Documentation for Serv-U MFT & Serv-U FTP Server

Access rule examples and caveats

Examples of IP address rules

Office-only access

A contractor has been hired to work in the office, and only in the office. Office workstations have IP addresses in the range of 192.0.2.0 - 192.0.2.24. The related Serv-U File Server access rule should be Allow 192.0.2.0-24, and it should be added to either the user account of the contractor or a Contractors group that contains multiple contractors. No deny rule is required because Serv-U File Server provides an implicit Deny All rule at the end of the list.

Prohibited computers

Users should normally be able to access Serv-U File Server from anywhere, except from a bank of special internal computers in the IP address range of 192.0.2.0 - 192.0.2.24. The related Serv-U File Server access rules should be Deny 192.0.2.0-24, followed by Allow *.*.*.*, and these rules should be added to either the domain or the server IP access rules.

DNS-based access control

The only users allowed to access a Serv-U File Server domain connect from *.example.com or *.example1.com. The related Serv-U File Server access rules should be Allow *.example.com and Allow *.example1.com in any order, and these rules should be added to the domain IP access rules. No deny rule is required because Serv-U File Server provides an implicit Deny All rule at the end of the list.

Specific IP caveats

Implicit deny all

Until you add the first IP access rule, connections from any IP address are accepted. After you add an IP access rule, all connections that are not explicitly allowed are denied. This is also known as an implicit Deny All rule. Make sure you add a Wildcard Allow rule (such as Allow *.*.*.*) at the end of your IP access rule list.
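
The office-only and prohibited-computers rule lists above, together with the implicit Deny All behavior, modeled in Python as an added example (not Serv-U code). It assumes rules are checked top to bottom with the first match deciding, and it supports only the IPv4 mask forms shown on this page; the function and list names are illustrative.

```python
# Simplified model of an ordered IPv4 access-rule list (added example, not Serv-U code).
# Assumption: rules are checked top to bottom and the first matching rule decides.

def octet_matches(pattern, value):
    """Match one octet against '*', a 'low-high' range, or an exact number."""
    if pattern == "*":
        return True
    if "-" in pattern:
        low, high = pattern.split("-")
        return int(low) <= value <= int(high)
    return int(pattern) == value

def mask_matches(mask, ip):
    """Match a dotted IPv4 address against a mask such as 192.0.2.0-24 or *.*.*.*."""
    patterns = mask.split(".")
    octets = [int(part) for part in ip.split(".")]
    if len(patterns) != 4 or len(octets) != 4:
        return False
    return all(octet_matches(p, o) for p, o in zip(patterns, octets))

def evaluate(rules, ip):
    """Return 'allow' or 'deny' for ip given an ordered list of (action, mask)."""
    if not rules:
        return "allow"   # no rules yet: every address is accepted
    for action, mask in rules:
        if mask_matches(mask, ip):
            return action
    return "deny"        # implicit Deny All once any rule exists

# Constructed rule lists mirroring the examples on this page.
OFFICE_ONLY = [("allow", "192.0.2.0-24")]
PROHIBITED = [("deny", "192.0.2.0-24"), ("allow", "*.*.*.*")]
MISORDERED = [("allow", "*.*.*.*"), ("deny", "192.0.2.0-24")]  # deny is never reached

if __name__ == "__main__":
    for name, rules in [("office-only", OFFICE_ONLY), ("prohibited", PROHIBITED),
                        ("misordered", MISORDERED), ("no rules", [])]:
        for ip in ("192.0.2.10", "198.51.100.7"):
            print(f"{name:12} {ip:14} -> {evaluate(rules, ip)}")
```

Under the first-match assumption, the misordered list shows why the Deny rule must come before the wildcard Allow: the wildcard matches first and the Deny is never reached.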

Matching all addresses

Use the *.*.*.* mask to match any IPv4 address. Use the *:* mask to match any IPv6 address. If you use both IPv4 and IPv6 listeners, add Allow ranges for both IPv4 and IPv6 addresses.

DNS lookup

If you use a dynamic DNS service, you can specify a domain name instead of an IP address to allow access to users who do not have a static IP address. You can also specify reverse DNS names. If you create a rule based on a domain name or reverse DNS, Serv-U File Server performs either a reverse DNS lookup or DNS resolution to apply these rules. This can cause a slight delay during login, depending on the speed of the DNS server of the system.

Rule use during connection

The level at which you specify an IP access rule also defines how far a connection is allowed before it is rejected. Server and domain level IP access rules are applied before the welcome message is sent. Domain level IP access rules are also applied when responding to the HOST command to connect to a virtual domain. Group and user level IP access rules are applied in response to a USER command when the client identifies itself to the server.

Anti-hammering

Specific IP addresses in Allow rules are not blocked by anti-hammering. These IP addresses are white-listed.

Addresses matched by a wildcard or a range are subject to anti-hammering prevention.

You can set up an anti-hammering policy that blocks clients who connect and fail to authenticate more than a specified number of times within a specified period of time. Anti-hammering policies are set up server-wide in Limits and Settings > Settings.

IP addresses blocked by anti-hammering rules appear in the domain IP access rules with a value in the Expires in column. If you have multiple domains with different listeners, blocked IP addresses appear in the domain that contains the listener. Blocked IP addresses do not appear in the server IP access list, even if anti-hammering is configured at the server level.