IO.Ethernet.IPFilter


String list of comma-separated IPv4 or IPv6 addresses, which defines from which addresses a Driver accepts or blocks connections. Users can use asterisks, such as "192.168.*.*", or intervals, such as "192.168.0.41-50", in any part of an IP address. To block an IP address or a range of IP addresses, use the tilde ("~") character at the beginning of the address. Examples:

192.168.0.24: Accepts only connections from IPv4 address 192.168.0.24

192.168.0.41-50: Accepts connections from IPv4 addresses from 192.168.0.41 to 192.168.0.50

192.168.0.*: Accepts connections from IPv4 addresses from 192.168.0.0 to 192.168.0.255

fe80:3bf:877::*:* (expands to fe80:03bf:0877:0000:0000:0000:*:*): Accepts connections from IPv6 addresses from fe80:03bf:0877:0000:0000:0000:0000:0000 to fe80:03bf:0877:0000:0000:0000:ffff:ffff

192.168.0.10, 192.168.0.15, 192.168.0.20: Accepts connections from IPv4 addresses 192.168.0.10, 192.168.0.15, and 192.168.0.20

~192.168.0.95, 192.168.0.*: Accepts connections from IPv4 addresses from 192.168.0.0 to 192.168.0.255, except the IPv4 address 192.168.0.95

 

When a Driver receives a connection attempt, the list of filters is scanned sequentially from left to right, searching for a specific authorization or block for the IP address the connection comes from. If no element on the list corresponds to the IP address, the authorization or block is dictated by the last element of that list:

If the last element on the list is an authorization, such as "192.168.0.24", then all IP addresses not found on the list are blocked

If the last element on the list is a block, such as "~192.168.0.24", then all IP addresses not found on the list are authorized

 

If an IP address appears on more than one filter on the list, the leftmost filter has precedence. For example, in case of "~192.168.0.95, 192.168.0.*", the IP address 192.168.0.95 fits both rules, but the rule that wins is the leftmost one, "~192.168.0.95", and therefore this IP address is blocked.
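The matching rules above (wildcards, intervals, the "~" block prefix, leftmost precedence and the last-element default), implemented as an added example written for this page; it is not IOKit's own code. The page does not say how an empty filter list behaves, so the example rejecting it is an assumption.

```python
import ipaddress

def _pattern_groups(pattern):
    """Split a filter pattern into segments and return (segments, numeric base).
    IPv6 '::' expands to zero groups, counting wildcard groups as groups."""
    if ':' not in pattern:
        return pattern.split('.'), 10
    if '::' in pattern:
        head, _, tail = pattern.partition('::')
        h = head.split(':') if head else []
        t = tail.split(':') if tail else []
        return h + ['0'] * (8 - len(h) - len(t)) + t, 16
    return pattern.split(':'), 16

def _address_groups(ip):
    """Numeric segments of an address: 4 octets for IPv4, 8 hextets for IPv6."""
    if ip.version == 4:
        return list(ip.packed)
    return [int.from_bytes(ip.packed[i:i + 2], 'big') for i in range(0, 16, 2)]

def _segment_matches(segment, value, base):
    """One segment: '*' wildcard, 'lo-hi' inclusive interval, or an exact number."""
    if segment == '*':
        return True
    if '-' in segment:
        lo, hi = segment.split('-', 1)
        return int(lo, base) <= value <= int(hi, base)
    return int(segment, base) == value

def _matches(pattern, ip):
    """True if every segment of `pattern` matches `ip` (address family must agree)."""
    if (':' in pattern) != (ip.version == 6):
        return False
    segments, base = _pattern_groups(pattern)
    values = _address_groups(ip)
    return len(segments) == len(values) and all(
        _segment_matches(s, v, base) for s, v in zip(segments, values))

def is_connection_accepted(ip_filter, source_ip):
    """Apply an IO.Ethernet.IPFilter string to `source_ip`: scan left to right,
    the first matching element wins ('~' = block); with no match, the type of
    the last element sets the default (authorization -> block, block -> allow)."""
    entries = [e.strip() for e in ip_filter.split(',') if e.strip()]
    if not entries:
        raise ValueError('empty IPFilter list')  # assumption: page does not define this
    ip = ipaddress.ip_address(source_ip)
    for entry in entries:
        blocked = entry.startswith('~')
        if _matches(entry[1:] if blocked else entry, ip):
            return not blocked
    return entries[-1].startswith('~')
```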

When IOKit blocks a connection, it logs a message "Blocked incoming socket connection from {IP}!".

In case of UDP connections in broadcast listen mode, where a Driver can receive packets from different IP addresses, blocks or permissions are performed at each packet received. If a packet is received from a blocked IP address, it logs a message "Blocked incoming packet from {IP} (discarding {N} bytes)!".
