Banning connecting clients can be done from the dashboard or from your own backend (over HTTP). What differs is how far the connecting client gets before it is rejected. This article covers banning clients at the proxy or tunnel edge.

By default, when no rules are specified, any client can connect.

CIDR Format

CIDR format is a way of referring to an IP range (or a single IP). It allows for maximum flexibility in rules. It appends to the address a slash character and the decimal number of leading bits of the routing prefix, e.g. 192.168.2.0/24 for IPv4 and 2001:db8::/32 for IPv6.

Common CIDR rules

0.0.0.0/0 - All IP addresses
8.8.8.8/32 - Just 8.8.8.8
192.168.2.0/24 - 192.168.2.1 - 192.168.2.255

HTTP ACLs

Rules are evaluated from the top down; the first matching rule is the one that takes effect. For example, take the following rules:

1) deny    192.168.1.1;
2) allow   10.1.1.0/16;
3) allow   192.168.1.0/24;
4) deny    0.0.0.0/0;

This configuration specifies that only 10.1.1.0/16 and 192.168.1.0/24 (with the exception of 192.168.1.1, which is denied by the first rule before the allow on rule 3 is reached) are allowed to access the server; the final deny 0.0.0.0/0 rejects everyone else.

Notes

  • If an IP address is entered without a CIDR suffix, it will default to /32 (i.e. just that IP).

  • A Subnet Calculator exists to help with the calculations.
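The following is an added example, not code from this documentation or from the tunnel product it describes. It is a small Python evaluator that applies the first-match semantics described in the HTTP ACLs section to the four rules above, applies the /32 default from the Notes to bare addresses, and doubles as a subnet calculator for the CIDR examples. One assumption is worth calling out: the page writes 10.1.1.0/16, which has host bits set inside a /16; the evaluator normalizes that to 10.1.0.0/16 (using strict=False), which is the range the rule is presumed to mean. The calculator reports the full block for 192.168.2.0/24, i.e. 192.168.2.0 through 192.168.2.255 (256 addresses), including the network address.

```python
import ipaddress

# The rule list from the page, in evaluation order (rule numbering dropped).
ACL_TEXT = """
deny    192.168.1.1;
allow   10.1.1.0/16;
allow   192.168.1.0/24;
deny    0.0.0.0/0;
"""


def parse_rule(line):
    """Parse one 'allow|deny <address-or-cidr>;' line.

    A bare address without a suffix defaults to a single-host prefix
    (/32 for IPv4, /128 for IPv6), matching the Notes on the page.
    """
    action, target = line.strip().rstrip(";").split()
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action {action!r}")
    if "/" not in target:
        addr = ipaddress.ip_address(target)
        target = f"{target}/{addr.max_prefixlen}"
    # strict=False: assumption that a prefix with host bits set (e.g. 10.1.1.0/16)
    # means the enclosing network (10.1.0.0/16) rather than being a config error.
    return action, ipaddress.ip_network(target, strict=False)


def parse_acl(text):
    """Parse a multi-line rule list into an ordered list of (action, network)."""
    return [parse_rule(line) for line in text.splitlines() if line.strip()]


def evaluate(acl, client_ip, default="allow"):
    """Return 'allow' or 'deny' for client_ip.

    Rules are checked top down and the first match wins. With no matching
    rule (or an empty rule list) the page's default applies: any client can connect.
    """
    ip = ipaddress.ip_address(client_ip)
    for action, net in acl:
        if ip.version == net.version and ip in net:
            return action
    return default


def cidr_range(cidr):
    """Subnet calculator: (first address, last address, address count) for a CIDR."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # Constructed sample client addresses exercising each rule in the list.
    for client in ("192.168.1.1", "192.168.1.50", "10.1.200.7", "10.2.0.1", "8.8.8.8"):
        print(f"{client:>14} -> {evaluate(acl, client)}")
    for cidr in ("0.0.0.0/0", "8.8.8.8/32", "192.168.2.0/24"):
        print(f"{cidr:>16} -> {cidr_range(cidr)}")
```

Because the rules are ordered, swapping rules 1 and 3 in the sample would silently re-admit 192.168.1.1; when editing an allow list, re-running a few known addresses through an evaluator like this is a cheap way to confirm the order still does what you intended.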