HP NonStop SSL Reference Manual Configuration • 53
DENYIP
Use this parameter to specify which remote IP addresses are to be forbidden to establish sessions ("black list").
Parameter Syntax
DENYIP [direction]range
Arguments
direction
Optional character specifying which connections the rules apply to
o A = Apply rules on incoming connections only
o C = Apply rules on outgoing connections only
o B = Apply rules on all connections (*default*)
range
One or more Classless Inter-Domain Routing (CIDR) format entries, each specifying an IP subnet or a single host IP address. Entries must be separated by commas. The network suffix can be left out for host entries (/32 or /128 is then assumed). IPv6/DUAL entries must be enclosed in square brackets. Entry types and the corresponding CIDR format:
o IPv4 address: 10.1.2.196 ( /32 is assumed)
o IPv4 subnet : 10.2.0.0/16
o IPv6 address: [abcd:1111::ab00] ( /128 is assumed)
o IPv6 subnet : [abcd::ef00/120]
o DUAL address: [::ffff:172.0.0.28] ( /128 is assumed)
o DUAL subnet : [::ffff:172.1.1.0/104]
Considerations
• See section "Limiting Remote IP Addresses" (in chapter "Introduction") for the concept of remote IP filtering
• The parameter can be changed at run time using SSLCOM. See chapter "SSLCOM Command Interface" for details.
• Backwards compatibility with the former syntax is preserved; however, in the mid-term ALLOWIP and DENYIP should be changed to use CIDR format.
Default
If omitted, HP NonStop SSL uses an empty entry (or *DEFAULT*), so that no remote IP addresses are forbidden.
Example
DENYIP 10.0.1.0/24, 10.0.2.0/24, 172.22.22.42
DENYIP A[abcd::ef00/120] , [abcd:1111::ab00] , [::ffff:172.1.1.0/104]
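The following Python sketch is an added example, not code from HP NonStop SSL. It parses a DENYIP value in the syntax described above and reports which remote addresses the entries cover, which is useful for reviewing a configuration before loading it. The function names parse_denyip and is_denied are hypothetical, and matching an address only against entries of its own address family is an assumption, since the manual does not describe how the product compares IPv4 and DUAL addresses.

```python
import ipaddress

def parse_denyip(value):
    """Parse the text after the DENYIP keyword into (direction, [networks])."""
    value = value.strip()
    direction = "B"  # B (all connections) is the documented default
    # IPv6/DUAL entries are bracketed, so a leading A/C/B can only be a direction.
    if value[:1] in ("A", "C", "B"):
        direction, value = value[0], value[1:].strip()
    if not value:
        return direction, []  # empty entry: nothing is forbidden
    networks = []
    for raw in value.split(","):
        entry = raw.strip()
        bracketed = entry.startswith("[") and entry.endswith("]")
        if bracketed:
            entry = entry[1:-1]
        # strict=False: the manual's [::ffff:172.1.1.0/104] has host bits set.
        # A missing suffix becomes /32 or /128, as the manual specifies.
        net = ipaddress.ip_network(entry, strict=False)
        if (net.version == 6) != bracketed:
            raise ValueError(f"{raw.strip()!r}: IPv6/DUAL entries, and only those, go in square brackets")
        networks.append(net)
    return direction, networks

def is_denied(rule, remote_ip, incoming):
    """True if the parsed rule forbids remote_ip for this connection direction."""
    direction, networks = rule
    if (direction == "A" and not incoming) or (direction == "C" and incoming):
        return False
    addr = ipaddress.ip_address(remote_ip)
    # Assumption: an address is only compared with entries of its own family.
    return any(addr.version == n.version and addr in n for n in networks)

if __name__ == "__main__":
    # The second example line from the manual; the test addresses are constructed.
    rule = parse_denyip("A[abcd::ef00/120] , [abcd:1111::ab00] , [::ffff:172.1.1.0/104]")
    print(rule)
    for ip in ("abcd::ef7f", "::ffff:172.200.9.9", "abcd:1111::ab01"):
        print(ip, is_denied(rule, ip, incoming=True))
```

A /104 suffix on a DUAL entry leaves only the first IPv4 octet fixed (104 - 96 = 8 bits), so [::ffff:172.1.1.0/104] covers every mapped 172.x.x.x address, not just 172.1.1.x.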