IP Blocking

Note

If you have the Security Suite, this document is superseded by Configuring Security Rules in the Portal.

From this page you can block or issue warnings on requests based on their IP addresses.

Note

The Configuration Management API also allows blocking and throttling based on User Agents and geographical information. See Security Configuration for details.

Also note that the portal only allows you to add and edit rules for blocking of IP addresses at the property level.

To open the IP Blocking page, click IP Blocking in the main navigation, or click the IP Blocking feature card on the Available Settings view of the Property Overview screen:

Blocking Configuration page

The page has two tabs: IP Blocking Rules and Exceptions - IP Address White List. Each displays a table sortable by column headers.

On the IP Blocking Rules tab (open by default when you land on the page), you can see a list of existing rules, create a new rule, and edit and delete existing ones.

Note

Existing IP addresses in the IP Rules column are expressed in CIDR notation. For more information, see About CIDR notation below.

Create a new rule

Click the Create Rule button and you will see the following fields:

Note

If you attempt to add a new rule that has the same action (block or warn) as an existing rule, you will be prompted to edit the existing rule or change the response action.

First comes Rule Action, a pair of radio buttons that define whether your rule's action type is Block or Warn me about IP Address. In the first case, traffic from a matching IP will be blocked; in the second, you will receive an alert that a request was received from a matching IP.

Next is Rule Condition. To match a single IP address, select If the IP matches this IP Address and enter the desired IP in the text field. To match a range, select IP address is within this IP range and enter the start of the range in the From field and the end of the range in the To field.

Exceptions

You can also at this point add an exception to the rule. Click on the pulldown and choose either Single IP Address or Range of IP Addresses.

If you choose Single IP Address, enter the desired IP address in the field, then click the green Add button to the right:

Adding single IP address exception to an IP blocking rule

You can repeat this and add any number of individual IP addresses you want:

Adding additional IP address exception to an IP blocking rule

(Note that once you have added an IP address, it will be displayed as a CIDR number.)

If you choose Range of IP Addresses, enter a range by specifying From (the start of the range) and To (the end of the range) addresses:

Adding range of IP addresses for an exception to an IP blocking rule

By repeatedly selecting exception type, entering the appropriate IP addresses, and clicking Add, you can specify any combination of single IP addresses and ranges. If you make a mistake, click Remove next to the IPs you want to remove.

When you have finished specifying the rule, click Save IP Blocking Rule, or click Cancel to abandon the new rule.

About CIDR notation

CIDR notation is a compact representation of an IP address and its associated routing prefix. The notation is constructed from an IP address, a slash ('/') character, and a decimal number. The number is the count of leading 1 bits in the routing mask, traditionally known as the network mask. The IP address is expressed according to the standards of IPv4 or IPv6.

The address may denote a single, distinct interface address or the beginning address of an entire network. The maximum size of the network is given by the number of addresses that are possible with the remaining, least-significant bits below the prefix. The aggregation of these bits is often called the host identifier.

For example:

192.168.100.14/24 represents the IPv4 address 192.168.100.14 and its associated routing prefix 192.168.100.0, or equivalently, its subnet mask 255.255.255.0, which has 24 leading 1-bits.

The IPv4 block 192.168.100.0/22 represents the 1024 IPv4 addresses from 192.168.100.0 to 192.168.103.255.

Note that all IP addresses are converted to CIDR numbers when you save them. For example, if you enter the single IP address 192.168.100.001, when you click Save New Setting, it will be displayed in the next page as 192.168.100.001/32.

There is also a CIDR Range Converter that allows you to manually enter a range of IP addresses by the beginning and end of the range. For example, if the range was 32.0.0.0 to 32.255.255.255, the CIDR range that results is 32.0.0.0/8.

As another example, suppose you entered a range of 192.168.100.000 to 192.168.100.001 (a range of just two IP numbers). This means the last bit can be either a 1 or a 0. 31 leading 1-bits would mean all but the last bit would be left as is, leaving 2 values. So the correct CIDR range for these two IPs would be 192.168.100.0/31.

Now say you want 192.168.100.000 through 192.168.100.009 (a range of 10 IP numbers). This becomes a bit (pardon the pun) more complicated. A single CIDR can only express a number of addresses that is a power of 2: 1, 2, 4, 8, 16, 32, 64, etc. You cannot express the numbers in between (like 3, 5, 6, 7, 9, 10, etc.) as a single CIDR. The solution is to use two or more CIDR expressions that together cover the range. For this range, 192.168.100.0/29 leaves 3 host bits (32 bits less 29 bits), and 2 to the power of 3 is 8, so it represents the first 8 of the IP addresses; the remaining two are then represented by 192.168.100.8/31.
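The range-to-CIDR conversion described above, worked as an added Python example (it is not the portal's CIDR Range Converter or any code from this product). It assumes IPv4 only and treats octets written with leading zeros, as in this page's examples, as decimal; the function names are illustrative.

```python
import ipaddress


def parse_ipv4(text):
    """Parse dotted-quad IPv4 text into an integer.

    Assumption: octets with leading zeros (192.168.100.001, as written on
    this page) are decimal. Python's ipaddress module rejects them because
    some tools read such octets as octal, so they are normalized explicitly.
    """
    octets = text.strip().split(".")
    if len(octets) != 4 or not all(
        o.isascii() and o.isdigit() and len(o) <= 3 for o in octets
    ):
        raise ValueError(f"not a dotted-quad IPv4 address: {text!r}")
    # IPv4Address raises a ValueError subclass for octets above 255.
    return int(ipaddress.IPv4Address(".".join(str(int(o)) for o in octets)))


def range_to_cidrs(first, last):
    """Return the shortest list of CIDR blocks covering first..last inclusive."""
    start, end = parse_ipv4(first), parse_ipv4(last)
    if start > end:
        raise ValueError("From address is higher than To address")
    blocks = []
    while start <= end:
        # A block can only begin on a boundary that matches its size, so the
        # trailing zero bits of `start` cap how large the next block may be.
        align_bits = (start & -start).bit_length() - 1 if start else 32
        # The block must also not run past the end of the range.
        fit_bits = (end - start + 1).bit_length() - 1
        host_bits = min(align_bits, fit_bits)
        blocks.append(f"{ipaddress.IPv4Address(start)}/{32 - host_bits}")
        start += 1 << host_bits
    return blocks


if __name__ == "__main__":
    # The ranges used as examples on this page.
    for lo, hi in [
        ("32.0.0.0", "32.255.255.255"),
        ("192.168.100.000", "192.168.100.001"),
        ("192.168.100.000", "192.168.100.009"),
    ]:
        print(f"{lo} - {hi}: {range_to_cidrs(lo, hi)}")
```

Covering the ten-address range with a single 192.168.100.0/28 instead would match 16 addresses, six more than were entered, which is why the conversion produces two blocks.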

Editing a rule

At any time you can click the checkbox to select a specific rule and the Edit Rule button at the top of the list becomes active. Click it to open the editing pane:

The IP address(es) for the rule is shown as a CIDR number.

When your changes are ready, click the Save IP Blocking Rule button, or click Cancel to abandon the change.

Deleting rules

You can also click Delete Rule(s) next to the Edit Rule button to delete one or more rules.

Editing an exception

At any time you can display the list of exceptions by clicking the Exceptions - IP Address White List tab:

If you want to edit an exception, click its checkbox and the Edit Exception button at the top of the list becomes active:

Click it to open the editing pane.

The IP address(es) for the rule is shown as a CIDR number. You can change the rule action to Block IP Address or Warn me about IP Address, and you can modify the address or range of addresses.

When your changes are ready, click the Save IP Blocking Rule button, or click Cancel to abandon the change.

Deleting exceptions

You can also click Delete Exception(s) next to the Edit Exception button to delete one or more exceptions.