Syntax of the ACL File
Lines in the ACL file (access control list) must have the following syntax:
<permit|deny> <ip-address[/mask]> [tracelevel] [# comment]
- permit permits a connection, and deny denies a connection.
- <IP address>. The IP address must be an IPv4 or IPv6 address in the following form:
IPv4: 4 byte, decimal, '.' separated: e.g. 10.11.12.13
IPv6: 16 byte, hexadecimal, ':' separated. '::' is supported
- <mask> If a mask is specified, it must be a subnetwork prefix mask:
- <tracelevel> Trace level with which ACL hits (matches of addresses based on the subnetwork mask) are written to the relevant trace file (default value 2).
- <# comment> Comment lines begin with a hash sign "#".
- The file can contain blank lines.
- As the last rule, a general ban is inserted automatically. To make it obvious, an explicit "deny" should be entered anyway as the last rule.
- The rules are checked sequentially from the top down.
- The first relevant rule determines the result ("first match").
Example of a file
permit 10.1.2.0/24 # permit client network
permit 192.168.7.0/24 # permit server network
permit 10.0.0.0/8 1 # screening rule
# (learning mode, trace level 1)
permit 2001:db8::1428:57ab # permit IPv6 host
deny 0.0.0.0/0 # deny the rest
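As an added example (not the page's or SAP's own code), a small Python parser and first-match evaluator for this ACL syntax, fed the page's example file as constructed input. The default trace level 2 and the implicit final deny come from the text above; the ValueError on malformed lines and the use of the standard ipaddress module are assumptions of this example.

```python
import ipaddress

# Constructed sample input: the example ACL file from the text above.
SAMPLE_ACL = """\
permit 10.1.2.0/24 # permit client network
permit 192.168.7.0/24 # permit server network
permit 10.0.0.0/8 1 # screening rule
# (learning mode, trace level 1)
permit 2001:db8::1428:57ab # permit IPv6 host
deny 0.0.0.0/0 # deny the rest
"""

DEFAULT_TRACELEVEL = 2  # default stated in the text


def parse_acl(text):
    """Return (action, network, tracelevel) tuples in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop "# comment" part
        if not line:
            continue  # blank line or comment-only line
        parts = line.split()
        if len(parts) not in (2, 3) or parts[0] not in ("permit", "deny"):
            # Assumed behaviour: reject lines that do not fit the syntax.
            raise ValueError(f"line {lineno}: malformed rule {raw!r}")
        # Address without "/mask" becomes a single-host network (/32 or /128).
        net = ipaddress.ip_network(parts[1], strict=False)
        level = int(parts[2]) if len(parts) == 3 else DEFAULT_TRACELEVEL
        rules.append((parts[0], net, level))
    return rules


def check(rules, addr):
    """Evaluate top-down; the first matching rule decides ("first match").

    Returns (action, tracelevel). If no rule matches, the implicit final
    deny applies and no rule's trace level is reported (None)."""
    ip = ipaddress.ip_address(addr)
    for action, net, level in rules:
        # An IPv4 rule never matches an IPv6 client and vice versa.
        if ip.version == net.version and ip in net:
            return action, level
    return "deny", None
```

Note that 10.1.2.77 is permitted at trace level 2 by the first rule even though the /8 screening rule with level 1 would also match: ordering decides. An IPv6 client such as 2001:db8::1 is not covered by the IPv4 "deny 0.0.0.0/0" rule in this model and is denied only by the implicit final rule.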