Introduction
Access Control Lists (ACLs) are used for rejecting or allowing connecting clients by IP address (or CIDR). This can complement or replace banning addresses on your backend server.
ACLs provide a simple and efficient way to control access to your services based on IP addresses. They are ideal when you need straightforward allow/deny rules without the advanced matching capabilities of Layer 4 Rules.
By default there are no ACLs deployed and any client can connect to your service.
CIDR Format
ACLs are expressed as a list of CIDRs. CIDR (Classless Inter-Domain Routing) format refers to a way of specifying an IP range or single IP address. It provides maximum flexibility in defining rules.
How CIDR works:
CIDR notation appends a slash character and a number to an IP address. The number represents the count of leading bits in the routing prefix:
- For IPv4: 192.168.2.0/24
- For IPv6: 2001:db8::/32
A single IP address uses:
- /32 for IPv4 (e.g., 8.8.8.8/32)
- /128 for IPv6
CIDR examples:
- 0.0.0.0/0 - All IPv4 addresses
- 8.8.8.8/32 - Just 8.8.8.8
- 192.168.2.0/24 - IPs in the range 192.168.2.0 - 192.168.2.255 (256 addresses)
- 10.0.0.0/8 - IPs in the range 10.0.0.0 - 10.255.255.255 (16,777,216 addresses)
Common subnet sizes:
- /32 - Single IP (1 address)
- /24 - Small network (256 addresses)
- /16 - Medium network (65,536 addresses)
- /8 - Large network (16,777,216 addresses)
For more information on CIDRs please see this article on CIDRs.
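The following Python helper is an added example (not code from the original page or from the product it documents) that turns the CIDR arithmetic above into something you can run: it parses an address or CIDR, applies the /32 and /128 defaults for a bare address, reports the first and last address and the block size, tests membership, and orders a list so that smaller, more specific blocks come first. It uses only the standard library's `ipaddress` module; the function names are assumptions of this example. One caveat it makes visible: a CIDR whose host bits are set, such as 10.1.1.0/16, is not a canonical network; the helper clears those bits (so the block becomes 10.1.0.0/16 and the range starts at 10.1.0.0), while `strict=True` rejects such input outright.

```python
import ipaddress


def parse_cidr(text: str, strict: bool = False):
    """Parse an IPv4/IPv6 address or CIDR string into an ip_network object.

    A bare address with no '/' is treated as a single host: /32 for IPv4,
    /128 for IPv6.  With strict=False (the default here), host bits set
    below the prefix are cleared, so "10.1.1.0/16" becomes 10.1.0.0/16;
    with strict=True such input raises ValueError instead.
    """
    text = text.strip()
    if "/" not in text:
        addr = ipaddress.ip_address(text)
        return ipaddress.ip_network(f"{addr}/{addr.max_prefixlen}")
    return ipaddress.ip_network(text, strict=strict)


def describe(text: str) -> dict:
    """Return the canonical network, its first/last address and its size."""
    net = parse_cidr(text)
    return {
        "network": str(net),
        "first": str(net[0]),
        "last": str(net[-1]),
        "count": net.num_addresses,
    }


def contains(cidr: str, ip: str) -> bool:
    """True if the client address falls inside the CIDR block."""
    return ipaddress.ip_address(ip) in parse_cidr(cidr)


def sort_specific_first(cidrs):
    """Order entries so longer prefixes (smaller, more specific blocks)
    come before shorter ones; useful when building a first-match list."""
    return sorted(cidrs, key=lambda c: parse_cidr(c).prefixlen, reverse=True)


if __name__ == "__main__":
    # Constructed sample entries: the examples from the text plus one bare
    # address, one non-canonical block and one IPv6 block.
    for entry in ["0.0.0.0/0", "8.8.8.8", "192.168.2.0/24", "10.0.0.0/8",
                  "10.1.1.0/16", "2001:db8::/32"]:
        print(f"{entry:>16} -> {describe(entry)}")
    print(sort_specific_first(["0.0.0.0/0", "192.168.1.0/24", "192.168.1.1"]))
```

When accepting ACL entries from an operator, decide explicitly whether non-canonical input is normalized or rejected; silently normalizing can widen a rule beyond what the operator typed, while rejecting it surfaces the mistake at configuration time.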
Layer 4 ACLs
ACLs on TCP and UDP ports are expressed as a list of IP addresses or CIDR ranges to either Allow (whitelist mode) or Deny (blacklist mode).
How they work:
- Whitelist mode (Allow): Only specified IP addresses/ranges can connect. All others are blocked.
- Blacklist mode (Deny): Specified IP addresses/ranges are blocked. All others can connect.
When to use Layer 4 ACLs:
- Simple IP-based allow/deny rules
- Blocking known malicious IPs
- Restricting access to specific networks or countries
- Quick temporary blocks during an attack
Limitations: Layer 4 ACLs provide basic IP filtering only. For more advanced control over connecting clients, including packet inspection, rate limiting, and BPF expressions, use the Layer 4 Rules system.
HTTP ACLs
ACLs on HTTP ports are executed from top to bottom, with the first matching rule taking effect. This is different from ACLs at Layer 4 where the mode (Allow/Deny) applies to all rules.
Evaluation order: Rules are processed sequentially. Once a rule matches, that action is applied and no further rules are evaluated for that IP.
Example configuration:
1) deny 192.168.1.1
2) allow 10.1.1.0/16
3) allow 192.168.1.0/24
4) deny 0.0.0.0/0
How this works:
- Rule 1: Blocks 192.168.1.1 specifically
- Rule 2: Allows all IPs in 10.1.1.0/16 (10.1.1.0 - 10.1.255.255)
- Rule 3: Allows all IPs in 192.168.1.0/24 (except 192.168.1.1, already denied by Rule 1)
- Rule 4: Denies all other IPs (0.0.0.0/0 means all addresses)
Result: Only clients from 10.1.1.0/16 and 192.168.1.0/24 (excluding 192.168.1.1) can access the server.
Best practices:
- Place more specific rules (single IPs, smaller CIDRs) before broader rules
- Use a catch-all deny rule at the end when implementing a whitelist
- Test your rules carefully to avoid accidentally blocking legitimate traffic
ACLs are independent of mitigation rules. For more advanced control over connecting clients and the requests they make, use the Layer 7 Rules system.
Blocklists
We provide preset blocklists at both Layer 4 and Layer 7 levels for blocking common sources of unwanted traffic:
Available blocklists:
- TOR Exit Nodes: Automatically updated list of Tor network exit points
- VPN Providers: Known VPN and proxy service IP ranges
- Datacenter/Hosting Networks: Cloud and hosting provider IP ranges
How they work: Blocklists are executed after and separately from your custom ACL processing. This means:
- Your ACL rules are evaluated first
- If no ACL rule matches, blocklist rules are then checked
- Blocklists are automatically maintained and updated
When to use blocklists:
- Blocking anonymizing services (Tor, VPNs)
- Preventing bot traffic from datacenters
- Reducing automated attacks without managing IP lists manually
For more information, see the IP Blocklists article.
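The following Python model is an added example (not the product's own code) that puts the three evaluation behaviours described above side by side: a Layer 4 ACL, where one Allow/Deny mode applies to the whole list; an HTTP ACL, where ordered rules are evaluated top to bottom and the first match wins; and blocklists, which are consulted only when no custom ACL rule matched. Function names, the `(action, cidr)` rule representation and the `default` fall-through action are assumptions of this example; the blocklist ranges are constructed from documentation address space and are not real Tor or datacenter data. The rules are the example configuration from the HTTP ACLs section; note that the non-canonical entry 10.1.1.0/16 is normalized to 10.1.0.0/16, so addresses such as 10.1.0.5 also match Rule 2.

```python
import ipaddress
from typing import Optional


def _net(cidr: str):
    # Bare address -> single-host prefix; host bits below the prefix are cleared.
    cidr = cidr.strip()
    if "/" not in cidr:
        cidr = f"{cidr}/{ipaddress.ip_address(cidr).max_prefixlen}"
    return ipaddress.ip_network(cidr, strict=False)


def layer4_decision(mode: str, cidrs, client_ip: str) -> str:
    """Layer 4 ACL: one mode applies to the whole list.
    'allow' (whitelist): only listed addresses may connect.
    'deny'  (blacklist): listed addresses are blocked, everyone else connects."""
    ip = ipaddress.ip_address(client_ip)
    listed = any(ip in _net(c) for c in cidrs)
    if mode == "allow":
        return "allow" if listed else "deny"
    if mode == "deny":
        return "deny" if listed else "allow"
    raise ValueError(f"unknown Layer 4 ACL mode: {mode!r}")


def http_acl_decision(rules, client_ip: str) -> Optional[str]:
    """HTTP ACL: ordered (action, cidr) pairs, evaluated top to bottom.
    The first matching rule decides; returns None if nothing matched."""
    ip = ipaddress.ip_address(client_ip)
    for action, cidr in rules:
        if ip in _net(cidr):
            return action
    return None


def final_decision(rules, blocklists, client_ip: str, default: str = "allow"):
    """Custom ACL first; blocklists are consulted only when no ACL rule matched.
    Returns (action, reason) so the reason for a block can be logged."""
    action = http_acl_decision(rules, client_ip)
    if action is not None:
        return action, "acl"
    ip = ipaddress.ip_address(client_ip)
    for name, cidrs in blocklists.items():
        if any(ip in _net(c) for c in cidrs):
            return "deny", f"blocklist:{name}"
    return default, "default"


# The example configuration from the text, as (action, cidr) pairs.
EXAMPLE_RULES = [
    ("deny", "192.168.1.1"),
    ("allow", "10.1.1.0/16"),
    ("allow", "192.168.1.0/24"),
    ("deny", "0.0.0.0/0"),
]

# Constructed blocklists using documentation ranges (RFC 5737); not real data.
EXAMPLE_BLOCKLISTS = {
    "tor_exit": ["198.51.100.0/24"],
    "datacenter": ["203.0.113.0/25"],
}

if __name__ == "__main__":
    for ip in ["192.168.1.1", "192.168.1.50", "10.1.200.7", "10.1.0.5", "172.16.0.1"]:
        print(f"HTTP ACL    {ip:>14} -> {http_acl_decision(EXAMPLE_RULES, ip)}")
    print(f"L4 whitelist 1.2.3.4 -> {layer4_decision('allow', ['10.0.0.0/8'], '1.2.3.4')}")
    # Without the catch-all deny, unmatched clients fall through to blocklists.
    for ip in ["198.51.100.9", "203.0.113.5", "203.0.113.200"]:
        print(f"fallthrough {ip:>14} -> {final_decision(EXAMPLE_RULES[:3], EXAMPLE_BLOCKLISTS, ip)}")
```

Two things worth checking against your own rule set with this model: swapping Rule 1 and Rule 3 lets 192.168.1.1 through, which is why specific rules go first; and with the catch-all deny in place the blocklists are never reached, so a whitelist-style HTTP ACL does not need them, while a list without a catch-all relies on them for everything it does not mention.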
Tips and Best Practices
General tips:
- If an IP address is entered without a CIDR suffix, it defaults to /32 (just that single IP)
- A CIDR is sometimes referred to as an IP Network or IP Block
- Use a Subnet Calculator to help with CIDR calculations
Performance considerations:
- ACLs are very efficient and can handle large lists
- More specific rules (smaller CIDRs) are generally better than broad ranges
- Consider using blocklists for common categories instead of maintaining large custom lists
Security recommendations:
- Regularly review and update your ACL rules
- Remove temporary blocks that are no longer needed
- Document the reason for each rule (use comments if available)
- Test ACL changes carefully to avoid blocking legitimate users
Choosing between ACLs and Layer 4 Rules:
- Use ACLs for simple IP-based allow/deny
- Use Layer 4 Rules when you need:
  - BPF packet filtering
  - Rate limiting
  - TCP option matching
  - Complex matching conditions