| Variable | IP_FILTER_NOTIFIERS |
| --- | --- |
| Introduced Version | 1.17 |
| Description | IP-based access control list (ACL) for outgoing connections made by notifiers. Replaced by IP_FILTER_NOTIFIERS |
LogScale includes an IP-based access control list (ACL) for outgoing connections made by notifiers. This protects against LogScale being used to proxy requests into the same internal network that LogScale runs in, for example an alert being used to send requests to ZooKeeper. By default, this denies connecting to any reserved IP as defined by RFC 5735 and RFC 5156. This includes the standard ranges for internal networks, meaning that, by default, LogScale will not be able to send alert notifications to other services on the same internal network.
The syntax of the ACL list is a sequence, separated by newlines or `;`, of `allow` or `deny` actions, each followed by a CIDR block or `all`. An IP address is allowed or denied by finding the first matching entry and applying the corresponding action. `all` matches any IP address (IPv4 or IPv6). If there is no match in the ACL list specified in the configuration parameter IP_FILTER_NOTIFIERS, the default ACL list is applied. If that has no match either, the connection is allowed.
The default ACL list is as follows:
# From https://tools.ietf.org/html/rfc5735
deny 0.0.0.0/8
deny 10.0.0.0/8
deny 127.0.0.0/8
deny 169.254.0.0/16
deny 172.16.0.0/12
deny 192.0.0.0/24
deny 192.0.2.0/24
deny 192.88.99.0/24
deny 192.168.0.0/16
deny 198.18.0.0/15
deny 198.51.100.0/24
deny 203.0.113.0/24
deny 224.0.0.0/4
deny 240.0.0.0/4
deny 255.255.255.255/32
# From https://tools.ietf.org/html/rfc5156
deny ::/128
deny ::1/128
deny fe80::/10
deny fc00::/7
deny ff00::/8
To get the old behavior of allowing all IP addresses in notifiers:
IP_FILTER_NOTIFIERS=allow all
To allow only 192.168.0.16 while keeping other internal addresses blocked (addresses that match no entry fall through to the default ACL list):
IP_FILTER_NOTIFIERS=allow 192.168.0.16
To allow only 192.168.0.16 and block all other addresses:
IP_FILTER_NOTIFIERS=allow 192.168.0.16; deny all
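The following is an added example, not LogScale's own code, that models the evaluation rules described above (first match wins, fall through to the default list, allow when nothing matches) so the three settings can be checked against concrete addresses before they are deployed. It assumes `#` comment lines are ignored, as in the listing of the default ACL; the function names are the example's own.

```python
import ipaddress

# Default ACL from the documentation (RFC 5735 / RFC 5156 reserved ranges),
# written with the ';' separator that the configuration syntax also accepts.
DEFAULT_ACL = (
    "deny 0.0.0.0/8; deny 10.0.0.0/8; deny 127.0.0.0/8; deny 169.254.0.0/16; "
    "deny 172.16.0.0/12; deny 192.0.0.0/24; deny 192.0.2.0/24; deny 192.88.99.0/24; "
    "deny 192.168.0.0/16; deny 198.18.0.0/15; deny 198.51.100.0/24; deny 203.0.113.0/24; "
    "deny 224.0.0.0/4; deny 240.0.0.0/4; deny 255.255.255.255/32; "
    "deny ::/128; deny ::1/128; deny fe80::/10; deny fc00::/7; deny ff00::/8"
)


def parse_acl(text):
    """Parse 'allow|deny <CIDR>|all' entries separated by newlines or ';'."""
    rules = []
    for entry in text.replace(";", "\n").splitlines():
        entry = entry.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        if not entry:
            continue
        action, target = entry.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action: {action}")
        # 'all' matches every address; a bare IP such as 192.168.0.16 becomes a /32.
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def first_match(rules, ip):
    """Return the action of the first rule matching ip, or None if nothing matches."""
    for action, net in rules:
        if net is None or (ip.version == net.version and ip in net):
            return action
    return None


def is_allowed(ip_str, ip_filter_notifiers=""):
    """Apply the configured ACL, then the default ACL; no match at all means allowed."""
    ip = ipaddress.ip_address(ip_str)
    verdict = first_match(parse_acl(ip_filter_notifiers), ip)
    if verdict is None:
        verdict = first_match(parse_acl(DEFAULT_ACL), ip)
    return verdict != "deny"


if __name__ == "__main__":
    for setting in ("", "allow all", "allow 192.168.0.16", "allow 192.168.0.16; deny all"):
        for target in ("192.168.0.16", "192.168.0.17", "8.8.8.8", "::1"):
            print(f"{setting!r:35} {target:14} allowed={is_allowed(target, setting)}")
```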