#39315 WAF Exclusions

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: 4.3.3
PHP version: 8.0.29
Admin Tools version: 7.3.4 (PRO)

Latest post by nicholas on Saturday, 05 August 2023 09:34 CDT

enclavecoa

I have a question regarding the WAF Configuration > Exclusions panel. It is my understanding that if I put an I.P. address that ends in zero (0) (e.g. 199.195.14.0) in the "Never block these IPs" field, IP addresses in the entire range will not be blocked. For example, 199.195.14.0 would never block 199.195.14.1 through 199.195.14.256. Is this understanding correct? The reason I ask is because I'm getting "loginfailure" from users in a similar range which I have excluded this way (199.195.15.0) (see attached). And is there any way that I can print the Username rather than Guest or the name that they entered when someone attempts to Login?

nicholas
Akeeba Staff
Manager

No, this is not the case. Using 199.195.14.0 would only exclude that IP address — assuming Joomla didn't change the code I had contributed a very long time ago for parsing IP lists.

You might wonder, but why allow x.y.z.0 IPv4 addresses to be excluded? Aren't they always the network identifier of a Class C network with addresses from x.y.z.1 to x.y.z.254? The answer is that they might not always be a network identifier. It depends on the subnet's netmask / CIDR notation. For example, let's say you have an intranet using the subnet 192.168.0.0 with netmask 255.255.0.0 i.e. a class B network using all IPv4 addresses from 192.168.0.1 to 192.168.255.254. This means that the IP address 192.168.1.0 is a valid, routable IPv4 address you can assign to a network client; it is not a network identifier. Therefore, x.y.z.0 addresses cannot be used as shorthand for an entire Class C network. See https://serverfault.com/questions/10985/is-x-y-z-0-a-valid-ip-address for a more nuanced and technical conversation about it, or https://www.techtarget.com/searchnetworking/answer/Can-you-assign-an-IP-address-ending-in-0-or-255 for a more digestible (but not less technically correct) explanation.

To exclude the entire subnet you have to specify so, either using a netmask or a CIDR notation i.e. 199.195.14.0/255.255.255.0 or 199.195.14.0/24. Another way to do that would be specifying an implied netmask notation i.e. 199.195.14. (note the trailing dot).

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
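
The notations described in the reply above, as an added Python illustration that is not part of the ticket and is not Admin Tools' own parsing code. The function names are hypothetical and the client addresses are constructed; it shows which addresses each kind of exclusion entry covers.

```python
import ipaddress


def entry_to_network(entry: str) -> ipaddress.IPv4Network:
    """Turn one exclusion-list entry into the IPv4 network it covers."""
    entry = entry.strip()
    if entry.endswith("."):
        # Implied netmask ("199.195.14."): the octets given are fixed,
        # the missing ones are free. Three octets therefore means /24.
        octets = entry[:-1].split(".")
        if not 1 <= len(octets) <= 3:
            raise ValueError(f"bad implied-netmask entry: {entry!r}")
        padded = octets + ["0"] * (4 - len(octets))
        return ipaddress.IPv4Network(f"{'.'.join(padded)}/{8 * len(octets)}")
    if "/" in entry:
        # CIDR (/24) or dotted netmask (/255.255.255.0); both are accepted.
        return ipaddress.IPv4Network(entry, strict=False)
    # Plain address, x.y.z.0 included: exactly one host, never a range.
    return ipaddress.IPv4Network(f"{ipaddress.IPv4Address(entry)}/32")


def is_excluded(ip: str, entries: list[str]) -> bool:
    """True if ip falls inside any entry of the exclusion list."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in entry_to_network(e) for e in entries)


def coverage(entry: str) -> tuple[str, str, int]:
    """First address, last address and size of the block an entry covers."""
    net = entry_to_network(entry)
    return str(net[0]), str(net[-1]), net.num_addresses


if __name__ == "__main__":
    # Entries in the notations from the reply, checked against a
    # constructed client address inside the intended range.
    client = "199.195.14.37"
    for entry in ("199.195.14.0", "199.195.14.0/24",
                  "199.195.14.0/255.255.255.0", "199.195.14."):
        first, last, size = coverage(entry)
        print(f"{entry:28} covers {first} - {last} ({size} addresses); "
              f"{client} excluded: {is_excluded(client, [entry])}")
```
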
