DENYIP
Use this parameter to specify which remote IP addresses are to be forbidden to establish sessions ("black list").
Parameter Syntax
DENYIP [direction]range
Arguments
direction
Optional character specifying the realm to which the rules are applied:
o A = Apply rules on incoming connections only
o C = Apply rules on outgoing connections only
o B = Apply rules on all connections (*default*)
range
One or more Classless Interdomain Routing (CIDR) format entries, each specifying an IP subnet or a single host IP address. Entries have to be separated by commas. The network suffix can be left out for host entries (/32 or /128 is then assumed). IPv6/DUAL entries have to be specified in square brackets. Entry types and the corresponding CIDR format:
o IPv4 address: 10.1.2.196 (/32 is assumed)
o IPv4 subnet : 10.2.0.0/16
o IPv6 address: [abcd:1111::ab00] (/128 is assumed)
o IPv6 subnet : [abcd::ef00/120]
o DUAL address: [::ffff:172.0.0.28] (/128 is assumed)
o DUAL subnet : [::ffff:172.1.1.0/104]
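The following Python sketch is an added example, not code from HP NonStop SSL or from the manual. It parses a DENYIP value in the CIDR syntax described above so that a configuration line can be checked before it is deployed. The function names are hypothetical, and it assumes that the direction character applies to the whole list, that the former (non-CIDR) syntax is not accepted, and that peers are matched only against entries of the same address family.

```python
import ipaddress

# Direction letters as documented for DENYIP; B is the default.
DIRECTIONS = {"A": "incoming", "C": "outgoing", "B": "all"}

def parse_denyip(value):
    """Parse the text following the DENYIP keyword.

    Returns (direction, [network, ...]); raises ValueError on a bad entry.
    """
    value = value.strip()
    direction = "B"
    # An IPv4 entry starts with a digit and an IPv6/DUAL entry with "[",
    # so a leading A, B or C can only be the direction character.
    if value[:1] in DIRECTIONS:
        direction, value = value[0], value[1:].strip()
    networks = []
    if not value:
        return direction, networks  # empty entry: nothing is denied
    for entry in (e.strip() for e in value.split(",")):
        # strict=False because the manual's own DUAL subnet example
        # ([::ffff:172.1.1.0/104]) has host bits set.
        if entry.startswith("[") and entry.endswith("]"):
            # IPv6/DUAL entries are bracketed; /128 is assumed for hosts.
            net = ipaddress.IPv6Network(entry[1:-1], strict=False)
        else:
            # Unbracketed entries must be IPv4; /32 is assumed for hosts.
            net = ipaddress.IPv4Network(entry, strict=False)
        networks.append(net)
    return direction, networks

def is_denied(value, peer, incoming):
    """True if a connection with remote address `peer` matches the value."""
    direction, networks = parse_denyip(value)
    if direction == "A" and not incoming:
        return False  # rules apply to incoming connections only
    if direction == "C" and incoming:
        return False  # rules apply to outgoing connections only
    addr = ipaddress.ip_address(peer)
    # Assumption: literal per-family match (IPv4 peer vs. IPv4 entries only).
    return any(addr.version == n.version and addr in n for n in networks)
```

An unbracketed IPv6 entry, a bracketed IPv4 entry and an empty list element all raise ValueError, which catches the most likely typing mistakes in a DENYIP line.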
Considerations
• See section "Limiting Remote IP Addresses" (in chapter "Introduction") for the concept of remote IP filtering.
• The parameter can be changed at run time using SSLCOM; please see chapter "SSLCOM Command Interface" for details.
• Backwards compatibility with the former syntax is preserved; however, in the mid-term ALLOWIP and DENYIP should be changed to use CIDR format.
Default
If omitted, HP NonStop SSL will use an empty entry, or *DEFAULT*, so that no remote IP addresses are forbidden.
Example
DENYIP 10.0.1.0/24, 10.0.2.0/24, 172.22.22.42
DENYIP A[abcd::ef00/120] , [abcd:1111::ab00] , [::ffff:172.1.1.0/104]
HP NonStop SSL Reference Manual