I have created a new global hiera object called abuse_networks which is available in the private repo. This block is currently used to add an iptables DROP rule on an opt-in basis, as well as the ACL rules used in the caching layer.
Currently the mod security solution is deployed on people, gerrit and phab; we could update those machines so that they opt into the iptables blocking method mentioned above, or we could update profile::waf::apache2::administrative to build the admin2 and admin3 files using data present in the abuse_networks object. However, before going down that route I wanted to understand the difference between admin2 and admin3. Currently users in the former get a 501 and users in the latter get a 500, neither of which seems right, and I couldn't find an explanation of the difference. Further, the admin2 and admin3 files still contain a very large amount of address space from a previous incident. Is this list still valid, or can we revise and reduce it? In its current form, I think it's far too overreaching to be used on the caching layer.