Configuring Network-Based Access Control Lists (ACL)

You can set up an access control list (ACL) and use it to control which connections the SAP gateway accepts and which it does not. They are based on the IP addresses of the clients. The same ACL file is used for the “standard” port and for the “SNC” port of the SAP gateway.

Procedure

Create an ACL file using the syntax described below.
In the instance profile of the SAP gateway instance you set parameter gw/acl_file to the file path of the ACL file.

Caution
If this parameter is not set, the SAP ateway accepts all connection requests.

End of the caution.

Syntax of the ACL file:

Lines in the ACL must have the following syntax:

Syntax Syntax

<permit | deny> <ip-address[/mask]> [tracelevel] [# comment]

End of the code.

Where,

permit = permits a connection, and deny = denies a connection.
<ip address>: The IP address must be an IPv4 or IPv6 address in the following form:
- IPv4: 4 byte, decimal, '.' separated: e.g. 10.11.12.13
- IPv6: 16 byte, hexadecimal, ':' separated. '::' is supported
<mask>: If a mask is specified, it must be a subnetwork prefix mask:
- IPv4: 0-32
- IPv6: 0-128
<trace level>: Trace level, with which ACL hits (matches of addresses based on the subnetwork mask) are written to the relevant trace file (default value 2).
<# comment>: Comment lines begin with a hash sign (#).
The file can contain blank lines.

The rules are checked sequentially from the “top down”. The first relevant rule determines the result (“first match”). If no rule applies, the connection is rejected. To make it obvious, an explicit deny (deny 0.0.0.0/0) should be entered anyway as the last rule.

Example Example

Example of a file
`permit 10.1.2.0/24 # permit client network` `permit 192.168.7.0/24 # permit server network` `permit 10.0.0.0/8 1 # screening rule` `# (learning mode, trace-level 1)` `permit 2001:db8::1428:57ab # permit IPv6 host` `deny 0.0.0.0/0 # deny the rest`

End of the example.