Does Discourse handle blocking of IPv6 okay?


(Theo) #1

We’ve got a troll who keeps coming back and it’s true that he has a new IP each time but it’s relatively easy for me to spot him and stop him based on his location coming up and his style. Mostly he has IPv6 IPs

What I noticed was that Screened IPs shows a couple of his:

But they’re not the full IP. When I put 2001 into the Search box on the top right it brings up nothing, whereas if I do, say, ‘81’, I get a couple of IPv4s come up.

Anyway, all of his IPv6 addresses begin
2001:2012:208:2a00
so I’d like to do a block mask on that basis but I’m not sure if masks are possible but I assume they are. However, since the full IP isn’t showing on this screen I wasn’t sure what that meant in terms of doing such a block?

Thanks


(Theo) #2

Apologies, if I click to edit I see the full IP with a /128 at the end, so maybe I can mask ban?


(Jeff Atwood) #3

Yes, in fact repeated spam blocks will automatically roll up IP address blocks to increasingly large subnets, such as 255.255.255.* and 255.255.*.*

I’m not sure what this code does with IPv6 though… cc @mpalmer @zogstrip


(Régis Hanol) #4

I reckon I didn’t test IPv6 blocks. Added to my list.


(Michael Brown) #5

I can confirm that if you add a block for an IPv6 range (e.g. 2001:2012:208:2a00::/64) it’ll work as expected:

image

but we do need to fix search and the column width.

As for the automatic roll-up, we probably want to do something like:

  • if we have ≥3 blocks in the same IPv6 /64, then summarize to blocking that /64

(Theo) #6

Thanks a lot for this.

I did briefly try one with four stars in between the remaining colon blocks and /128 at the end but it was rejected as in error.