User:WJBscribe/Range blocks

Theresa knott's guide to range blocks, retrieved from.

How not to do it
It is important that you do not try to block ranges of addresses unless you are really sure of what you are doing. You could end up blocking far more people than you intended!

The best way to explain how to do a range block is by example. Let's say for example you want to block IPs:


 * 208.147.11.2 --> 208.147.11.16     (i.e. 15 addresses)

You might think 208.147.11.2/16 would do the trick. You'd be very wrong! This would actually block:


 * 208.147.0.0 --> 208.147.255.255    (that's 2^16 = 65,536 addresses!)

This is because the /16 specifies the number of leading bits that must match; the remaining 16 bits are ignored, so the .11.2 part of what you typed makes no difference at all. Now you know what not to do, let's look at what you should do.

Technical preamble
An IP address is usually written in dotted decimal notation to make it easy for humans to read, but it is actually a 32 bit binary number. For example


 * 208.147.11.2 can be written as 11010000100100110000101100000010

(You can see why the dotted decimal notation is preferred by humans! But machines only understand binary.) The dotted decimal notation splits these 32 bits up into four blocks of 8 and then writes each 8 bit binary number as its decimal value (0 to 255).

The /16 means only take the first 16 bits into account, i.e. 1101000010010011 (208.147.foo.bar). The block will block any address that starts 208.147. no matter what the rest of the digits read.

Likewise a /24 will include the first 24 bits (the first three numbers of the dotted decimal). So 208.147.11.0/24 will block


 * 208.147.11.0 --> 208.147.11.255 inclusive

How to actually work out the block
A /16 and a /24 are easy to see what will happen (because they are multiples of 8): they will block all addresses that have the first 2 (or 3) sections of the dotted decimal IP address in common. Likewise a /8 would block 256^3 = 2^24 = 16,777,216 addresses (except that you are not allowed to do a /8, as it would cut out far too many people in one go). Sometimes, however, you may not want to block as many as 256 addresses. If we take our earlier example you may only want to block 208.147.11.2 --> 208.147.11.16. In this case you need to actually write out the binary expansion of the last number in the dotted decimal address. Let's look at how you do that.


 * Write out the following

128 64  32  16  8  4  2  1

Underneath, work out the binary digits of the last number of the first and last addresses (each column is the value of that bit; the digits add up to the decimal value):

128  64  32  16   8   4   2   1
  0   0   0   0   0   0   1   0    (.2)
  0   0   0   1   0   0   0   0    (.16)

As you can see, the first and last numbers differ only in the last 5 binary digits: the first three digits (the 128, 64 and 32 columns) are identical. Together with the 24 bits of 208.147.11 that gives 27 bits in common, so a suitable block would be 208.147.11.0/27. Note that this would still block some innocent addresses. For example 00011101 (.29) would be blocked. In fact this block will block a total of 32 addresses (2^5, one for every combination of the 5 ignored bits), which is a lot better than blocking 256. If you're really worried you could block 208.147.11.0/28 (which would block .0 to .15) and then block 208.147.11.16 separately; that catches only .0 and .1 as innocents.

Another example

Just to make sure, let's do another one. Suppose you want to block


 * 121.22.98.187 --> 121.22.98.194

Note the first three numbers of the address are the same, so /24 would certainly block everything you want, but again it would block a whole lot more as well. So let's write out 187 and 194 as binary numbers:

128  64  32  16   8   4   2   1
  1   0   1   1   1   0   1   1    (.187)
  1   1   0   0   0   0   1   0    (.194)

They have an identical first digit but differ after that, so 121.22.98.128/25 should do the trick (24 bits of 121.22.98 plus the one shared bit; the .128 is because we set all of the last seven digits to 0). But note that this blocks 128 addresses when we only want to block 8.

Here splitting the range block into two or more smaller blocks may be a better strategy. For example, if we use a /29 block we will lose the last 3 binary digits. Setting the last three digits of .187 to zero gives .184, and 121.22.98.184/29 will block .184 --> .191. That leaves .192 --> .194, which we could block individually, or we could do 121.22.98.192/30, which blocks .192 --> .195. We still have a few innocent addresses caught up in the blocks (.184, .185, .186 and .195; .187 is part of the range we wanted), but not nearly as many as with a /24 or a /25.
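The whole procedure above, from writing out the binary digits to choosing between one wide block and a handful of tight ones, as an added worked example in Python. This is not part of Theresa knott's guide; it uses only the standard library, the function names are my own, and it goes slightly beyond the text by splitting a range into the fewest blocks that catch no innocents at all (so you can compare that against the /29 + /30 split the text settles for).

```python
"""Work out wiki range blocks for a contiguous IPv4 range.

Added worked example, not part of Theresa knott's guide. Standard library
only; the function names are my own. Python 3.9+.
"""
from __future__ import annotations

import ipaddress


def to_binary(ip: str) -> str:
    """32-bit binary expansion of a dotted-decimal address, one octet per group."""
    return " ".join(f"{int(octet):08b}" for octet in ip.split("."))


def block_extent(cidr: str) -> tuple[str, str, int]:
    """First address, last address and size of a CIDR block.

    strict=False does what a wiki does with 208.147.11.2/16: the bits after
    the prefix are thrown away, so the block silently becomes 208.147.0.0/16.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1]), net.num_addresses


def smallest_single_block(first: str, last: str) -> tuple[str, int]:
    """The one CIDR block covering first..last (the /27 and /25 of the text).

    The prefix length is the number of leading bits the two addresses share.
    Returns the block and the number of innocent addresses it drags in.
    """
    a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    if a > b:
        raise ValueError("first address must not be after last")
    prefix = 32
    while prefix > 0 and (a >> (32 - prefix)) != (b >> (32 - prefix)):
        prefix -= 1
    net = ipaddress.ip_network((a, prefix), strict=False)
    return str(net), net.num_addresses - (b - a + 1)


def exact_blocks(first: str, last: str) -> list[str]:
    """Fewest CIDR blocks covering first..last with no innocents at all.

    Same idea as the /29 + /30 split in the text, carried to the end: from
    the current start, take the largest block that is aligned there and
    does not overshoot the end, then continue from the next address.
    """
    a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    if a > b:
        raise ValueError("first address must not be after last")
    blocks = []
    while a <= b:
        prefix = 32
        while prefix > 0:
            size = 1 << (32 - (prefix - 1))  # size of the next bigger block
            if a % size != 0 or a + size - 1 > b:
                break
            prefix -= 1
        blocks.append(str(ipaddress.ip_network((a, prefix))))
        a += 1 << (32 - prefix)
    return blocks


def innocents(blocks: list[str], first: str, last: str) -> list[str]:
    """Addresses the given blocks hit that lie outside first..last."""
    a, b = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [
        str(ip)
        for cidr in blocks
        for ip in ipaddress.ip_network(cidr, strict=False)
        if not a <= int(ip) <= b
    ]


def matches_stdlib(first: str, last: str) -> bool:
    """Cross-check exact_blocks against ipaddress.summarize_address_range."""
    stdlib = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
    return exact_blocks(first, last) == [str(n) for n in stdlib]


if __name__ == "__main__":
    for first, last in [("208.147.11.2", "208.147.11.16"),
                        ("121.22.98.187", "121.22.98.194")]:
        print(first, "=", to_binary(first))
        print(last, "=", to_binary(last))
        print("  single block:", smallest_single_block(first, last))
        print("  exact blocks:", exact_blocks(first, last))
    print("208.147.11.2/16 really blocks", block_extent("208.147.11.2/16"))
    print("the text's /29 + /30 split also catches",
          innocents(["121.22.98.184/29", "121.22.98.192/30"],
                    "121.22.98.187", "121.22.98.194"))
```

Run it as a script and it prints the binary expansions, the single wide block with its innocent count, and the exact split for both ranges in the text. The trade-off is the same one the text describes: the exact split of .187 --> .194 needs four blocks (/32, /30, /31, /32) for zero innocents, where the text's two blocks cost four innocents. Whichever you choose, check the result with innocents() before applying it, and remember that the wiki will silently discard the host bits of whatever you type (block_extent shows what it really blocks).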

Can't be bothered to work all this stuff out manually? Don't worry, there are tools on the net that do all the hard work for you, e.g. a netmask calculator.

Final words of advice
If you've read the above and think you understand what to do, then do so cautiously. Post a note at the village pump/staff lounge (or whatever the general meeting place is on your wiki) explaining what you have done so that other users can check you haven't done something silly (Like blocking all AOL users).