Error - You cannnot ban this IP - it is non-routable!

Started by russian_knight, June 22, 2004, 08:56:27 PM


russian_knight

Hello. I got this message when I want to ban IP 10.151.112.26, for example. Why?
Thanks a lot!

Nibbler

Because the internet standard RFC 1918 defines 10.xxx.xxx.xxx addresses to be private LAN addresses, and they are not real internet addresses. If you like you can remove '10.', from the $illegal_ip array in banning.php, to allow Coppermine to set a ban, but I'm not sure if it will work, the restriction is probably there for a good reason.

omniscientdeveloper

I vote to remove any unroutable IPs from the ban list, just in case someone uses Coppermine for an intranet site that's set up on local IPs.


-omni

Joachim Müller

I added the non-routables to the ban list deliberately to avoid stupid users banning a lot of people. Imagine a silly person banning 192.168.x.x (the most common among home users afaik) - it would result in millions of PCs being banned.
But I'll add a switch in config to make it an admin settable option if you agree.

Gaugau

russian_knight

Quote from: GauGau on June 23, 2004, 05:42:02 AM
But I'll add a switch in config to make it an admin settable option if you agree.

Thank you. It will be nice if you post a message here when you do it, so I could get this file from CVS.

Yes, I'm using Coppermine in a LAN and we all have these addresses.

By the way, in which units (min\hour\day\week) must I add the expiry of a ban?

Joachim Müller

just edit banning.php, find
$illegal_ip = array('192.168.','10.','172.16.','172.17.','172.18.','172.19.','172.20.','172.21.','172.22.','172.23.','172.24.','172.25.','172.26.','172.27.','172.28.','172.29.','172.30.','172.31.','169.254.','127.', '192.0.','1.0.0.0','204.152.64.','204.152.65.');
and remove those entries from the list you want to be able to ban.

GauGau
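
The check discussed in this thread, written with CIDR ranges instead of string prefixes and with the admin switch proposed above, as an added example that is not Coppermine's code. The function names, the `$allowPrivate` parameter and the rule that loopback is always refused are assumptions of this example; the sample addresses are constructed except for the one from the first post, and only IPv4 is handled.

```php
<?php
// Added example, not Coppermine code. All names here are hypothetical.

// Non-routable IPv4 blocks in CIDR form: RFC 1918 private ranges,
// loopback and link-local.
const NON_ROUTABLE_BLOCKS = [
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',
    '127.0.0.0/8', '169.254.0.0/16',
];

/** True if the IPv4 address $ip lies inside the block $cidr. */
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$network, $bits] = explode('/', $cidr);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($network);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    // -1 is all ones; shifting left clears the host bits of the mask.
    $mask = -1 << (32 - (int) $bits);
    return ($ipLong & $mask) === ($netLong & $mask);
}

/**
 * Decide whether a ban on $ip may be stored.
 * $allowPrivate models the admin switch for galleries served on a LAN.
 * Loopback stays refused either way (a choice made for this example).
 */
function check_ban_target(string $ip, bool $allowPrivate = false): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return 'invalid address';
    }
    if (ip_in_cidr($ip, '127.0.0.0/8')) {
        return 'refused: loopback';
    }
    foreach (NON_ROUTABLE_BLOCKS as $block) {
        if (ip_in_cidr($ip, $block)) {
            return $allowPrivate ? 'ok' : 'refused: non-routable';
        }
    }
    return 'ok';
}

// 10.151.112.26 is the address from the first post; the rest are constructed.
foreach (['10.151.112.26', '172.32.0.1', '192.168.1.20', '127.0.0.1', '203.0.113.7'] as $ip) {
    printf("%-15s internet mode: %-22s LAN mode: %s\n",
        $ip, check_ban_target($ip), check_ban_target($ip, true));
}
```

On a gallery hosted on the internet, a visitor from behind NAT arrives with the NAT device's public address, so the private addresses refused here would not appear as visitor addresses in the first place.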

omniscientdeveloper

Quote
it would result in millions of pc's being banned.

Not so. 192.168.x.x, 10.x.x.x, etc. don't get routed. Hence, unless Coppermine is installed somewhere local to the user's computer, a LAN (not WAN), their computer won't be blocked. I have a 192 network set up at home, but my INTERNET IP is totally different. The IP being stored on my router makes all my computers look like the same computer to the internet. If this IP is blocked, then none of my computers on my LAN can access the site. So, blocking (or not being able to block) unroutable IPs only affects users that have Coppermine installed on a LAN, not a server hosted on the internet (WAN). :)


-omni

Joachim Müller

Sure, but we're talking about an intranet, aren't we? My company's intranet is on the WAN, all clients' IP addresses get routed inside our net. If I ban a client by his IP address, he is banned. Of course the local IP # gets translated (NAT) when accessing the internet...

GauGau

omniscientdeveloper

Quote
My company's intranet is on the WAN, all clients IP addresses get routed inside our net.

Right. You can have a LAN on WAN only through the use of VPNs. The point is that if you have Coppermine installed on your LAN, it'll only be accessible by people on your LAN, unless you do some forwarding to allow people outside to access it, in which case they're accessing a totally different IP via the WAN, since the LAN address is unroutable.

Quote
If I ban a client by his IP address, he is banned. Of course the local IP # get translated (NAT) when accessing the internet

Exactly. If the server (where Coppermine is hosted) is on the LAN this will work. If the server is on a WAN, it won't. If the client computer's IP is unroutable, they'll be using some sort of NAT to access the WAN, so in effect you'll be banning the NAT server's IP, not the client computer.


Actually, all this doesn't matter, since you're doing an admin switch to allow a user to ban a LAN IP. :D But I still think it should just be removed totally. ;)