Hilfe:Bereichssperren
Hinweis: Wenn Du diese Seite bearbeitest, stimmst Du zu, dass Dein Beitrag unter der [CC0] veröffentlicht wird. Mehr Informationen findest du auf der Public Domain Hilfeseite. |
- Siehe Hilfe:Bereichsblöcke/IPv6 für Informationen zu IPv6-Bereichssperren.
Bereichssperren sind technische Einschränkungen, die durch Special:Block an einer Gruppe von IP-Adressen vorgenommen werden, um diese an Bearbeitungen, Accounterstellungen, E-Mail-Versand oder anderen Aktionen zu hindern. Die Option "Sperre anwenden auf angemeldete Benutzer unter deren IP-Adresse" verhindert, dass die Sperre durch eingeloggte Benutzer umgangen werden kann.
Um einen IP-Bereich von Special:Block aus zu sperren, gib die erste IP-Adresse im Bereich ein, gefolgt von einem Schrägstrich und einem Classless inter-domain routing-Suffix (CIDR). Du solltest es vermeiden, Bereichssperren durchzuführen, es sei denn, du verstehst, was du tust, ansonsten könnten am Ende Zehntausende oder sogar Millionen von Menschen blockiert sein, die nicht das Problem sind!
Dieser Artikel behandelt hauptsächlich IPv4; IPv6-Blöcke funktionieren ähnlich, haben aber unterschiedliche Auswirkungen – siehe /IPv6.
Nicht-technische Erklärung
IP-Adressen werden in verschiedene Blöcke von Nummern aufgeteilt.
Ein Beispiel dafür wäre 148.20.57.0
bis 148.20.57.255
.
Sobald sie 255
erreicht, ist die nächste Zahl 148.20.58.0
.
IP-Adressen können in kleinere oder größere Blöcke aufgeteilt werden. Der kleinste praktischer Block ist ein 4er-Block. Dies könnte eines der Folgenden sein:
148.20.57.0 - 148.20.57.3
,148.20.57.4 - 148.20.57.7
,148.20.57.8 - 148.20.57.11
, ...
Von jedem aus vier Nummern bestehendem Block können nur zwei an einen Computer vergeben werden. Die ersten und letzten Zahlen eines Blocks sind für die Netzwerkkommunikation reserviert. These are level 30 blocks and can be expressed like this:
148.20.57.0/30
,148.20.57.4/30
,148.20.57.8/30
, ...
Der nächstgrößerer Block ist 8. Die können wie folgend sein:
148.20.57.0 - 148.20.57.7
,148.20.57.8 - 148.20.57.15
,148.20.57.16 - 148.20.57.23
, ...
In this block of 8 numbers only 6 can be assigned to a computer as, once again, the first and last numbers in a block are reserved for specific uses in network communication. These can also be expressed as follows:
148.20.57.0/29
,148.20.57.8/29
,148.20.57.16/29
, ...
From this point on, the number of IP addresses in a block continues to double: 16, 32, 64, 128, 256, etc.
- Ein Block von 16 würde bei
148.20.57.0/28
beginnen. - Ein Block von 32 würde bei
148.20.57.0/27
beginnen. - Ein Block von 64 würde bei
148.20.57.0/26
beginnen. - Ein Block von 128 würde bei
148.20.57.0/25
beginnen. - Ein Block von 256 würde bei
148.20.57.0/24
beginnen.
So if you have an IP address and you want to block the range assigned how do you know which one to use?
Let's say you have a problem with 148.20.57.34
.
You can look up who has this IP address at http://arin.net/whois/?queryinput=148.20.57.34.
Say this tells us that this IP address is assigned, along with a LOT of others in a /17
range, to the Department of Defense.
We certainly don't want to block a large block of the DoD!
The rule of thumb is block as little as possible.
Only block a range if there is a cluster of IP addresses giving a problem.
There's a calculator that is very useful for this:
Go to this site and enter 148.20.57.34
into the first set of blanks.
Now select Network Prefix Length and enter 27
(this will give a block of 32 addresses) and click Calculate Network Information.
This will show us a block of 32 IP addresses that include 148.20.57.34
.
(The first—network and the last—broadcast addresses will be displayed along with the usable addresses in the range.)
You can use this tool to test ranges to be sure they are what you want before entering the information to initiate the block.
Technische Erklärung
CIDR notation is written as the IP address, a slash, and the CIDR suffix (for example, the IPv4 "10.2.3.41/24
" or IPv6 "a3:bc00::/24
").
The CIDR suffix is the number of starting digits every IP address in the range have in common when written in binary.
For example: "10.10.1.32
" is binary "00001010.00001010.00000001.00100000
", so 10.10.1.32/27
will match the first 27 digits ("00001010.00001010.00000001.00100000
").
The IP addresses 10.10.1.32
–10.10.1.63
, when converted to binary, all have the same 27 first digits and will be blocked if 10.10.1.32/27
is blocked.
As the CIDR suffix increases, the block affects fewer IP addresses (see table of sample ranges). CIDR suffixes are not the same for IPv4 addresses as they are for IPv6 addresses; the same CIDR suffix in IPv4 blocks =79,228,162,514,264,337,593,543,950,336 times as many addresses in IPv6.
Calculating the CIDR suffix
You can use the table of sample ranges below to guess the range, use a computer script, or manually calculate the range.
Umwandlung in Binär
The first step in manually calculating a range is to convert the first and last IP address to binary representation. (This assumes you're not using a computer script, which can probably calculate the range for you anyway.) An IP address is composed of four groups of eight ones and zeros. Each group represents a number from 0 to 255. To convert a number to binary, you can use a reference table or know the value of each binary digit:
Binärzahl: | 1 1 1 1 1 1 1 1
|
Wert: | 128 64 32 16 8 4 2 1
|
Proceeding from left to right, fill in 1
if the number is at least that value, and subtract that value (if it's not, fill in 0
and don't subtract).
Zum Beispiel, um 240 zu berechnen.
- 240 ist mindestens 128, also setze
1
und subtrahiere 128. - 112 (240-128) ist mindestens 64, also setze
1
und subtrahiere 64. - 48 (112-64) ist mindestens 32, also setze
1
und subtrahiere 32. - 16 (48-32) ist mindestens 16, also setze
1
und subtrahiere 16. - Da der übrig gebliebene Wert null ist, sind die restlichen Stellen
0
.
Thus, 240 is 1111 0000
because it can be represented as 128+64+32+16+0+0+0+0.
Calculate range
- Place both IP addresses one atop the other, and count how many starting digits are exactly alike. This is the CIDR suffix.
- Double-check! Being off by one digit could extend your block by thousands of addresses.
The example below calculates the CIDR range between 69.208.0.0
and 69.208.0.255
.
Note that this is a simple example; some groups of IP addresses do not so neatly fit CIDR suffixes, and need multiple different-sized blocks to block the exact range.
- IP-Adressen:
69.208.0.0
69.208.0.255
- Zu Binär umwandeln:
0100 0101.1101 0000.0000 0000.0000 0000
0100 0101.1101 0000.0000 0000.1111 1111
- Zähle identische erste Zahlen:
0100 0101.1101 0000.0000 0000.0000 0000
0100 0101.1101 0000.0000 0000.1111 1111
|____________________________|
24 Ziffern
- CIDR range:
69.208.0.0/24
Tabelle der Beispielreichweiten
The table below shows the IPv4 blocks each CIDR suffix affects. Note that MediaWiki only supports blocking CIDR suffixes 16 - 32 in IPv4 and 19 (formerly 64) - 128 in IPv6 by default (subject to $wgBlockCIDRLimit ). See /IPv6 for an IPv6 range table.
CIDR | Startbereich | Endbereich | Anzahl der Adressen | Bits ausgewählt in der IP-Adresse |
---|---|---|---|---|
69.208.0.0/0 | 0.0.0.0 | 255.255.255.255 | 4.294.967.296 | ********.********.********.******** |
69.208.0.0/1 | 0.0.0.0 | 127.255.255.255 | 2.147.483.648 | 0*******.********.********.******** |
69.208.0.0/4 | 64.0.0.0 | 79.255.255.255 | 268.435.456 | 0100****.********.********.******** |
69.208.0.0/8 | 69.0.0.0 | 69.255.255.255 | 16.777.216 | 01000101.********.********.******** |
69.208.0.0/11 | 69.192.0.0 | 69.223.255.255 | 2.097.152 | 01000101.110*****.********.******** |
69.208.0.0/12 | 69.208.0.0 | 69.223.255.255 | 1.048.576 | 01000101.1101****.********.******** |
69.208.0.0/13 | 69.208.0.0 | 69.215.255.255 | 524.288 | 01000101.11010***.********.******** |
69.208.0.0/14 | 69.208.0.0 | 69.211.255.255 | 262.144 | 01000101.110100**.********.******** |
69.208.0.0/15 | 69.208.0.0 | 69.209.255.255 | 131.072 | 01000101.1101000*.********.******** |
69.208.0.0/16 | 69.208.0.0 | 69.208.255.255 | 65.536 | 01000101.11010000.********.******** |
69.208.0.0/17 | 69.208.0.0 | 69.208.127.255 | 32.768 | 01000101.11010000.0*******.******** |
69.208.0.0/18 | 69.208.0.0 | 69.208.63.255 | 16.384 | 01000101.11010000.00******.******** |
69.208.0.0/19 | 69.208.0.0 | 69.208.31.255 | 8.192 | 01000101.11010000.000*****.******** |
69.208.0.0/20 | 69.208.0.0 | 69.208.15.255 | 4.096 | 01000101.11010000.0000****.******** |
69.208.0.0/21 | 69.208.0.0 | 69.208.7.255 | 2.048 | 01000101.11010000.00000***.******** |
69.208.0.0/22 | 69.208.0.0 | 69.208.3.255 | 1.024 | 01000101.11010000.000000**.******** |
69.208.0.0/23 | 69.208.0.0 | 69.208.1.255 | 512 | 01000101.11010000.0000000*.******** |
69.208.0.0/24 | 69.208.0.0 | 69.208.0.255 | 256 | 01000101.11010000.00000000.******** |
69.208.0.0/25 | 69.208.0.0 | 69.208.0.127 | 128 | 01000101.11010000.00000000.0******* |
69.208.0.0/26 | 69.208.0.0 | 69.208.0.63 | 64 | 01000101.11010000.00000000.00****** |
69.208.0.0/27 | 69.208.0.0 | 69.208.0.31 | 32 | 01000101.11010000.00000000.000***** |
69.208.0.0/28 | 69.208.0.0 | 69.208.0.15 | 16 | 01000101.11010000.00000000.0000**** |
69.208.0.0/29 | 69.208.0.0 | 69.208.0.7 | 8 | 01000101.11010000.00000000.00000*** |
69.208.0.0/30 | 69.208.0.0 | 69.208.0.3 | 4 | 01000101.11010000.00000000.000000** |
69.208.0.0/31 | 69.208.0.0 | 69.208.0.1 | 2 | 01000101.11010000.00000000.0000000* |
69.208.0.0/32 | 69.208.0.0 | 69.208.0.0 | 1 | 01000101.11010000.00000000.00000000 |
Standardbegrenzung
The default MediaWiki installation limits range blocks to no larger than /16 IPv4 rangeblocks (65,536 addresses). To block larger ranges $wgBlockCIDRLimit needs to be set accordingly in LocalSettings.php .
Bekannte Probleme
One important already-known problem caused by any range-block, is that as side-effect they also block some trusted registered groups, like wiki administrators, users who do not need to be patrolled by others, and trusted bots. Details: phabricator:T309328
Einzelnachweise
Externe Links
- Netmask calculator which helps in making the correct decision for range blocks.
- Subnet Calculator can help calculate prefix length and subnet mask for IPv4 and IPv6.
- toolforge:ftools/general/ip-range-calc.html gives you the range you should use when blocking.
- IPv4 and CIDR Calculator gives you a breakdown of Hosts and IP Range for any Given Mask/CIDR and reverse.