Range blocks/Ru
For administrators who understand CIDR
Sysops on all wikis now have the ability to block ranges. Before you can block an IP range, you need to put "$wgSysopRangeBans = true;" in your LocalSettings.php file. After you have enabled range blocking, you will be able to enter a subnet specification in CIDR notation into the Special:Blockip address box. For example, 12.64.96.0/24 blocks all addresses between 12.64.96.0 and 12.64.96.255. Note that even registered users using these IPs will be blocked too.
Note that 12.64.96.128/24 will not do what you expect. The /24 designation means that the first 24 bits specify the network. So 12.64.96.128/24 is the same as 12.64.96.0/24. The last 32-N bits are not significant, and are automatically set to zero in the software.
MediaWiki only supports CIDR suffixes between 16 and 31, inclusive (as of 23 May 2005). Therefore, for example, 12.64.96.128/8 will be rejected.
Here is a chart of network prefix lengths, showing the number of addresses in each block and indicating which part of the IP address changes between the start and end of the range. For example, /16 has a 1 in the 2nd byte column, which means that if you block 142.177.0.0/16, the range is 142.177.0.0 to 142.177.255.255; that is, it blocks for one value of the first two sections of the IP.
Do not use range blocks unless you are sure you understand what you are doing!
Prefix length | Number of addresses blocked | 1st byte | 2nd byte | 3rd byte | 4th byte |
0 | 4294967296 | 256 | | | |
1 | 2147483648 | 128 | | | |
2 | 1073741824 | 64 | | | |
3 | 536870912 | 32 | | | |
4 | 268435456 | 16 | | | |
5 | 134217728 | 8 | | | |
6 | 67108864 | 4 | | | |
7 | 33554432 | 2 | | | |
8 | 16777216 | 1 | 256 | | |
9 | 8388608 | | 128 | | |
10 | 4194304 | | 64 | | |
11 | 2097152 | | 32 | | |
12 | 1048576 | | 16 | | |
13 | 524288 | | 8 | | |
14 | 262144 | | 4 | | |
15 | 131072 | | 2 | | |
16 | 65536 | | 1 | 256 | |
17 | 32768 | | | 128 | |
18 | 16384 | | | 64 | |
19 | 8192 | | | 32 | |
20 | 4096 | | | 16 | |
21 | 2048 | | | 8 | |
22 | 1024 | | | 4 | |
23 | 512 | | | 2 | |
24 | 256 | | | 1 | 256 |
25 | 128 | | | | 128 |
26 | 64 | | | | 64 |
27 | 32 | | | | 32 |
28 | 16 | | | | 16 |
29 | 8 | | | | 8 |
30 | 4 | | | | 4 |
31 | 2 | | | | 2 |
32 | 1 | | | | 1 |
Range blocks for dummies
This section is intended for administrators who did not understand a thing of what is written above.
How not to do it
Never block ranges unless you are 100% sure of what you are doing. The cost of a mistake is high: you may inadvertently block far more people than you intended.
The easiest way to explain this technique is to give an example. Suppose you want to block the following IPs:
- 208.147.11.2 --> 208.147.11.16 (i.e. 15 addresses)
Do you think you need to write 208.147.11.2/16 to do this? That would be a very serious mistake! It would block
- 208.147.0.0 --> 208.147.255.255 (2^16 = ~65 thousand addresses!)
That is because /16 indicates the number of bits that the blocked addresses have in common. Now that you know what not to do, let's move on to the opposite.
How you should do it
Technical preamble
An IP address is usually written in dotted decimal notation to make it easy for humans to read, but it is actually a 32-bit binary number. For example
- 208.147.11.2 can be written as 11010000100100110000101100000010
(You can see why the dotted decimal notation is preferred by humans! But machines can only understand binary.) The dotted decimal notation splits these 32 bits up into four blocks of 8, then represents each 8-bit binary number as its decimal value.
The /16 means only take the first 16 bits into account, i.e. 1101000010010011 (208.147.foo.bar). The block will block any address that starts 208.147. no matter what the rest of the digits read.
Likewise a /24 will include the first 24 bits (the first three numbers of the dotted decimal). So 208.147.11.0/24 will block
- 208.147.11.0 --> 208.147.11.255 inclusive
How to actually work out the block
With a /16 and a /24 it is easy to see what will happen (because they are multiples of 8): they will block all addresses that have the first 2 (or 3) sections of the dotted decimal IP address in common. Likewise a /8 would block 256^3 addresses (except that you are not allowed to do a /8, as it would cut out far too many people in one go). Sometimes, however, you may not want to block as many as 256 addresses. If we take our earlier example, you may only want to block 208.147.11.2 --> 208.147.11.16. In this case you need to actually write out the binary expansion of the last number in the dotted decimal address. Let's look at how you do that.
- Write out the following
128 64 32 16 8 4 2 1
Underneath work out the digits of the decimal number
128 64 32 16  8  4  2  1
  0  0  0  0  0  0  1  0  (.2)
  0  0  0  1  0  0  0  0  (.16)
As you can see the first and last numbers differ only in the last 5 binary digits (the first three digits (128, 64, 32) are identical). So a suitable block would be 208.147.11.0/27. Note that this would still block some innocent numbers. For example the number 00011101 (.29) would be blocked. In fact this block will block a total of 32 numbers, which is a lot better than blocking 256. If you're really worried you could block 208.147.11.0/28 (which would block .0 to .15) and then block 208.147.11.16 separately.
Another example
Just to make sure, let's do another one. Suppose you want to block
- 121.22.98.187 --> 121.22.98.194
Note the first three numbers of the address are the same, so /24 would certainly block everything you want, but again it would block a whole lot more as well. So let's write out 187 and 194 as binary numbers
128 64 32 16  8  4  2  1
  1  0  1  1  1  0  1  1  (.187)
  1  1  0  0  0  0  1  0  (.194)
They have an identical first digit but differ after that, so 121.22.98.128/25 should do the trick (the 128 is because we set all of the last five digits=0), but note that this blocks 128 addresses when we only want to block 8.
Here splitting the range block into two or more smaller blocks may be a better strategy. For example, if we use a /29 block we will lose the last 3 binary digits. Setting the last three digits of .187 to zero gives .184, and 121.22.98.184/29 will block .184 --> .191. That leaves .192 --> .194, which we could block individually, or we could do 121.22.98.192/30, which blocks .192 --> .195. We still have a few innocent addresses caught up in the blocks (.184, .185, .186, .187, .195), but not nearly as many as with a /24 or a /25.
Can't be bothered to work all this stuff out manually? Don't worry, there are tools on the net that do all the hard work for you, such as this netmask calculator.
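The hand calculation from the two worked examples above, as an added Python example (not part of the original page and not MediaWiki's own code). The function names are illustrative assumptions, and the /16 to /31 limits are the ones stated on this page; the example also goes one step further than the text by listing the exact set of blocks that covers a range with no innocent addresses.

```python
import ipaddress

# Prefix limits stated on this page for MediaWiki range blocks (as of 23 May 2005).
MIN_PREFIX, MAX_PREFIX = 16, 31


def normalize(cidr):
    """Zero the last 32-N bits, as the page describes, and enforce the limits."""
    net = ipaddress.ip_network(cidr, strict=False)  # strict=False masks host bits
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"/{net.prefixlen} is outside /{MIN_PREFIX}-/{MAX_PREFIX}")
    return net


def covering_block(first, last):
    """Smallest single CIDR block containing first..last, plus collateral count."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("first address must not be above last address")
    # The highest bit in which the two ends differ fixes how many trailing
    # bits must be left free; everything before it is the shared prefix.
    host_bits = (lo ^ hi).bit_length()
    base = (lo >> host_bits) << host_bits  # set the free bits to zero
    net = ipaddress.IPv4Network((base, 32 - host_bits))
    collateral = net.num_addresses - (hi - lo + 1)
    return net, collateral


def exact_blocks(first, last):
    """Shortest list of CIDR blocks covering first..last and nothing else."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))


if __name__ == "__main__":
    # The two ranges used as examples on this page.
    for first, last in [("208.147.11.2", "208.147.11.16"),
                        ("121.22.98.187", "121.22.98.194")]:
        net, extra = covering_block(first, last)
        print(f"{first} --> {last}")
        print(f"  one block : {net} ({extra} addresses blocked unintentionally)")
        print("  exact set :", ", ".join(str(b) for b in exact_blocks(first, last)))
    print(normalize("12.64.96.128/24"))  # host bits are dropped
```

A /32 entry in the exact set is a single address, which is blocked as an ordinary IP rather than as a range.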
Sample block chart
Remember, however, MediaWiki only supports CIDR suffixes between 16 and 31.
CIDR | Beg Range | End Range | # of addresses | Bits selected in IP address |
69.208.0.0/0 | 0.0.0.0 | 255.255.255.255 | 4,294,967,296 | ********.********.********.******** |
69.208.0.0/1 | 0.0.0.0 | 127.255.255.255 | 2,147,483,648 | 0*******.********.********.******** |
69.208.0.0/4 | 65.0.0.0 | 79.255.255.255 | 268,435,456 | 0100****.********.********.******** |
69.208.0.0/8 | 69.0.0.0 | 69.255.255.255 | 67,108,864 | 01000101.********.********.******** |
69.208.0.0/11 | 69.208.0.0 | 69.238.255.255 | 2,197,152 | 01000101.110*****.********.******** |
69.208.0.0/12 | 69.208.0.0 | 69.223.255.255 | 1,048,576 | 01000101.1101****.********.******** |
69.208.0.0/13 | 69.208.0.0 | 69.215.255.255 | 524,288 | 01000101.11010***.********.******** |
69.208.0.0/14 | 69.208.0.0 | 69.211.255.255 | 262,144 | 01000101.110100**.********.******** |
69.208.0.0/15 | 69.208.0.0 | 69.209.255.255 | 131,072 | 01000101.1101000*.********.******** |
69.208.0.0/16 | 69.208.0.0 | 69.208.255.255 | 65,536 | 01000101.11010000.********.******** |
69.208.0.0/17 | 69.208.0.0 | 69.208.127.255 | 32,768 | 01000101.11010000.0*******.******** |
69.208.0.0/18 | 69.208.0.0 | 69.208.63.255 | 16,384 | 01000101.11010000.00******.******** |
69.208.0.0/19 | 69.208.0.0 | 69.208.31.255 | 8,192 | 01000101.11010000.000*****.******** |
69.208.0.0/20 | 69.208.0.0 | 69.208.15.255 | 4,096 | 01000101.11010000.0000****.******** |
69.208.0.0/21 | 69.208.0.0 | 69.208.7.255 | 2,048 | 01000101.11010000.00000***.******** |
69.208.0.0/22 | 69.208.0.0 | 69.208.3.255 | 1,024 | 01000101.11010000.000000**.******** |
69.208.0.0/23 | 69.208.0.0 | 69.208.1.255 | 512 | 01000101.11010000.0000000*.******** |
69.208.0.0/24 | 69.208.0.0 | 69.208.0.255 | 256 | 01000101.11010000.00000000.******** |
69.208.0.0/25 | 69.208.0.0 | 69.208.0.127 | 128 | 01000101.11010000.00000000.0******* |
69.208.0.0/26 | 69.208.0.0 | 69.208.0.63 | 64 | 01000101.11010000.00000000.00****** |
69.208.0.0/27 | 69.208.0.0 | 69.208.0.31 | 32 | 01000101.11010000.00000000.000***** |
69.208.0.0/28 | 69.208.0.0 | 69.208.0.15 | 16 | 01000101.11010000.00000000.0000**** |
69.208.0.0/29 | 69.208.0.0 | 69.208.0.7 | 8 | 01000101.11010000.00000000.00000*** |
69.208.0.0/30 | 69.208.0.0 | 69.208.0.3 | 4 | 01000101.11010000.00000000.000000** |
69.208.0.0/31 | 69.208.0.0 | 69.208.0.1 | 2 | 01000101.11010000.00000000.0000000* |
69.208.0.0/32 | 69.208.0.0 | 69.208.0.0 | 1 | 01000101.11010000.00000000.00000000 |
For example,
- 69.208.0.0/16 would block 65,536 addresses ranging from 69.208.0.0 thru 69.208.255.255
- 69.208.0.0/24 would block 256 addresses ranging from 69.208.0.0 thru 69.208.0.255
Final words of advice
If you've read the above and think you understand what to do, then do so cautiously. Post a note at the village pump/staff lounge (or whatever the general meeting place is on your wiki) explaining what you have done, so that other users can check you haven't done something unpopular (like blocking all AOL users).