Falcon LogScale Documentation

From version 1.17, Humio includes an IP-based access control list (ACL) for outgoing connections made by actions. This is to protect Humio from being used to proxy requests into the same internal network as Humio. It also protects against actions being used, for example, to send requests to Zookeeper.

By default, this denies connections to any reserved IP address as defined by RFC 5735 and RFC 5156. This includes the standard ranges for internal networks. That means that, by default, Humio won't be able to send messages from actions to other services on the same internal network.

The syntax of the ACL list is a sequence, seperated by newlines or ;, of allow or deny actions, along with a CIDR block or all. An IP address is allowed or denied by finding the first match and applying the corresponding action. The all value matches any IP-address (i.e., IPv4 or IPv6).

# From https://tools.ietf.org/html/rfc5735
deny 0.0.0.0/8
deny 10.0.0.0/8
deny 127.0.0.0/8
deny 169.254.0.0/16
deny 172.16.0.0/12
deny 192.0.0.0/24
deny 192.0.2.0/24
deny 192.88.99.0/24
deny 192.168.0.0/16
deny 198.18.0.0/15
deny 198.51.100.0/24
deny 203.0.113.0/24
deny 224.0.0.0/4
deny 240.0.0.0/4
deny 255.255.255.255/32

# From https://tools.ietf.org/html/rfc5156
deny ::/128
deny ::1/128
deny fe80::/10
deny fc00::/7
deny ff00::/8

IP_FILTER_ACTIONS="allow all"

IP_FILTER_ACTIONS="allow 192.168.0.16"

IP_FILTER_ACTIONS="allow 192.168.0.16; deny all"