IP Filter Rules

IP filters are named groups of filter rules that either deny or allow access based on the standard IPv4 or IPv6 address best practice for naming rules.

The format of the IP filter is a text definition that contains one or more lines defining the rules. Each line starts with either:

  • allow - Permits access from the specified IP address or address range

  • deny - Blocks access from the specified IP address or address range

The address specification can take any of the following forms:

  • all - Applies rule to all IP addresses (wildcard selector)

  • IPv4 or IPv6 address - Applies rule to a single specific address (such as, 192.168.1.100 or 2001:db8::1)

  • IPv4 or IPv6 range using CIDR subnet specification (such as, 192.168.0.0/24 or 2001:db8::/32)

Basic Examples:

Deny access from all IP addresses:

ini
deny all

Allow access from an internal network subnet (IPv4):

ini
allow 192.168.0.1/24

Deny access from a link-local IPv6 address range:

ini
deny fe80::/10
Combined Rule Example:

Rules can be combined for more granular control. Deny rules take precedence over allow rules. The following example denies all access by default, allows access from a specific network range, but explicitly denies access from one host within that range:

ini
deny all
allow 192.168.0.1/24  
deny 192.168.0.80

For additional information on IP address specification standards, refer to: