Definition

Lines in the ACL file (access control list) must have the following syntax:

<permit | deny> <IP address[/mask]> [trace level] [# comment]

Where,

• permit = permits a connection, and deny = denies a connection.
• <IP address>. The IP address must be an IPv4 or IPv6 address in the following form:

  IPv4: 4 byte, decimal, '.' separated: e.g. 10.11.12.13

  IPv6: 16 byte, hexadecimal, ':' separated. '::' is supported

• <mask> If a mask is specified, it must be a subnetwork prefix mask:

  IPv4: 0-32

  IPv6: 0-128

• <trace level>. Trace level, with which ACL hits (matches of addresses based on the subnetwork mask) are written to the relevant trace file (default value 2).
• <# comment> Comment lines begin with a hash sign "#".
• The file can contain blank lines.
• As the last rule a general ban is inserted automatically.

To make it obvious, an explicit "deny" should be entered anyway as the last rule. The rules are checked sequentially from the top down. The first relevant rule determines the result ("first match").

Example of a file

permit 10.1.2.0/24 # permit client network
permit 192.168.7.0/24 # permit server network
permit 10.0.0.0/8 1 # screening rule
# (learning mode, trace level 1)
permit 2001:db8::1428:57ab # permit IPv6 host
deny 0.0.0.0/0 # deny the rest