Allow from only specific IPs

Okay so I have a site I want to only be accessed from two specific IPs and to block every other IP. The issue is I can do that with a single IP, but if I add the second one in a firewall rule as an “or” it still does not allow the second one. This makes no sense to me. What am I doing wrong? This should process this as a single rule is my understanding, not look at them as one then the other?

Is there a way I can do this?

You need an AND instead of an OR here - that should work for you.

To explain further, if you read the rule out aloud you can better understand what is happening, what you have configured is:

If the IP is not 2.2.2.2 OR is not 1.1.1.1 then block

So… if the IP is 2.2.2.2 what happens? Well… it fails the first test:

If the IP is not 2.2.2.2

So all good so far. But then run 2.2.2.2 into the second test:

OR is not 1.1.1.1 then block

Well, 2.2.2.2 is not 1.1.1.1 so you will block it.

This is a common pitfall with “does not equal” logic and an easy mistake to make. Change that OR to an AND and you should get the behaviour you’re looking for.

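The three rule shapes discussed in this thread, evaluated against sample source addresses, as an added example that is not part of the original posts or of any firewall product's own code. The address values and the `/8` range are constructed for illustration; `block_with_allowlist` goes a step beyond the thread by accepting CIDR ranges as well as single IPs.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values: the thread's two allowed IPs plus a range.
ALLOWED = ("1.1.1.1", "2.2.2.2")
ALLOWLIST = ("1.1.1.1", "2.2.2.2", "10.0.0.0/8")  # CIDR entries allowed here


def block_with_or(src: str) -> bool:
    """The rule as the asker wrote it: (src ne A) OR (src ne B) -> block.

    Any address differs from at least one of the two, so this blocks everyone,
    including the two addresses that were meant to be allowed.
    """
    return any(src != allowed for allowed in ALLOWED)


def block_with_and(src: str) -> bool:
    """The fix from the answer: (src ne A) AND (src ne B) -> block.

    Only an address that differs from every allowed entry is blocked.
    """
    return all(src != allowed for allowed in ALLOWED)


def block_with_allowlist(src: str, allowlist=ALLOWLIST) -> bool:
    """The asker's workaround: NOT (src in list) -> block.

    Uses ipaddress so an entry may be a single IP or a CIDR range; this is the
    same logic as the AND form, written as a single membership test.
    """
    addr = ip_address(src)
    return not any(addr in ip_network(entry, strict=False) for entry in allowlist)


def decision_table(samples):
    """Return {src: (or_blocks, and_blocks, allowlist_blocks)} for each sample."""
    return {
        src: (block_with_or(src), block_with_and(src), block_with_allowlist(src))
        for src in samples
    }


if __name__ == "__main__":
    # Constructed sample sources: the two allowed IPs, one inside 10/8, one outsider.
    for src, verdicts in decision_table(["1.1.1.1", "2.2.2.2", "10.1.2.3", "9.9.9.9"]).items():
        print(f"{src:>10}  OR-rule blocks={verdicts[0]}  AND-rule blocks={verdicts[1]}  allowlist blocks={verdicts[2]}")
```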

Thank you so much Simon, yeah the negatives threw me. I also found a workaround just before you posted this response using not in list, and created a whitelist of IPs.

But greatly appreciated pointing that error out!

