IP Filter Rules

IP filters are named groups of filter rules that either deny or allow access based on standard IPv4 or IPv6 addresses.

The format of the IP filter is a text definition that contains one or more lines defining the rules.

Each line starts with either:

  • allow - Permits access from the specified IP address or address range

  • deny - Blocks access from the specified IP address or address range

The address specification can take any of the following forms:

  • all - Applies rule to all IP addresses (wildcard selector)

  • IPv4 or IPv6 address - Applies rule to a single specific address (such as 192.168.1.100 or 2001:db8::1)

  • IPv4 or IPv6 range using CIDR subnet specification (such as 192.168.0.0/24 or 2001:db8::/32)

Basic Examples:

Deny access from all IP addresses:

```ini
deny all
```

Allow access from an internal network subnet (IPv4):

```ini
allow 192.168.0.1/24
```

Deny access from a link-local IPv6 address range:

```ini
deny fe80::/10
```

Combined Rule Example:

Rules can be combined for more granular control. Rules are evaluated from top to bottom; the first match wins. Deny rules take precedence over allow rules. The following example allows only specific networks and denies all others.

```ini
allow 10.0.0.0/24
allow 192.168.0.0/16
allow fe80::/10
deny all
```
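
The following is an added example, not the product's own code: a Python parser and evaluator for the rule format described above, plus a check that flags rules an earlier rule makes unreachable. It models only the top-to-bottom, first-match ordering. The function names, the deny result when no rule matches, and the acceptance of host bits in a CIDR value are assumptions.

```python
import ipaddress

# Constructed sample input: the combined rule set from this page.
COMBINED = """\
allow 10.0.0.0/24
allow 192.168.0.0/16
allow fe80::/10
deny all
"""

def parse_filter(text):
    """Parse filter text into a list of (action, network) rules; 'all' becomes None."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts:
            continue  # skip blank lines
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: expected 'allow|deny <address>'")
        action, spec = parts
        if spec == "all":
            rules.append((action, None))
        else:
            # Assumption: host bits in a CIDR (192.168.0.1/24) are tolerated.
            rules.append((action, ipaddress.ip_network(spec, strict=False)))
    return rules

def evaluate(rules, client, default="deny"):
    """Return the action of the first rule matching client, top to bottom."""
    addr = ipaddress.ip_address(client)
    for action, net in rules:
        if net is None or (addr.version == net.version and addr in net):
            return action
    return default  # assumption: no matching rule means deny

def shadowed(rules):
    """Return indexes of rules that can never match because an earlier rule covers them."""
    dead = []
    for i, (_, net) in enumerate(rules):
        for _, prev in rules[:i]:
            if prev is None or (net is not None and net.version == prev.version
                                and net.subnet_of(prev)):
                dead.append(i)
                break
    return dead
```

Running `shadowed()` on a filter before deploying it catches ordering mistakes such as a `deny all` placed above the allow rules it was meant to follow.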

For additional information on IP address specification standards, refer to: