IP Filter Rules
IP filters are named groups of filter rules that either deny or allow access based on the standard IPv4 or IPv6 address best practice for naming rules.
The format of the IP filter is a text definition that contains one or more lines defining the rules. Each line starts with either:
allow
- allow the IP address or address rangedeny
- deny the IP address or address range
The address specification can take of the form of:
all
applies to all IP addresses.IPv4 or IPv6 address - applies to only a single address
IPv4 or IPv6 range using CIDR subnet specification
For example:
deny all
would deny access from all IP addresses.
To allow an internal user to access from their laptop by setting a single IPv4 subnet:
allow 192.168.0.1/24
To deny access from an IPv6 range:
deny fe80::/10
These rules can be combined, with deny rules taking precedence over allow rules. For example, to deny access to all hosts, allow access for a single IP range, but deny access to a single host the IP filter would be:
deny all
allow 192.168.0.1/24
deny 192.168.0.80
For more information on IP address specification, see https://tools.ietf.org/html/rfc5735 and https://tools.ietf.org/html/rfc5156.