Whitelisting Source IPs
Traffic coming from IPs in the whitelist is accepted, regardless of the TCP/UDP port filtering policies.
Neither the whitelist nor the blacklist can exceed 512 different class C networks.
Setting IP address or IP range
PacketShield accepts two types of IP addresses:
Single host, e.g. 10.0.0.1
IP range within a class C network, e.g. 10.0.0.0-255 or 10.0.0.10-20
Note
An IP range is inclusive: the lower and upper IP addresses that describe the range are part of the range when matching packets.
Use sysfs entry
PacketShield manages the source IP whitelist through the sysfs entry /sys/packetshield/<instance name>/<context id>/w_sources.
Add an IP to a whitelist
When you add an address to the IP source whitelist, it is automatically removed from the blacklist.
sysfs
Write the IPv4 address or range, prefixed by the character +, to the sysfs entry.
To add a single host:
$ echo "+10.0.2.3" > /sys/packetshield/myinst/Other/w_sources
To add a whole class C subnet:
$ echo "+10.0.3.0-255" > /sys/packetshield/myinst/Other/w_sources
To add 11 consecutive IPs of the same range:
$ echo "+10.0.4.10-20" > /sys/packetshield/myinst/Other/w_sources
GUI
Use the statement <instance name>/<context id>/w_sources followed by the IP address or range.
To add a single host:
<instance name>/<context id>/w_sources 10.0.2.3
To add a whole class C subnet:
<instance name>/<context id>/w_sources 10.0.3.0-255
To add 11 consecutive IPs of the same range:
<instance name>/<context id>/w_sources 10.0.4.10-20
Remove an IP
Removing an IPv4 address in the middle of a range in the same class C network will split the range into two ranges.
sysfs
Write the IPv4 address or range, prefixed by the character -, to the sysfs entry.
$ echo -10.0.3.100 > /sys/packetshield/myinst/Other/w_sources
$ echo -10.0.4.10-15 > /sys/packetshield/myinst/Other/w_sources
GUI
Remove the statement <instance name>/<context id>/w_sources <IP address> that matches the IP address or range.
If the IP address to remove is in the middle of an existing range, replace that statement with statements for the ranges that remain on either side of it.
To remove the IP address 10.0.3.100 from the subnet 10.0.3.0/24:
myinst/Other/w_sources 10.0.3.0-99
myinst/Other/w_sources 10.0.3.101-255
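Working out the replacement statements by hand is error-prone when a whitelist holds many ranges. The following Python sketch is an added example, not part of the ALOHA documentation or of PacketShield; its function names are hypothetical. It parses entries in the host and class C range syntax described above, rejects anything else, and computes the ranges left after a removal.

```python
import re

# Entry syntax from the page: single host "a.b.c.d" or class C range "a.b.c.lo-hi".
ENTRY_RE = re.compile(r"([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})(?:-([0-9]{1,3}))?")

def parse_entry(text):
    """Return (prefix, lo, hi) for a host or an inclusive class C range."""
    m = ENTRY_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a host or class C range: {text!r}")
    a, b, c, lo = (int(g) for g in m.groups()[:4])
    hi = lo if m.group(5) is None else int(m.group(5))
    if max(a, b, c, lo, hi) > 255 or lo > hi:
        raise ValueError(f"octet above 255 or reversed bounds: {text!r}")
    return f"{a}.{b}.{c}", lo, hi

def format_entry(prefix, lo, hi):
    """Render a host or range the way the w_sources listing shows it."""
    return f"{prefix}.{lo}" if lo == hi else f"{prefix}.{lo}-{hi}"

def remove_from_whitelist(entries, removal):
    """Return the entries that remain after removing a host or range."""
    r_prefix, r_lo, r_hi = parse_entry(removal)
    remaining = []
    for entry in entries:
        prefix, lo, hi = parse_entry(entry)
        if prefix != r_prefix or r_hi < lo or r_lo > hi:
            remaining.append(format_entry(prefix, lo, hi))  # no overlap, keep as is
            continue
        if lo < r_lo:   # part below the removed span survives
            remaining.append(format_entry(prefix, lo, r_lo - 1))
        if r_hi < hi:   # part above the removed span survives
            remaining.append(format_entry(prefix, r_hi + 1, hi))
    return remaining

def gui_statements(instance, context, entries):
    """Build GUI statements; instance and context names are supplied by the caller."""
    return [f"{instance}/{context}/w_sources {e}" for e in entries]

if __name__ == "__main__":
    # Constructed sample: the whitelist holds one full class C subnet.
    current = ["10.0.3.0-255"]
    for line in gui_statements("myinst", "Other", remove_from_whitelist(current, "10.0.3.100")):
        print(line)
```

Because entries use the same syntax as the lines read back from the w_sources sysfs entry, that listing can be passed in as the `entries` argument.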
List IPs
This function is only available using the CLI.
To list the IPs currently configured in the source IP whitelist, read the content of the sysfs entry. It displays one IPv4 address or one range within a class C network per line.
$ cat /sys/packetshield/myinst/Other/w_sources
10.0.2.3
10.0.3.10-20
10.0.4.0-255