Access Control Lists
The Access Control List (ACL) can be accessed by navigating to the following path in the LoadMaster Web User Interface (WUI): System Configuration > Network Setup > Packet Routing Filter.
The LoadMaster supports a “blacklist” ACL system. Any host or network entered into the ACL will be blocked from accessing any service provided by the LoadMaster.
The ACL is only enabled when the Packet Filter is enabled.
The whitelist allows access to a specific IP address or address range. If the address or range is part of a larger range in the blacklist, the whitelist will take precedence for the specified addresses.
If there are no addresses listed in the blacklist and there are only addresses listed in the whitelist, then only connections from addresses listed on the whitelist are allowed and connections from all other addresses are blocked.
In addition to IPv4 addresses, IPv6 addresses are allowed in the lists if the system is configured with an IPv6 address family. An entry written with a network specifier (prefix length) matches the whole network rather than a single host.
For example, specifying the address 192.168.200.0/24 in the blacklist will block all hosts on the 192.168.200.x network.
Below is a table highlighting the scenarios of using Whitelist/Blacklist.
Also note that we do not recommend using a whitelist and a blacklist on the same Virtual Service (VS).
Note:
- A static port Virtual Service with an access list defined to block particular traffic will not work correctly if you also have a wildcard Virtual Service on the same IP address. The wildcard Virtual Service will accept the traffic after the static port Virtual Service denies it. It is recommended to use a separate IP address in this case to avoid unexpected behaviour resulting from this interaction.
- Real Servers (RS) that are known to the LoadMaster will never be blocked; this is by design.
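The precedence rules above (whitelist overrides blacklist, whitelist-only mode denies everything else, network specifiers match whole ranges, IPv4 and IPv6 both accepted, known Real Servers never blocked) can be modelled as a small decision function. The following is an added example written for this page, not LoadMaster code; the function names, the `real_servers` parameter and the sample lists are assumptions, and it takes the Packet Filter as already enabled.

```python
import ipaddress

# Categorised verdicts so an operator can see *which* rule produced the result.
ALLOW_REAL_SERVER = "allow:real-server"
ALLOW_WHITELIST = "allow:whitelist"
DENY_BLACKLIST = "deny:blacklist"
DENY_WHITELIST_ONLY = "deny:whitelist-only"
ALLOW_DEFAULT = "allow:default"


def parse_entry(entry):
    """Accept a host ('192.168.200.10', '2001:db8::1') or a network
    ('192.168.200.0/24', '2001:db8::/32'). A bare host becomes a /32 or /128."""
    return ipaddress.ip_network(entry, strict=False)


def _matches(addr, entries):
    """True if addr falls inside any entry of the same address family."""
    return any(addr.version == net.version and addr in net
               for net in map(parse_entry, entries))


def acl_decision(src, blacklist, whitelist, real_servers=()):
    """Return the verdict string for a source address under the ACL rules.

    Order of evaluation:
      1. Known Real Servers are never blocked.
      2. A whitelist hit always wins, even inside a blacklisted range.
      3. A blacklist hit denies.
      4. With an empty blacklist but a non-empty whitelist, everything
         not whitelisted is denied (whitelist-only mode).
      5. Otherwise allow.
    """
    addr = ipaddress.ip_address(src)
    if any(addr == ipaddress.ip_address(rs) for rs in real_servers):
        return ALLOW_REAL_SERVER
    if _matches(addr, whitelist):
        return ALLOW_WHITELIST
    if _matches(addr, blacklist):
        return DENY_BLACKLIST
    if not blacklist and whitelist:
        return DENY_WHITELIST_ONLY
    return ALLOW_DEFAULT


def is_allowed(src, blacklist, whitelist, real_servers=()):
    """Boolean convenience wrapper around acl_decision()."""
    return acl_decision(src, blacklist, whitelist, real_servers).startswith("allow")


if __name__ == "__main__":
    # Constructed sample configuration, not taken from any real LoadMaster.
    blacklist = ["192.168.200.0/24", "2001:db8::/32"]
    whitelist = ["192.168.200.10"]
    real_servers = ["192.168.200.50"]
    for src in ["192.168.200.10", "192.168.200.11", "192.168.200.50",
                "10.0.0.5", "2001:db8::1", "2001:db9::1"]:
        print(f"{src:>16}  {acl_decision(src, blacklist, whitelist, real_servers)}")
```

Running the demo shows the host exception inside the blacklisted /24 being allowed, its neighbour denied, the Real Server allowed despite the blacklist, and the IPv6 entry blocking only its own /32. Removing the blacklist while keeping the whitelist flips the unlisted addresses to `deny:whitelist-only`, which is the behaviour described above for a whitelist-only configuration.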