APC NBRK0570 User Manual

NetBotz Appliance User’s Guide
posted to a monitoring StruxureWare Data Center Expert server.
Configuring IP filters
The IP filter has four behaviors when dealing with incoming network packets:
•  If there are no filter entries, all packets are accepted by the appliance.
•  If there are filter entries, those filter entries are evaluated in order from first to last as they appear in the entry list.
•  If a filter matches the corresponding packet data, the network packet is either accepted or rejected by the appliance based on that rule.
•  If no filter is matched, the network packet is accepted. If this is not the desired behavior, a "catch-all" filter must be placed at the end of the list, which will block all undesired IP addresses.
As soon as the IP Filter finds a filter that applies to the network packet, it stops evaluating filters and applies the behavior (accept or reject) specified by the current filter entry. Therefore, a rule rejecting all IP addresses must be placed at the end of the list.
Since rules are applied from top to bottom, any rules listed after the all-IP filter are ignored. For example, you cannot deny access to all IP addresses, then open up exceptions later in the list. Only the first rule that applies to the IP address is resolved.
WARNING: If you are overly restrictive when setting up your IP filters, it is possible to lock out all web access to the appliance! Exercise caution when setting up your IP filters.
Using CIDR bit-masks
An IP address can contain the CIDR bit-mask syntax for address segments that are specified as "0", for 
example:
192.168.0.0/16 means all segments and nodes on 192.168.
192.168.0.0/24 means all nodes on 192.168.0.
192.168.0.0/32 means the specific node at 192.168.0.0, and is the same as not specifying a CIDR bit-mask.
Note: To specify all IP addresses, use the syntax "Exclude 0.0.0.0/32".
Warning: Setting the action to "Exclude" can lock out access to the appliance through the Web Client and Advanced View.
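The first-match evaluation described under "Configuring IP filters" can be checked offline before a rule list is entered on the appliance. The following is an added example, not code from the manual or the appliance: the rule lists and the function names `evaluate` and `audit` are hypothetical, and it assumes standard CIDR semantics from Python's `ipaddress` module, where the match-everything network is written 0.0.0.0/0 (on the appliance, enter the catch-all with the syntax given in the Note above).

```python
import ipaddress

# Constructed rule lists; standard CIDR is assumed, so 0.0.0.0/0 matches every address.
MISSING_CATCH_ALL = [("accept", "192.168.0.0/24")]
ALLOWLIST = [("accept", "192.168.0.0/24"), ("reject", "0.0.0.0/0")]
REJECT_FIRST = [("reject", "0.0.0.0/0"), ("accept", "192.168.0.0/24")]


def evaluate(rules, source_ip):
    """Return (action, index) for the first matching rule, as the page describes."""
    if not rules:
        return "accept", None            # no filter entries: everything is accepted
    addr = ipaddress.ip_address(source_ip)
    for index, (action, cidr) in enumerate(rules):
        if addr in ipaddress.ip_network(cidr):
            return action, index         # evaluation stops at the first match
    return "accept", None                # no filter matched: packet is accepted


def audit(rules):
    """Flag the two ordering mistakes the page warns about."""
    findings = []
    nets = [ipaddress.ip_network(cidr) for _, cidr in rules]
    for i, net in enumerate(nets):
        # A rule is never reached if an earlier rule already covers its whole range.
        for j in range(i):
            if net.subnet_of(nets[j]):
                findings.append(f"rule {i} ({rules[i][0]} {net}) is shadowed by rule {j}")
                break
    if rules and not (rules[-1][0] == "reject" and nets[-1].prefixlen == 0):
        findings.append("last rule is not a reject-all catch-all")
    return findings


if __name__ == "__main__":
    for name, rules in [("missing catch-all", MISSING_CATCH_ALL),
                        ("allowlist", ALLOWLIST), ("reject first", REJECT_FIRST)]:
        print(name)
        for ip in ("192.168.0.10", "203.0.113.7"):
            print("  ", ip, evaluate(rules, ip))
        for finding in audit(rules):
            print("   !", finding)
```

Running the audit against a planned list, and evaluating your own management station's address against it, shows before deployment whether the list would lock you out or leave unmatched addresses accepted.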