Filter Rules

For each client connection, Enterprise Server scans the rules specified for the endpoint, if there are any, and the rules for the communications process and server, if any. Each of the rules which match the client's IP address, or its fully qualified hostname, if there are any hostname rules, are ranked based on how well the rule matches. A rule with no wildcards and matches is an exact match and overrides any rule containing wildcards. Rules with wildcards are ranked based on how many characters the wildcard replaces; fewer replaced characters means a closer, or more exact match.

For example, if the client's IP address is 192.168.1.100, then for the following rules:

deny:**
This would match with rank 14.
allow:192.168.2.*
This would not match.
allow:192.168.1.*
This would match with rank 4.
Note: Lower rank is a closer match.
deny:192.168.1.100
This would be an exact match, or rank 0.

The result would be that the last rule would be applied to the client and the connection would be denied (blocked).

Note: The rule applied is always selected based on rank. The order of the rules that are specified in the Configuration Information field does not determine rank.

You can configure rules using Enterprise Server Administration Web interface. Specify the rules in the Configuration Information field, in any or all of the following locations:

In the Configuration Information field, add the [Connection rules] section header if it does not already exist, and then type your rules. One rule per line. Comments can be added after a hash "#" and can go to the end of the line. Blank lines are also permitted.

The rule options in the connection rules section:

[Connection rules]
action:source[:options]

where:

action
Can be allow or deny.
source
Specifies which clients the rule applies to, described below.
options
Optional - Currently the only option is log, which causes additional logging when the rule applies to a client connection.

The source has three possible forms, which can include the wildcards "*" and "**". The "*" wildcard matches zero or more characters but not the "." character; the "**" wildcard matches anything, including ".". The source forms are:

Note: Micro Focus recommends you do not create rules using DNS names. Such rules are processed using a reverse DNS (PTR record) query, and reverse DNS can be unreliable, insecure, and slow.

Mixing IPv4-address rules and CIDR-network rules may produce unexpected results. Network rules are matched against the binary representation of the IPv4 address, while address rules are matched against the decimal representation. So a network rule such as 192.168/16 is outranked by the address rule 192.**, even though the network rule is technically more specific. Try to avoid ambiguous sets of rules that mix these two forms.