Wildcard whitelist of IP addresses

[dchunt15]

I like NoScript but I need to whitelist some private IP addresses for various servers I need to access. Is there a way to whitelist a subnet such as 192.168.10.0? Or somehow use wildcards with an IP address? I have tried 192.168.10.* or 192.168.* and that doesn't seem to work.

Thanks,

Dan

[therube]

Site matching

How to write this user ruleset?

[Tom T.]

@ coltswalker:

I like NoScript but I need to whitelist some private IP addresses for various servers I need to access. Is there a way to whitelist a subnet such as 192.168.10.0? Or somehow use wildcards with an IP address? I have tried 192.168.10.* or 192.168.* and that doesn't seem to work.

Thanks,

Dan

Correct Answer:Just enter 10.168.10 for whitelist the C block or 192.168 for whitelist the B block. NoScript * != wildcard and cidr std not apply.

The correct answer was on one of the several links in that guys response. But people like me want a FAST answer and this thread is what Google spit out on a search. So, in the sake of not being lazy, I provide above.

The Forum Rules, in the very first rule, request that users search the FAQ and the forum *before* posting. This user did not, which is common.
Therefore, therube did the OP a courtesy by pointing to the threads with the answers.

But people like me want a FAST answer

And people like me, and therube, and the rest of the support team, are *unpaid volunteers* who *donate spare time* to helping users.

The product is free. The support is free. If you want FAST answers from a 24/7, full-time, paid support team, then a donation of a few hundred thousand dollars, euros, or pounds would probably fund that for some number of months.

Super-sizing the IPs was unnecessary, and apparently in line with the general (sarcastic, negative) tone of the message. They've been edited to normal size. Don't revert them, if you wish to remain welcome here.

this thread is what Google spit out on a search. So, in the sake of not being lazy, I provide above

OP could have made that search, too...

Your reply to therube was uncivil and personally insulting, aside from the disrespect of referring to a Moderator with more than 3,000 posts as "that guy". Please re-read the Forum Rules, which you surely read on your first visit here -- they're posted at the top of every forum, in CAPS, saying "PLEASE READ THIS FIRST!". Especially #4.

Consider this a warning. There will not be a second warning. Further violations will result in deletions of posts and even banning from the Forum.

[therube]

I gather this was a recent PM or something from coltswalker?

> And people like me, and therube, ... are *unpaid*

You mean you don't get paid ?

> uncivil and personally insulting

I never saw the post. Plus I could care less if it were uncivil and personally insulting .

[Tom T.]

I gather this was a recent PM or something from coltswalker?

It was a post right after yours. See the post in our private forum for the details.

> And people like me, and therube, ... are *unpaid*

You mean you don't get paid ?

Well, yes, I do, but I didn't want to say anything, in case some others weren't.

(Users: He's joking. So am I. Actually, therube paid Giorgio to let him be on the team. - another friendly jest. )

> uncivil and personally insulting

I never saw the post. Plus I could care less if it were uncivil and personally insulting .

I think you mean "I couldn't care less". "I could care less" means that you do, in fact, care to some degree.

The quoted parts in my reply were sufficient to justify the response.

I care. And perhaps Giorgio cares, especially because his name and reputation ride on this forum as well as on his products.
He must care, because he personally approved the Forum Rules before they were posted.
And perhaps other Mods care, and perhaps many users and guests care.

Actually, I've never seen a forum that *didn't* have a rule against incivility and disrespect to other users, Mod or not. And IIRC, when you register, you have to check a box that you've read the default PHPbb Forum Rules, which in fact go into much greater detail.

It sets a bad precedent for others to allow such things to go unnoticed, and a good precedent to reinforce that this forum intends to stay user-friendly to all.

[GµårÐïåñ]

If you simply whitelist 192.168 you will have access to the whole range by default or narrow it further like your example by just whitelisting 192.168.10 and it will do it for everything that comes up in that range. Simple as that. Its been discussed before on the forum and a search would have given you the answer. This would work with any other private IP ranges as well, like the 10s and 172s, such as:

Code: Select all

RFC1918 name 	IP address range
24-bit block 	10.0.0.0 – 10.255.255.255
20-bit block 	172.16.0.0 – 172.31.255.255
16-bit block 	192.168.0.0 – 192.168.255.255

so if you put any part of those addresses in the whitelist, you will automatically allow the addresses that match them without having to allowing them individually.

[Tom T.]

Actually, I've never seen a forum that *didn't* have a rule against incivility and disrespect to other users, Mod or not. And IIRC, when you register, you have to check a box that you've read the default PHPbb Forum Rules, which in fact go into much greater detail.

For unrelated research purposes, I recently created a new account as a regular user, not a Moderator.
And indeed, before proceeding, I had to agree to *PHP* Terms and Conditions, long before even competing registration, much less logging in to the Forum.

Partial:

You agree not to post any abusive, obscene, vulgar, slanderous, hateful, threatening, sexually-orientated or any other material that may violate any laws be it of your country, the country where “InformAction Forums” is hosted or International Law. Doing so may lead to you being immediately and permanently banned, with notification of your Internet Service Provider if deemed required by us. The IP address of all posts are recorded to aid in enforcing these conditions. You agree that “InformAction Forums” have the right to remove, edit, move or close any topic at any time should we see fit. As a user you agree to any information you have entered to being stored in a database.....

[BSDard]

Adding subnets in the white-list does not work.
I added:
172.24 <- which should have allowed access to 172.24.0.0/16 but it did not.

[coogor]

Adding subnets in the white-list does not work.
I added:
172.24 <- which should have allowed access to 172.24.0.0/16 but it did not.

Yes, I would be interested to know as well how subnets are allowed in NoScript.
Actually I use Airdroid to Sync my laptop and my cellphone, and each time I have to allow 192.168.2.anything instead of just applying 192.168.*.* (or as above, /16)

[GµårÐïåñ]

For the record, 172.24.0.0 is not a /16, the private range for 172, is 172.16.0.0/12 otherwise, you using 172.24.0.0/16 would exceed the permitted private range allowable from 172.16.0.0-172.31.255.255, so you need to check your CIDR mask.

Allowable private address ranges are:

Single Class A - 10.0.0.0/8 - 16,777,216 addresses and goes through 10.255.255.255
16 Contiguous Class B - 172.16.0.0/12 (only this part is private, the rest is public) - 1,048,576 addresses and goes through 172.31.255.255
256 Contiguous Class C - 192.168.0.0/16 - 65,536 addresses and goes through 192.168.255.255

[unregistereduser293764]

Sorry for bumping old thread but google has some annoying addresses that I tried to whitelist - e.g.

X.client-channel.google.com (where X is a number; seen in gmail)

YYYYYYY.googlevideo.com (where YYYYYYY is a random-ish string; seen in youtube)


I want to whitelist these for HTTPS but not HTTP so I tried like this:

https://*.googlevideo.com:0

as instructed in the NoScript support site. But it does not seem to work. Is there a working way to whitelist sites using wildcard rules?

[barbaz]

Sorry for bumping old thread

Apology accepted, note that per Forum Rules we don't mind this per se.

I want to whitelist these for HTTPS but not HTTP

What you are looking for is along the lines of FAQ 8.10. Whitelist the full domains, then
NoScript Options > Advanced > ABE; add this rule to USER

Code: Select all

Site ^https://(?:[^/:]+\.)?googlevideo\.com ^https://\d+\.client-channel\.google\.com
Accept

# emulate script-blocking instead of outright Deny INC
Site .googlevideo.com .client-channel.google.com
Deny INC(SCRIPT, OBJ, FONT, XHR, MEDIA)
Sandbox

[Thrawn]

https://*.googlevideo.com:0

The regular script blocking cannot specify a protocol and yet use a wildcard domain. I would quite like to have that ability, actually, in cases where sites use many numbered subdomains.

[unregisteredsomething3241]

Sorry for bumping old thread

Apology accepted, note that per Forum Rules we don't mind this per se.

I want to whitelist these for HTTPS but not HTTP

What you are looking for is along the lines of FAQ 8.10. Whitelist the full domains, then
NoScript Options > Advanced > ABE; add this rule to USER

Code: Select all

Site ^https://(?:[^/:]+\.)?googlevideo\.com ^https://\d+\.client-channel\.google\.com
Accept

# emulate script-blocking instead of outright Deny INC
Site .googlevideo.com .client-channel.google.com
Deny INC(SCRIPT, OBJ, FONT, XHR, MEDIA)
Sandbox

Thanks very much for this information! Some more questions about this:

1) Is it necessary to have all these rules under one "Site" section, or is it possible to have multiple rules like this:

Code: Select all

Site <regex>xxx.y
Accept

Site <regex>ppp.q
Accept

Site .xxx.y .ppp.q
Deny INC(SCRIPT, OBJ, FONT, XHR, MEDIA)

2) Twitch has domains like this:

vodXXX-ttvnw.akamaized.net

Where XXX is a number, for example, 022. How to allow these? Does this work?

Code: Select all

Site ^https://vod\d+\-ttvnw\.akamaized\.net
Accept

Site .akamaized.net
Deny INC(SCRIPT, OBJ, FONT, XHR, MEDIA)

[barbaz]

1) Either way would work in that case, I'd think.

2) Almost. You're missing a "Sandbox" on the end of that rule.

Code: Select all

Site ^https://vod\d+\-ttvnw\.akamaized\.net
Accept

Site .akamaized.net
Deny INC(SCRIPT, OBJ, FONT, XHR, MEDIA)
Sandbox