
Allow single IPs to be whitelisted out of a globally blocked range
Closed, Duplicate
Public

Description

We're globally blocking colo subnets containing spambots/open proxies/anonymization services. It would be *so* needed to be able to whitelist a single IP included in a globally blocked range, so we'll be able to allow people with legit VPNs to edit, without any breach in our antispam strategy.

NOTE: in my steward's capacity I, for one, would need such a feature at least twice a week.

Event Timeline

Vituzzu raised the priority of this task from to Needs Triage.
Vituzzu updated the task description.
Vituzzu subscribed.
Vituzzu set Security to None.

Isn't that why we have IP block exemption?

If we have one valid user, then we usually have many others, so I would prefer that we break the block down to smaller ranges, use soft blocks, etc.

Isn't that why we have IP block exemption?

Which means a user can use any blocked IP; whitelisting a single IP, we'll allow users to use a single blocked IP.
Also it will work with organizations using VPS endpoints.

If we have one valid user, then we usually have many others, so I would prefer that we break the block down to smaller ranges, use soft blocks, etc.

Breaking blocks increases administrative overhead, while soft blocks lower security.

If we are having valid users being blocked continually, then the blocks are too broad and/or too harsh. The purpose of a block is to try to find the sweet spot for protection and editing. Too harsh a block is punitive and to me sounds as though maybe a series of smaller blocks. Too harsh a block has far broader impact than too soft a block.

If we are having valid users being blocked continually, then the blocks are too broad and/or too harsh.

Nope, most of the time it means they have a certain kind of network infrastructure.

I know this doesn't answer the entire question (since I assume you're wanting to white list an IP within the range globally) this 'does' work if on a local white list basis right? (a local admin could white list 1 IP in a global block range for the local wiki). I have not tried this, so it may not work, but logically I feel it 'would'.

Glaisher added a project: GlobalBlocking.
Glaisher subscribed.

I know this doesn't answer the entire question (since I assume you're wanting to white list an IP within the range globally) this 'does' work if on a local white list basis right? (a local admin could white list 1 IP in a global block range for the local wiki). I have not tried this, so it may not work, but logically I feel it 'would'.

Logically, one would expect it to work that way but only IP addresses or ranges that are globally blocked can be whitelisted. It's not possible to whitelist a subset of it even locally. I have filed T121098.
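
The difference between the behaviour described in the last comment (a whitelist entry only counts when it is identical to the blocked target) and the behaviour requested in the task (a single IP carved out of a blocked range) can be modelled as follows. This is an added example, not code from the GlobalBlocking extension; the function names are hypothetical and the addresses are constructed documentation ranges.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges), not real block entries.
GLOBAL_BLOCKS = ["203.0.113.0/24", "198.51.100.7"]


def _net(target):
    """Parse a single IP or a CIDR range into a network object."""
    return ipaddress.ip_network(target, strict=False)


def blocking_range(ip, blocks):
    """Return the most specific blocked target that covers ip, or None."""
    addr = ipaddress.ip_address(ip)
    hits = [_net(b) for b in blocks if addr in _net(b)]
    return max(hits, key=lambda n: n.prefixlen, default=None)


def is_blocked_exact_match(ip, blocks, whitelist):
    """Model of the described behaviour: an exemption lifts a block only
    when it names exactly the blocked IP or range, never a subset of it."""
    hit = blocking_range(ip, blocks)
    if hit is None:
        return False
    return hit not in {_net(w) for w in whitelist}


def is_blocked_with_subset_exemptions(ip, blocks, whitelist):
    """Model of the requested behaviour: an exemption may be a single IP
    or sub-range, and it only applies if it lies inside the blocking range,
    so it can never exempt more than the block itself covers."""
    hit = blocking_range(ip, blocks)
    if hit is None:
        return False
    addr = ipaddress.ip_address(ip)
    for entry in whitelist:
        net = _net(entry)
        if addr in net and net.subnet_of(hit):
            return False
    return True


if __name__ == "__main__":
    vpn_ip = "203.0.113.45"  # constructed: one legitimate endpoint in a blocked range
    print(is_blocked_exact_match(vpn_ip, GLOBAL_BLOCKS, [vpn_ip]))
    print(is_blocked_with_subset_exemptions(vpn_ip, GLOBAL_BLOCKS, [vpn_ip]))
```

In the subset-aware model the neighbouring addresses in the range stay blocked, which is the property the task description asks for.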