Hilfe:Bereichssperren

This page is a translated version of the page Help:Range blocks and the translation is 47% complete.
PD Hinweis: Wenn Du diese Seite bearbeitest, stimmst Du zu, dass Dein Beitrag unter der [CC0] veröffentlicht wird. Mehr Informationen findest du auf der Public Domain Hilfeseite. PD
Siehe Hilfe:Bereichsblöcke/IPv6 für Informationen zu IPv6-Bereichssperren.

Bereichssperren sind technische Einschränkungen, die durch Special:Block an einer Gruppe von IP-Adressen vorgenommen werden, um diese an Bearbeitungen, Accounterstellungen, E-Mail-Versand oder anderen Aktionen zu hindern. Die Option "Sperre anwenden auf angemeldete Benutzer unter deren IP-Adresse" verhindert, dass die Sperre durch eingeloggte Benutzer umgangen werden kann.

Um einen IP-Bereich von Special:Block aus zu sperren, gib die erste IP-Adresse im Bereich ein, gefolgt von einem Schrägstrich und einem Classless inter-domain routing-Suffix (CIDR). Du solltest es vermeiden, Bereichssperren durchzuführen, es sei denn, du verstehst, was du tust, ansonsten könnten am Ende Zehntausende oder sogar Millionen von Menschen blockiert sein, die nicht das Problem sind!

Dieser Artikel behandelt hauptsächlich IPv4; IPv6-Blöcke funktionieren ähnlich, haben aber unterschiedliche Auswirkungen – siehe /IPv6.

Nicht-technische Erklärung

IP-Adressen werden in verschiedene Blöcke von Nummern aufgeteilt. Ein Beispiel dafür wäre 148.20.57.0 bis 148.20.57.255. Sobald sie 255 erreicht, ist die nächste Zahl 148.20.58.0.

IP-Adressen können in kleinere oder größere Blöcke aufgeteilt werden. Der kleinste praktischer Block ist ein 4er-Block. Dies könnte eines der Folgenden sein:

148.20.57.0 - 148.20.57.3,
148.20.57.4 - 148.20.57.7,
148.20.57.8 - 148.20.57.11, ...

Von jedem aus vier Nummern bestehendem Block können nur zwei an einen Computer vergeben werden. Die ersten und letzten Zahlen eines Blocks sind für die Netzwerkkommunikation reserviert. These are level 30 blocks and can be expressed like this:

148.20.57.0/30,
148.20.57.4/30,
148.20.57.8/30, ...

Der nächstgrößerer Block ist 8. Die können wie folgend sein:

148.20.57.0 - 148.20.57.7,
148.20.57.8 - 148.20.57.15,
148.20.57.16 - 148.20.57.23, ...

In this block of 8 numbers only 6 can be assigned to a computer as, once again, the first and last numbers in a block are reserved for specific uses in network communication. These can also be expressed as follows:

148.20.57.0/29,
148.20.57.8/29,
148.20.57.16/29, ...

From this point on, the number of IP addresses in a block continues to double: 16, 32, 64, 128, 256, etc.

Ein Block von 16 würde bei 148.20.57.0/28 beginnen.
Ein Block von 32 würde bei 148.20.57.0/27 beginnen.
Ein Block von 64 würde bei 148.20.57.0/26 beginnen.
Ein Block von 128 würde bei 148.20.57.0/25 beginnen.
Ein Block von 256 würde bei 148.20.57.0/24 beginnen.

So if you have an IP address and you want to block the range assigned how do you know which one to use? Let's say you have a problem with 148.20.57.34. You can look up who has this IP address at http://arin.net/whois/?queryinput=148.20.57.34. Say this tells us that this IP address is assigned, along with a LOT of others in a /17 range, to the Department of Defense. We certainly don't want to block a large block of the DoD! The rule of thumb is block as little as possible. Only block a range if there is a cluster of IP addresses giving a problem.

There's a calculator that is very useful for this:

toolforge:ftools/general/ip-range-calc.html

Go to this site and enter 148.20.57.34 into the first set of blanks. Now select Network Prefix Length and enter 27 (this will give a block of 32 addresses) and click Calculate Network Information. This will show us a block of 32 IP addresses that include 148.20.57.34. (The first—network and the last—broadcast addresses will be displayed along with the usable addresses in the range.) You can use this tool to test ranges to be sure they are what you want before entering the information to initiate the block.

Technische Erklärung

CIDR notation is written as the IP address, a slash, and the CIDR suffix (for example, the IPv4 "10.2.3.41/24" or IPv6 "a3:bc00::/24"). The CIDR suffix is the number of starting digits every IP address in the range have in common when written in binary.

For example: "10.10.1.32" is binary "00001010.00001010.00000001.00100000", so 10.10.1.32/27 will match the first 27 digits ("00001010.00001010.00000001.00100000"). The IP addresses 10.10.1.3210.10.1.63, when converted to binary, all have the same 27 first digits and will be blocked if 10.10.1.32/27 is blocked.

As the CIDR suffix increases, the block affects fewer IP addresses (see table of sample ranges). CIDR suffixes are not the same for IPv4 addresses as they are for IPv6 addresses; the same CIDR suffix in IPv4 blocks 296=79,228,162,514,264,337,593,543,950,336 times as many addresses in IPv6.

Calculating the CIDR suffix

You can use the table of sample ranges below to guess the range, use a computer script, or manually calculate the range.

Umwandlung in Binär

The first step in manually calculating a range is to convert the first and last IP address to binary representation. (This assumes you're not using a computer script, which can probably calculate the range for you anyway.) An IP address is composed of four groups of eight ones and zeros. Each group represents a number from 0 to 255. To convert a number to binary, you can use a reference table or know the value of each binary digit:

Binärzahl:   1   1   1   1   1   1   1   1
Wert: 128  64  32  16   8   4   2   1

Proceeding from left to right, fill in 1 if the number is at least that value, and subtract that value (if it's not, fill in 0 and don't subtract). Zum Beispiel, um 240 zu berechnen.

  1. 240 ist mindestens 128, also setze 1 und subtrahiere 128.
  2. 112 (240-128) ist mindestens 64, also setze 1 und subtrahiere 64.
  3. 48 (112-64) ist mindestens 32, also setze 1 und subtrahiere 32.
  4. 16 (48-32) ist mindestens 16, also setze 1 und subtrahiere 16.
  5. Da der übrig gebliebene Wert null ist, sind die restlichen Stellen 0.

Thus, 240 is 1111 0000 because it can be represented as 128+64+32+16+0+0+0+0.

Calculate range

  1. Place both IP addresses one atop the other, and count how many starting digits are exactly alike. This is the CIDR suffix.
  2. Double-check! Being off by one digit could extend your block by thousands of addresses.

The example below calculates the CIDR range between 69.208.0.0 and 69.208.0.255. Note that this is a simple example; some groups of IP addresses do not so neatly fit CIDR suffixes, and need multiple different-sized blocks to block the exact range.

IP-Adressen:
  69.208.0.0
  69.208.0.255
Zu Binär umwandeln:
  0100 0101.1101 0000.0000 0000.0000 0000
  0100 0101.1101 0000.0000 0000.1111 1111
Zähle identische erste Zahlen:
  0100 0101.1101 0000.0000 0000.0000 0000
  0100 0101.1101 0000.0000 0000.1111 1111
  |____________________________|
            24 Ziffern
CIDR range:
  69.208.0.0/24

Tabelle der Beispielreichweiten

The table below shows the IPv4 blocks each CIDR suffix affects. Note that MediaWiki only supports blocking CIDR suffixes 16 - 32 in IPv4 and 19 (formerly 64) - 128 in IPv6 by default (subject to $wgBlockCIDRLimit ). See /IPv6 for an IPv6 range table.

Example IP4 ranges
CIDR Startbereich Endbereich Anzahl der Adressen Bits ausgewählt in der IP-Adresse
69.208.0.0/0 0.0.0.0 255.255.255.255 4.294.967.296 ********.********.********.********
69.208.0.0/1 0.0.0.0 127.255.255.255 2.147.483.648 0*******.********.********.********
69.208.0.0/4 64.0.0.0 79.255.255.255 268.435.456 0100****.********.********.********
69.208.0.0/8 69.0.0.0 69.255.255.255 16.777.216 01000101.********.********.********
69.208.0.0/11 69.192.0.0 69.223.255.255 2.097.152 01000101.110*****.********.********
69.208.0.0/12 69.208.0.0 69.223.255.255 1.048.576 01000101.1101****.********.********
69.208.0.0/13 69.208.0.0 69.215.255.255 524.288 01000101.11010***.********.********
69.208.0.0/14 69.208.0.0 69.211.255.255 262.144 01000101.110100**.********.********
69.208.0.0/15 69.208.0.0 69.209.255.255 131.072 01000101.1101000*.********.********
69.208.0.0/16 69.208.0.0 69.208.255.255 65.536 01000101.11010000.********.********
69.208.0.0/17 69.208.0.0 69.208.127.255 32.768 01000101.11010000.0*******.********
69.208.0.0/18 69.208.0.0 69.208.63.255 16.384 01000101.11010000.00******.********
69.208.0.0/19 69.208.0.0 69.208.31.255 8.192 01000101.11010000.000*****.********
69.208.0.0/20 69.208.0.0 69.208.15.255 4.096 01000101.11010000.0000****.********
69.208.0.0/21 69.208.0.0 69.208.7.255 2.048 01000101.11010000.00000***.********
69.208.0.0/22 69.208.0.0 69.208.3.255 1.024 01000101.11010000.000000**.********
69.208.0.0/23 69.208.0.0 69.208.1.255 512 01000101.11010000.0000000*.********
69.208.0.0/24 69.208.0.0 69.208.0.255 256 01000101.11010000.00000000.********
69.208.0.0/25 69.208.0.0 69.208.0.127 128 01000101.11010000.00000000.0*******
69.208.0.0/26 69.208.0.0 69.208.0.63 64 01000101.11010000.00000000.00******
69.208.0.0/27 69.208.0.0 69.208.0.31 32 01000101.11010000.00000000.000*****
69.208.0.0/28 69.208.0.0 69.208.0.15 16 01000101.11010000.00000000.0000****
69.208.0.0/29 69.208.0.0 69.208.0.7 8 01000101.11010000.00000000.00000***
69.208.0.0/30 69.208.0.0 69.208.0.3 4 01000101.11010000.00000000.000000**
69.208.0.0/31 69.208.0.0 69.208.0.1 2 01000101.11010000.00000000.0000000*
69.208.0.0/32 69.208.0.0 69.208.0.0 1 01000101.11010000.00000000.00000000

Standardbegrenzung

The default MediaWiki installation limits range blocks to no larger than /16 IPv4 rangeblocks (65,536 addresses). To block larger ranges $wgBlockCIDRLimit needs to be set accordingly in LocalSettings.php .

Bekannte Probleme

One important already-known problem caused by any range-block, is that as side-effect they also block some trusted registered groups, like wiki administrators, users who do not need to be patrolled by others, and trusted bots. Details: phabricator:T309328

Einzelnachweise

  • Subnet Calculator can help calculate prefix length and subnet mask for IPv4 and IPv6.