Setting Up Access Control Lists (ACL)

Use

You can set up an access control list (ACL) and use it to control which ICM connections are accepted and which are rejected. The decision is based on the IP address of the connecting client. A separate ACL file can be used for each port of the ICM.

Procedure

  1. Create an ACL file for the relevant port using the syntax described below.

  2. In the ICM profile, set the option ACLFILE of the parameter icm/server_port_<xx> to the file path of the ACL file.

Syntax of the ACL File

Lines in the ACL must have the following syntax:

<permit | deny> <ip-address[/mask]> [tracelevel] [# comment]

Where,

  • permit = permits a connection, and deny = denies a connection.

  • <ip-address>: The IP address must be an IPv4 or IPv6 address in one of the following forms:

    • IPv4: 4 bytes, decimal, separated by '.', e.g. 10.11.12.13

    • IPv6: 16 bytes, hexadecimal, separated by ':'. The '::' abbreviation is supported.

  • <mask>: If a mask is specified, it must be a subnetwork prefix length (number of leading bits):

    • IPv4: 0-32

    • IPv6: 0-128

  • <tracelevel>: Trace level at which ACL hits (client addresses that match a rule under its subnetwork mask) are written to the relevant trace file (default value 2).

  • <# comment>: Comment lines begin with a hash sign (#).

  • The file can contain blank lines.

The rules are checked sequentially from the top down; the first matching rule determines the result (“first match”). If no rule matches, the connection is rejected. To make this explicit, enter deny 0.0.0.0/0 as the last rule anyway.
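The following is an added example, not part of the SAP documentation and not ICM code: a small Python evaluator that parses an ACL file in the syntax above and applies the first-match, default-deny semantics to client addresses. The ACL text and the client addresses are constructed for illustration; the keyword is matched case-insensitively here, which is an assumption.

```python
import ipaddress

# Constructed sample ACL (not from the documentation). Order matters because
# the first matching rule wins, so the single-host deny precedes the /24 permit.
ACL_TEXT = """\
# sample ACLFILE for icm/server_port_<xx>
deny   10.11.12.13          # one host that must not connect
permit 10.11.12.0/24 3      # the rest of the subnet, hits traced at level 3
permit 2001:db8::/32        # an IPv6 range
permit 192.168.1.1

deny   0.0.0.0/0            # explicit final deny (IPv4 only)
"""

def parse_acl(text):
    """Parse ACL lines into (action, network, tracelevel) tuples in file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop the comment, then whitespace
        if not line:
            continue                             # blank or comment-only line
        parts = line.split()
        action = parts[0].lower()                # assumption: keyword is case-insensitive
        if action not in ("permit", "deny") or len(parts) < 2:
            raise ValueError(f"line {lineno}: expected <permit|deny> <ip-address[/mask]>")
        # strict=False tolerates host bits set under the mask (e.g. 10.11.12.13/24);
        # an address without a mask becomes a /32 or /128 network.
        network = ipaddress.ip_network(parts[1], strict=False)
        tracelevel = int(parts[2]) if len(parts) > 2 else 2   # default trace level 2
        rules.append((action, network, tracelevel))
    return rules

def check(rules, client_ip):
    """Return (action, index of the deciding rule, tracelevel); first match wins.

    With no matching rule the result is ("deny", None, None): the connection is
    rejected when no rule applies, which is also what the explicit final deny
    makes visible for IPv4 clients.
    """
    addr = ipaddress.ip_address(client_ip)
    for idx, (action, network, tracelevel) in enumerate(rules):
        if addr.version == network.version and addr in network:
            return action, idx, tracelevel
    return "deny", None, None

if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    for ip in ("10.11.12.13", "10.11.12.200", "2001:db8::1", "fe80::1"):
        print(ip, "->", check(rules, ip))
```

Note that deny 0.0.0.0/0 covers only IPv4 clients; an IPv6 client with no matching rule is still rejected, but by the implicit default rather than by a rule that shows up as an ACL hit.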