Help Center> Cloud Firewall> User Guide> Managing ACL Rules> Managing the Blacklist and the Whitelist> Adding an Item to the Blacklist or Whitelist
Updated on 2024-01-12 GMT+08:00
View PDF

Adding an Item to the Blacklist or Whitelist

After EIP protection is enabled, all access is allowed by default. You can configure blacklist or whitelist rules to block or allow access requests from specific IP addresses.

If your IP address is a back-to-source WAF IP address, you are advised to configure a protection rule or the whitelist to allow its access. Exercise caution when configuring the blacklist, which may affect your services.

Specification Limitations

The CFW blacklist and whitelist each allows up to 2000 items. If there are too many IP addresses to be specified, you can put them in an IP address group dedicated to the blacklist or whitelist. For more information, see Adding Custom IP Address Groups.

Impact on the System

CFW directly allows whitelisted IP addresses and segments and blocks blacklisted ones without checking. To check the access and traffic statistics of these IP addresses, search for them by following the instructions in Querying Logs.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed, as shown in Figure 1.

    Figure 1 CFW Dashboard

  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column to go to the details page.
  5. In the navigation pane, choose Access Control > Access Policies. Click the Blacklist or Whitelist tab.
  6. Click Add. Set the address direction, IP address, protocol type, and port number. For details, see Table 1.

    Table 1 Blacklist and whitelist parameters

    Parameter

    Description

    Direction

    You can select Source or Destination.

    • Source: The IP address or IP address group that sends data packets.
    • Destination: The destination IP address or IP address group that receives data packets.

    IP Address

    You can configure a single IP address, consecutive IP addresses, or an IP address segment.

    Protocol Type

    Its value can be TCP, UDP, ICMP, or Any.

    Port

    If Protocol Type is set to TCP or UDP, set the ports to be allowed or blocked.

    NOTE:
    • To specify all the ports of an IP address, set Port to 1-65535.
    • You can specify a single port. For example, to allow or block the access from port 22 of an IP address, set Port to 22.
    • To set a port range, use a hyphen (-) between the starting and ending ports. For example, to allow or block the access from ports 80-443 of an IP address, set Port to 80-443.

    Description

    Description of the blacklist or whitelist

  7. Click OK.