Creating an Access Control List (ACL)

The short answer is yes. The LoadMaster has ACL functionality that is configurable as a global setting, as well as on a per-Virtual Service basis.

To configure a global ACL, access the LoadMaster Web User Interface (WUI) and go to System Configuration > Network Setup > Packet Routing Filter.

Alternately, configure the ACL on a per-Virtual Service basis. In the Virtual Service modify screen, expand the Advanced Properties section and click Access Control.

On this screen, host addresses or complete subnets can be added to a white list or black list. Once an address is added to the white list, all requests from other addresses are automatically denied. This is a common configuration for SMTP Virtual Services, because administrators can specify their spam filters as the only IP addresses allowed to make requests to that particular Virtual Service.

Alternatively, if you add a series of addresses to the black list, those clients will not be able to access the services hosted on the LoadMaster. This can be used to mitigate a Denial of Service (DoS) attack if other countermeasures are not available.

If a host's IP address falls into two or more of the white list/black list rules, the rule with the highest netmask (the longest prefix) prevails. When specifying a single IP address, administrators often receive the error message "Invalid network specification prefix is invalid for specified network". This is because a CIDR-style netmask is required. Adding '/32' to the end of the IP address in question will typically resolve this issue.
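The rules described above (white list implies deny-by-default for everyone else, black list entries deny, overlapping entries resolved by the highest netmask, and a mandatory CIDR prefix) can be modelled in a few lines. The following is an added example written for this article, not LoadMaster code or the product's actual packet-filter implementation; the class and function names, the sample addresses (RFC 5737 documentation ranges) and the tie-breaking choice when an allow and a block entry have the same prefix length are all assumptions.

```python
"""Model of the LoadMaster-style ACL semantics described in the article.

Added example, not product code. Assumptions:
  - entries must carry a CIDR prefix (a bare address is rejected with a
    message modelled on the article's error text);
  - when an address matches both an allow and a block entry, the entry with
    the longest prefix (highest netmask) wins;
  - on an exact tie of prefix length, block wins (deny-by-default; assumed);
  - once any allow entry exists, unmatched addresses are denied.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_network(spec: str) -> Network:
    """Parse a host or subnet specification, requiring a CIDR prefix.

    A single host must be written as a.b.c.d/32 (or ::x/128 for IPv6), which
    is the fix the article recommends for the 'prefix is invalid' error.
    strict=True also rejects entries with host bits set (e.g. 10.0.0.5/24).
    """
    if "/" not in spec:
        raise ValueError(
            "Invalid network specification: prefix is invalid for specified "
            f"network (for a single host use {spec}/32)"
        )
    return ipaddress.ip_network(spec, strict=True)


@dataclass
class AccessControlList:
    allow: List[Network] = field(default_factory=list)   # white list
    block: List[Network] = field(default_factory=list)   # black list

    def add_allow(self, spec: str) -> None:
        self.allow.append(parse_network(spec))

    def add_block(self, spec: str) -> None:
        self.block.append(parse_network(spec))

    @staticmethod
    def _longest_match(addr: Address, nets: List[Network]) -> Optional[Network]:
        """Return the most specific entry containing addr, or None."""
        matches = [n for n in nets if addr in n]
        return max(matches, key=lambda n: n.prefixlen) if matches else None

    def decide(self, ip: str) -> str:
        """Return 'allow' or 'block' for a client address."""
        addr = ipaddress.ip_address(ip)
        best_allow = self._longest_match(addr, self.allow)
        best_block = self._longest_match(addr, self.block)
        if best_allow is not None and best_block is not None:
            # Overlapping rules: the highest netmask prevails; ties go to block.
            return "allow" if best_allow.prefixlen > best_block.prefixlen else "block"
        if best_block is not None:
            return "block"
        if best_allow is not None:
            return "allow"
        # No explicit match. If a white list exists, everyone else is denied.
        return "block" if self.allow else "allow"


def smtp_whitelist_example() -> AccessControlList:
    """Constructed SMTP scenario: only two spam-filter hosts may connect."""
    acl = AccessControlList()
    acl.add_allow("203.0.113.10/32")
    acl.add_allow("203.0.113.11/32")
    return acl


def overlap_example() -> AccessControlList:
    """Constructed scenario: a blocked /24 with one permitted host inside it."""
    acl = AccessControlList()
    acl.add_block("198.51.100.0/24")
    acl.add_allow("198.51.100.7/32")
    return acl


if __name__ == "__main__":
    smtp = smtp_whitelist_example()
    for client in ("203.0.113.10", "198.51.100.7"):
        print(f"SMTP VS: {client} -> {smtp.decide(client)}")
    ov = overlap_example()
    for client in ("198.51.100.7", "198.51.100.8"):
        print(f"overlap: {client} -> {ov.decide(client)}")
    try:
        parse_network("203.0.113.10")   # missing /32
    except ValueError as exc:
        print(exc)
```

Running the script shows the white-listed spam filter allowed and every other client denied on the SMTP Virtual Service, the single /32 allow entry overriding the surrounding /24 block entry, and the bare address rejected until a prefix is added.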

An important fact... when you set an ACL on a VS and remove it from the VS and you have no other ACLs configured, the packet filter remains activated.

tested FW:

best regards