Message Filter -Remote IP

Jessi Patterson · ‎03-28-2024

I am looking at the following example in the admin guide:

The remote-ip rule tests to see if the IP address of the host that sent that message matches a certain pattern.
The IP address can be either Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6). The IP
address pattern is specified using the allowed hosts notation described in “Sender Group Syntax”, except for
the SBO , IPR , dnslist notations and the special keyword ALL .
The allowed hosts notation can only identify sequences and numeric ranges of IP addresses (not hostnames).
For example, the following filter bounces any message not injected from IP addresses of form 10.1.1. x
where X is 50 , 51 , 52 , 53 , 54 , or 55 .
notMineFilter:
if (remote-ip != '10.1.1.50-55')
{
bounce();
}

Does anyone know if it is possible to use an IP in this type of filter that contains CIDR notation? (ie: 123.45.0.0/16)

Ken Stieers · ‎03-28-2024

That says you can use Sender Group Syntax except SBRS/SBO/DNSLIST and ALL...
Sender Group Syntax is here: https://www.cisco.com/c/en/us/td/docs/security/esa/esa15-0/user_guide/b_ESA_Admin_Guide_15-0/b_ESA_Admin_Guide_12_1_chapter_0110.html#con_1095249

And that does allow CIDR, so I'd say yes this rule allows CIDR
Test it, of course...

________________________________

This email is intended solely for the use of the individual to whom it is addressed and may contain information that is privileged, confidential or otherwise exempt from disclosure under applicable law. If the reader of this email is not the intended recipient or the employee or agent responsible for delivering the message to the intended recipient, you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.
If you have received this communication in error, please immediately notify us by telephone and return the original message to us at the listed email address.
Thank You.