes, however, you may not want to block as many as 256 addresses. In our earlier example you may only want to block 208.147.11.2 --> 208.147.11.16. In this case you need to write out the binary expansion of the last number in the dotted-decimal address. Let's look at how you do that.

Write out the following:

128  64  32  16  8  4  2  1

Underneath, work out the binary digits of the decimal number:

128   64   32   16   8   4   2   1
 0     0    0    0   0   0   1   0      (.2)
 0     0    0    1   0   0   0   0      (.16)

As you can see, the first and last numbers differ only in the last 5 binary digits (the first three digits (128, 64, 32) are identical). So a suitable block would be 208.147.11.0/27. Note that this would still block some innocent addresses: for example 00011101 (.29) would be blocked. In fact this block covers a total of 32 addresses, which is a lot better than blocking 256. If you're really worried you could block 208.147.11.0/28 (which covers .0 to .15) and then block 208.147.11.16 separately.

Another example

Just to make sure, let's do another one. Suppose you want to block

121.22.98.187 --> 121.22.98.194

Note that the first three numbers of the address are the same, so /24 would certainly block everything you want, but again it would block a whole lot more as well. So let's write out 187 and 194 as binary numbers:

128   64   32   16   8   4   2   1
 1     0    1    1   1   0   1   1  (.187)
 1     1    0    0   0   0   1   0  (.194)

They have an identical first digit but differ after that, so 121.22.98.128/25 should do the trick (the 128 is because we set all of the last five digits to 0), but note that this blocks 128 addresses when we only want to block 8.

Here splitting the range block into two or more smaller blocks may be a better strategy. For example, if we use a /29 block we lose the last 3 binary digits. Setting the last three digits of .187 to zero gives .184, and 121.22.98.184/29 will block .184 --> .191. That leaves .192 --> .194, which we could block individually, or we could do 121.22.98.192/30, which blocks .192 --> .195. We still have a few innocent addresses caught up in the blocks (.184, .185, .186, .187, .195), but not nearly as many as with a /24 or a /25.

Can't be bothered to work all this out manually? Don't worry, there are tools on the net that do the hard work for you, such as an online netmask calculator.
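As an added example (not part of the original page), the manual method from the two worked examples above done in Python with the standard ipaddress module: smallest_covering_block finds the single block from the shared leading bits, exact_blocks does the "split into smaller blocks" strategy, innocents counts the addresses caught that you did not ask for, and cidr_span shows what a block such as 12.64.96.128/24 really covers once the host bits are zeroed. The 16..31 suffix limit quoted in the first section is carried as the assumed constants MIN_PREFIX and MAX_PREFIX.

```python
import ipaddress

# Suffix range this page says MediaWiki accepts (as of 23 May 2005); assumed constant names.
MIN_PREFIX, MAX_PREFIX = 16, 31

def cidr_span(cidr):
    """Zero the host bits as the software does and return what the block really
    covers: (first address, last address, number of addresses)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses

def mediawiki_accepts(cidr):
    """True only for prefix lengths inside the range the page says is accepted."""
    return MIN_PREFIX <= ipaddress.ip_network(cidr, strict=False).prefixlen <= MAX_PREFIX

def smallest_covering_block(first, last):
    """The single block the manual method yields: keep the leading bits the two
    ends share, zero everything after them."""
    a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    prefix = 32
    while prefix > 0 and (a >> (32 - prefix)) != (b >> (32 - prefix)):
        prefix -= 1
    network = a & ((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)
    return f"{ipaddress.ip_address(network)}/{prefix}"

def exact_blocks(first, last):
    """Fewest CIDR blocks covering exactly first..last and nothing else (the
    'split into smaller blocks' strategy), worked out with bit arithmetic."""
    a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    blocks = []
    while a <= b:
        prefix = 32
        # Grow the block while its start stays aligned and its end stays <= last.
        while prefix > 0:
            size = 1 << (33 - prefix)
            if a % size or a + size - 1 > b:
                break
            prefix -= 1
        blocks.append(f"{ipaddress.ip_address(a)}/{prefix}")
        a += 1 << (32 - prefix)
    return blocks

def innocents(first, last, cidr):
    """Addresses inside `cidr` that lie outside the range you meant to block."""
    net = ipaddress.ip_network(cidr, strict=False)
    a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    lo, hi = int(net.network_address), int(net.broadcast_address)
    return net.num_addresses - max(0, min(b, hi) - max(a, lo) + 1)
```

For the first example, exact_blocks gives four blocks (/31, /30, /29 and a single /32) that together catch nobody outside .2 to .16, against 17 bystanders for the single /27.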

Sample block chart

Remember, however, that MediaWiki only supports CIDR suffixes between 16 and 31 inclusive.

CIDR           Start         End              Addresses      Bits selected in the IP address
69.208.0.0/0   0.0.0.0       255.255.255.255  4,294,967,296  ********.********.********.********
69.208.0.0/1   0.0.0.0       127.255.255.255  2,147,483,648  0*******.********.********.********
69.208.0.0/4   64.0.0.0      79.255.255.255   268,435,456    0100****.********.********.********
69.208.0.0/8   69.0.0.0      69.255.255.255   16,777,216     01000101.********.********.********
69.208.0.0/11  69.192.0.0    69.223.255.255   2,097,152      01000101.110*****.********.********
69.208.0.0/12  69.208.0.0    69.223.255.255   1,048,576      01000101.1101****.********.********
69.208.0.0/13  69.208.0.0    69.215.255.255   524,288        01000101.11010***.********.********
69.208.0.0/14  69.208.0.0    69.211.255.255   262,144        01000101.110100**.********.********
69.208.0.0/15  69.208.0.0    69.209.255.255   131,072        01000101.1101000*.********.********
69.208.0.0/16  69.208.0.0    69.208.255.255   65,536         01000101.11010000.********.********
69.208.0.0/17  69.208.0.0    69.208.127.255   32,768         01000101.11010000.0*******.********
69.208.0.0/18  69.208.0.0    69.208.63.255    16,384         01000101.11010000.00******.********
69.208.0.0/19  69.208.0.0    69.208.31.255    8,192          01000101.11010000.000*****.********
69.208.0.0/20  69.208.0.0    69.208.15.255    4,096          01000101.11010000.0000****.********
69.208.0.0/21  69.208.0.0    69.208.7.255     2,048          01000101.11010000.00000***.********
69.208.0.0/22  69.208.0.0    69.208.3.255     1,024          01000101.11010000.000000**.********
69.208.0.0/23  69.208.0.0    69.208.1.255     512            01000101.11010000.0000000*.********
69.208.0.0/24  69.208.0.0    69.208.0.255     256            01000101.11010000.00000000.********
69.208.0.0/25  69.208.0.0    69.208.0.127     128            01000101.11010000.00000000.0*******
69.208.0.0/26  69.208.0.0    69.208.0.63      64             01000101.11010000.00000000.00******
69.208.0.0/27  69.208.0.0    69.208.0.31      32             01000101.11010000.00000000.000*****
69.208.0.0/28  69.208.0.0    69.208.0.15      16             01000101.11010000.00000000.0000****
69.208.0.0/29  69.208.0.0    69.208.0.7       8              01000101.11010000.00000000.00000***
69.208.0.0/30  69.208.0.0    69.208.0.3       4              01000101.11010000.00000000.000000**
69.208.0.0/31  69.208.0.0    69.208.0.1       2              01000101.11010000.00000000.0000000*
69.208.0.0/32  69.208.0.0    69.208.0.0       1              01000101.11010000.00000000.00000000

For example,

  • 69.208.0.0/16 would block 65,536 addresses ranging from 69.208.0.0 thru 69.208.255.255
  • 69.208.0.0/24 would block 256 addresses ranging from 69.208.0.0 thru 69.208.0.255

Final words of advice

If you've read the above and think you understand what to do, then do so cautiously. Post a note at the village pump / staff lounge (or whatever the general meeting place is on your wiki) explaining what you have done, so that other users can check you haven't done something unpopular (like blocking all AOL users).