Adding Blacklist or Whitelist Items to Block or Allow Traffic
After protection is enabled, CFW allows all traffic by default. You can configure the blacklist to block access requests from IP addresses or configure the whitelist to allow them.
This topic describes how to add a single blacklist or whitelist item. For details about how to add items in batches, see Importing and Exporting Protection Policies.
- For details about back-to-source IP addresses, see What Are Back-to-Source IP Addresses?.
- For details about how to configure protection rules, see Adding Protection Rules to Block or Allow Traffic.
Specification Limitations
- CFW supports up to 2,000 blacklist items and 2,000 whitelist items. If there are too many IP addresses to be specified, you can put them in an IP address group and select the IP address group when configuring protection rules.
- For details about how to add an IP address group, see Adding User-defined IP Addresses and Address Groups.
- For details about how to add a protection rule, see Adding Protection Rules to Block or Allow Traffic.
- To protect private IP addresses, use the professional edition firewall and enable VPC border firewall protection.
Impact on the System
- CFW directly allows whitelisted IP addresses and segments and blocks blacklisted ones without checking. To check the access and traffic statistics of these IP addresses, search for them by following the instructions in Querying Logs.
- When configuring a blacklist, if address translation or proxy is involved, evaluate the impact of blocking IP addresses with caution.
Adding Blacklist or Whitelist Items to Block or Allow Traffic
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - In the navigation pane on the left, click
and choose . The Dashboard page will be displayed. - (Optional) Switch to another firewall instance: Select a firewall from the drop-down list in the upper left corner of the page.
- In the navigation pane, choose . Click the tab of a protected object, and then click the Blacklist or Whitelist tab.
- Click Add. Set the address direction, IP address, protocol type, and port number. For details, see Table 1.
Table 1 Blacklist and whitelist parameters Parameter
Description
Direction
You can select Source or Destination.
- Source: the party that originates a session.
- Destination: the recipient of a session.
Protocol Type
Its value can be TCP, UDP, ICMP, or Any.
Port
If Protocol Type is set to TCP or UDP, set the ports to be allowed or blocked.
NOTE:- To specify all the ports of an IP address, set Port to 1-65535.
- You can specify a single port. For example, to allow or block the access from port 22 of an IP address, set Port to 22.
- To set a port range, use a hyphen (-) between the starting and ending ports. For example, to allow or block the access from ports 80-443 of an IP address, set Port to 80-443.
Description
Description of the blacklist or whitelist
IP Addresses
- User-defined IP address: Enter one or more IP addresses in the text box and click Parse to add the IP addresses to the list.
- Pre-defined address group: Click Add Pre-defined IP Address Group. In the dialog box that is displayed, select an address group. For more information, see Viewing a Predefined Address Group.
CAUTION:
After WAF_Back-to-Source_IP_Addresses is added to the blacklist or whitelist, if a back-to-source IP address changes, you need to manually update it in the blacklist or whitelist.
- Click OK.
Related Operations
- For details about how to edit and remove blacklist or whitelist items, see Managing the Blacklist and the Whitelist.
- For details about how to add blacklist or whitelist items in batches, see Importing and Exporting Protection Policies.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
