IP Filter Rules

IP filters are named groups of filter rules that either deny or allow access based on the standard IPv4 or IPv6 address best practice for naming rules.

The format of the IP filter is a text definition that contains one or more lines defining the rules. Each line starts with either:

  • allow - allow the IP address or address range

  • deny - deny the IP address or address range

The address specification can take of the form of:

  • all applies to all IP addresses.

  • IPv4 or IPv6 address - applies to only a single address

  • IPv4 or IPv6 range using CIDR subnet specification

For example:

ini
deny all

would deny access from all IP addresses.

To allow an internal user to access from their laptop by setting a single IPv4 subnet:

ini
allow 192.168.0.1/24

To deny access from an IPv6 range:

ini
deny fe80::/10

These rules can be combined, with deny rules taking precedence over allow rules. For example, to deny access to all hosts, allow access for a single IP range, but deny access to a single host the IP filter would be:

ini
deny all
allow 192.168.0.1/24
deny 192.168.0.80

For more information on IP address specification, see https://tools.ietf.org/html/rfc5735 and https://tools.ietf.org/html/rfc5156.