Adding Blacklist or Whitelist Items to Block or Allow Traffic

After protection is enabled, CFW allows all traffic by default. You can configure the blacklist to block access requests from IP addresses or configure the whitelist to allow them. This section describes how to add a blacklist or whitelist item.

Adding Blacklist or Whitelist Items to Block or Allow Internet Border Traffic
Adding Blacklist or Whitelist Items to Block or Allow VPC Border Traffic

Blacklist and Whitelist Policy Description

The protected objects, actions, and application scenarios of blacklist and whitelist policies are as follows.

Name	Description
Protected object	5-tuples IP address groups
Network type	EIP Private IP address
Action	Blacklist: The traffic is directly blocked. Whitelist: Traffic is allowed by CFW and not checked by other functions.
Scenario	Blacklist: Block known malicious traffic. Whitelist: Allow trusted IP address traffic. CAUTION: If your IP address is a back-to-source WAF IP address, you are advised to configure a protection rule or the whitelist to allow its access. Exercise caution when configuring the blacklist, which may affect your services. For details about back-to-source IP addresses, see What Are Back-to-Source IP Addresses?. For details about how to configure protection rules, see Configuring Protection Rules to Block or Allow Internet Border Traffic.

Specification Limitations

CFW allows up to 2,000 blacklist items and 2,000 whitelist items.
The blacklist and whitelist are not the only way to control traffic. If you have too many IP addresses to manage, you can also create IP address groups and reference them in protection rules to allow or block their traffic.
- For details about how to add an IP address group, see Adding User-defined Address Groups.
- For details about how to add a protection rule, see Configuring Protection Rules to Block or Allow Internet Border Traffic.
To protect private IP addresses, use the professional edition firewall and enable the VPC border firewall.

Impact on the System

CFW directly allows whitelisted IP addresses and segments and blocks blacklisted ones without checking. To check the access and traffic statistics of these IP addresses, search for them by following the instructions in Querying Logs.
When configuring a blacklist, if address translation or proxy is involved, evaluate the impact of blocking IP addresses with caution.

Log in to the management console.
Click in the upper left corner of the management console and select a region or project.
In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
(Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
In the navigation pane on the left of the CFW console, choose Access Control > Internet Border Protection Rules.
Click the Blacklist or Whitelist tab.

Click Add. Set the address direction, IP address, protocol type, and port number. For details, see Table 1.

**Table 1** Blacklist and whitelist parameters on the Internet border
Parameter	Description
Direction	You can select Source or Destination. Source: the party that originates a session. Destination: the recipient of a session.
Protocol Type	Its value can be TCP, UDP, ICMP, or Any.
Port	If Protocol Type is set to TCP or UDP, set the ports to be allowed or blocked. To specify all the ports of an IP address, set Port to 1-65535. You can specify a single port. For example, to allow or block the access from port 22 of an IP address, set Port to 22. To set a port range, use a hyphen (-) between the starting and ending ports. For example, to allow or block the access from ports 80-443 of an IP address, set Port to 80-443.
IP Addresses	User-defined IP address: Enter one or more IP addresses in the text box and click Parse to add the IP addresses to the list. Pre-defined address group: Click Add Pre-defined IP Address Group. In the dialog box that is displayed, select an address group. For more information, see . CAUTION: After WAF_Back-to-Source_IP_Addresses is added to the blacklist or whitelist, if a back-to-source IP address changes, you need to manually update it in the blacklist or whitelist.
Description	(Optional) remarks of the blacklist or whitelist

Click OK.

Log in to the management console.
Click in the upper left corner of the management console and select a region or project.
In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
(Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
In the navigation pane on the left of the CFW console, choose Access Control > VPC Border Protection Rules.
Click the Blacklist or Whitelist tab.

Click Add. Set the address direction, IP address, protocol type, and port number. For details, see Table 2.

**Table 2** VPC border blacklist/whitelist
Parameter	Description
Direction	You can select Source or Destination. Source: the party that originates a session. Destination: the recipient of a session.
Protocol Type	Its value can be TCP, UDP, ICMP, or Any.
Port	If Protocol Type is set to TCP or UDP, set the ports to be allowed or blocked. To specify all the ports of an IP address, set Port to 1-65535. You can specify a single port. For example, to allow or block the access from port 22 of an IP address, set Port to 22. To set a port range, use a hyphen (-) between the starting and ending ports. For example, to allow or block the access from ports 80-443 of an IP address, set Port to 80-443.
IP Addresses	User-defined IP address: Enter one or more IP addresses in the text box and click Parse to add the IP addresses to the list. Pre-defined address group: Click Add Pre-defined IP Address Group. In the dialog box that is displayed, select an address group. For more information, see . CAUTION: After WAF_Back-to-Source_IP_Addresses is added to the blacklist or whitelist, if a back-to-source IP address changes, you need to manually update it in the blacklist or whitelist.
Description	(Optional) remarks of the blacklist or whitelist

Click OK.

References

For details about how to edit and remove blacklist or whitelist items, see Managing the Blacklist and the Whitelist.
For details about how to add blacklist or whitelist items in batches, see Importing and Exporting Protection Policies.
For details about how to add refined access control configuration, you can configure protection rules. For details, see Configuring an Access Control Policy.
For details about how to block malicious attacks, see Attack Defense.

Parent Topic: Configuring an Access Control Policy

Previous topic: Example 4: Configuring SNAT Protection Rules

Next topic: Viewing Protection Information Using the Policy Assistant