
Use the acl command to restrict users' access to NetMRI to a list of IP addresses or subnets, thereby reducing the likelihood of unauthorized access. By default, the appliance accepts user connections via HTTP (port 80), HTTPS (port 443), SSH (port 22), and SYSLOG (port 514). If an access control list is defined, any or all of these ports can be restricted to a specific list of IP addresses.

Syntax

The following subcommands are supported by the acl command:

  • list lists all ACL entries.
  • flush clears all ACL entries (no access restrictions).
  • accept accepts connections from a given CIDR block.
  • reject rejects connections from a given CIDR block.
  • commit saves the ACL and makes it active.

The accept, delete, and reject commands accept the following arguments:

accept <CIDR> 22|69|80|443|514|ssh|tftp|http|https|syslog|all

reject <CIDR> 22|69|80|443|514|ssh|tftp|http|https|syslog|all

delete <CIDR> 22|69|80|443|514|ssh|tftp|http|https|syslog

where <CIDR> is formatted as A.B.C.D/NN or <IPv6 Address>/<Prefix>.

For example, the following commands:

flush

accept 192.168.12.0/24 all

commit

would allow connections from any host in the specified subnet to any of the access ports supported by NetMRI. If you'd like to exclude specific hosts from a range of addresses, you should use one or more reject commands before the accept command as in the following example:

flush

reject 192.168.12.66/32 all

reject 192.168.12.99/32 all

accept 192.168.12.0/24 all

commit

If at least one ACL entry is defined, all access attempts other than those specifically listed are rejected; if no ACL entries are defined, all access attempts are accepted.
Typing acl ? at the prompt provides a brief list of all options:

rgrace64-212.inca.infoblox.com> acl ?
ACL Commands
------------
? - display this list
commit - save working ACLs and make active
exit - exit ACL mode
flush - clear all working ACL entries
list - list all working ACL entries
reload - clear working entries and reload from disk

The following commands add or remove entries to the ACL to either allow or reject access from given CIDRs. The order of ACL entries is important, with the first matching rule from top to bottom used to determine if a given host can access the system.

accept <CIDR> 22|69|80|443|514|ssh|tftp|http|https|syslog|all
reject <CIDR> 22|69|80|443|514|ssh|tftp|http|https|syslog|all
delete <CIDR> 22|69|80|443|514|ssh|tftp|http|https|syslog

where <CIDR> is formatted as A.B.C.D/NN or <IPv6 Address>/<Prefix>

Use "0.0.0.0/0" CIDR to refer to all IPv4 sources, or "::/0" CIDR for all IPv6 sources. The ACL list must be committed to take effect.
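To make the first-match and commit semantics described above concrete, the following is an added Python model of how the acl command evaluates a connection (example code written for this page, not NetMRI's implementation). It assumes that delete removes only entries with exactly the same CIDR and port, which the page does not spell out.

```python
import ipaddress

# Port keywords from the acl syntax on this page, mapped to port numbers.
PORT_NAMES = {"ssh": 22, "tftp": 69, "http": 80, "https": 443, "syslog": 514}
ALL_PORTS = frozenset(PORT_NAMES.values())


def parse_port(token):
    """'all' -> every supported port; a name or number -> a one-port set."""
    if token == "all":
        return ALL_PORTS
    port = PORT_NAMES.get(token) or int(token)
    if port not in ALL_PORTS:
        raise ValueError(f"unsupported port: {token}")
    return frozenset({port})


class NetMriAcl:
    """Edits go to the working list; only 'commit' copies it to the active list."""

    def __init__(self):
        self.working = []  # entries: (action, ip_network, frozenset of ports)
        self.active = []

    def run(self, line):
        """Apply one acl-mode command line (flush / accept / reject / delete / commit)."""
        tokens = line.split()
        cmd = tokens[0]
        if cmd == "flush":
            self.working = []
        elif cmd == "commit":
            self.active = list(self.working)
        elif cmd in ("accept", "reject"):
            net = ipaddress.ip_network(tokens[1], strict=False)
            self.working.append((cmd, net, parse_port(tokens[2])))
        elif cmd == "delete":  # assumed: drop entries with this exact CIDR and port
            net = ipaddress.ip_network(tokens[1], strict=False)
            ports = parse_port(tokens[2])
            self.working = [e for e in self.working if (e[1], e[2]) != (net, ports)]
        else:
            raise ValueError(f"unknown command: {cmd}")

    def allows(self, src, port):
        """First matching active entry wins; an empty ACL accepts everything,
        a non-empty ACL rejects anything no entry matches."""
        if not self.active:
            return True
        addr = ipaddress.ip_address(src)
        for action, net, ports in self.active:
            # 'in' is False when address family and network family differ.
            if addr in net and port in ports:
                return action == "accept"
        return False
```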
