CETAN Documentation
This documentation covers the CETAN Web Application Server, logging, TLS, authentication, IP filtering, Safe secrets, Safe utilities, development environment setup, and building C++ REST web services using the CETAN REST API.
IPFilter
The CETAN Web Application Server includes a built‑in IP filtering system that allows you to
control access based on client IP addresses or ranges. IPFilter operates in either blacklist or
whitelist mode and is configured using a dedicated file referenced from
cetan_config.xml.
Enabling IPFilter
To enable IP filtering, add the <ip_filter> directive to your server
configuration:
<ip_filter>blacklist.conf</ip_filter>
You may choose any filename. The file must be placed in the
CETAN_SERVER/security directory.
Configuration file structure
The IPFilter configuration file defines the filter mode and the list of IP addresses or ranges to allow or block.
Example configuration file:
mode = 1; # blacklist mode (required)
1.2.3.4 = 1; # drop a single IP
4.5.6.7 - 4.5.6.254 = 1; # drop a range of IPs
If mode is not defined, CETAN defaults to blacklist mode.
Modes
- mode = 1 (Blacklist): Clients matching listed IPs or ranges are blocked. All others are allowed.
- mode = 2 (Whitelist): Only listed IPs or ranges are allowed. All others are blocked.
IP entries and action codes
Each entry in the configuration file maps an IP address or range to an action code:
1.2.3.4 = 1;
- 1 = drop — deny access for the specified IP or range
- 2 = allow — permit access for the specified IP or range
Supported formats:
- Single IP address:
  203.0.113.5 = 1;
- IP range:
  10.0.0.1 - 10.0.0.254 = 1;
Example configurations
Blacklist mode
mode = 1;
203.0.113.5 = 1;
198.51.100.0 - 198.51.100.255 = 1;
Whitelist mode
mode = 2;
192.168.1.10 = 2;
10.0.0.0 - 10.0.0.255 = 2;
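An added example, not part of the CETAN documentation or code base: a Python pre-deployment lint that parses the entry syntax shown above, warns about malformed lines, reversed ranges and a missing mode, and then applies the mode rules to a test address. Assumptions: IPv4 only, `#` starts a comment, and entries whose action code differs from the mode are skipped because this page does not say how CETAN treats them; `parse_ipfilter`, `is_allowed` and `SAMPLE` are hypothetical names.

```python
import ipaddress
import re

ENTRY = re.compile(r"([^=]+?)\s*=\s*(\d+)\s*;")
# Constructed sample input, not a real deployment's file.
SAMPLE = """mode = 2;             # whitelist
10.0.0.0 - 10.0.0.255 = 2;
203.0.113.5 = 1;                  # drop code inside a whitelist
10.0.9.9 - 10.0.1.1 = 2;          # reversed range
"""

def parse_ipfilter(text):
    """Return (mode, rules, warnings); rules are (first, last, action) tuples."""
    mode, rules, warnings = None, [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment
        m = ENTRY.fullmatch(line)
        if not m:
            if line:
                warnings.append(f"line {n}: expected 'key = value;'")
            continue
        key, value = m.group(1).strip(), int(m.group(2))
        if value not in (1, 2):
            warnings.append(f"line {n}: unknown code {value}")
        elif key == "mode":
            mode = value
        else:
            lo, _, hi = (p.strip() for p in key.partition("-"))
            try:
                first = ipaddress.IPv4Address(lo)
                last = ipaddress.IPv4Address(hi) if hi else first
                if first > last:
                    raise ValueError("reversed range")
                rules.append((first, last, value))
            except ValueError as exc:
                warnings.append(f"line {n}: {exc}")
    if mode is None:
        mode = 1  # documented default: blacklist
        warnings.append("mode not set; server defaults to blacklist")
    # Assumption: mixed action codes are undocumented, so they are not evaluated.
    kept = [r for r in rules if r[2] == mode]
    if len(kept) != len(rules):
        warnings.append(f"{len(rules) - len(kept)} entries differ from mode {mode}; skipped")
    return mode, kept, warnings

def is_allowed(ip, mode, rules):
    """Blacklist blocks listed clients; whitelist allows only listed clients."""
    addr = ipaddress.IPv4Address(ip)
    listed = any(first <= addr <= last for first, last, _ in rules)
    return listed if mode == 2 else not listed
```

Running the lint on a whitelist file before the restart helps catch an empty or fully rejected rule set, which would leave no client address allowed.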
Restart required
After modifying the IPFilter configuration file or updating the
<ip_filter> directive, restart the CETAN server for changes to take effect.
IPFilter is evaluated early in the request pipeline. Clients blocked by IPFilter cannot reach authentication or application handlers.