Blacklist & Whitelist

Blacklist

IPs and CIDRs on the blacklist are always blocked, regardless of any open port rules or protection modules.

Traffic from blacklisted addresses is dropped immediately before reaching any port rule, whitelist entry, or protection chain. Optionally, blocked traffic can be logged with the prefix easywall blacklist: (see Configuration).

Supported formats:

192.168.1.100          # single IPv4 address
10.0.0.0/8             # IPv4 CIDR range
2001:db8::/32          # IPv6 CIDR range

When to Use the Blacklist

  • Block a specific IP address that is scanning or attacking your server
  • Block entire country-level or ISP-level ranges you never expect traffic from
  • Block Tor exit nodes or known botnet CIDRs
  • Block IPs that repeatedly fail authentication

Tip

For broad blocking (e.g., entire countries), use the largest CIDR that covers the range. A single /16 entry is more efficient than 256 individual /24 entries.


Whitelist

IPs and CIDRs on the whitelist are always allowed, bypassing all port rules, the blacklist, and all protection modules.

Use this for trusted management addresses to ensure you are never locked out, even if you accidentally close the SSH port or trigger a rate-limit rule.

Supported formats (same as blacklist):

203.0.113.42           # your static public IP
10.0.0.0/24            # your internal management network
2001:db8::1            # IPv6 management address

When to Use the Whitelist

  • Your own static public IP address for administration
  • Office or VPN subnet for team access
  • Monitoring system IP (Nagios, Zabbix, Datadog agent)
  • Internal network ranges that need unrestricted access

Warning

Whitelisted IPs bypass all firewall rules — including the blacklist, SSH brute-force protection, and connection limits. Only add addresses you fully trust and control.


Rule Ordering

easywall evaluates rules in a fixed order. Understanding this order helps predict behaviour when multiple rules could match a packet:

1. Loopback (lo) — always ACCEPT
2. RELATED / ESTABLISHED — always ACCEPT
3. ICMP (v4 + v6 base types) — always ACCEPT
4. Optional protection chains (SYN flood, port scan, …)
5. Docker bridge networks (if Docker mode enabled)
6. Blacklist — DROP matching source IPs
7. Whitelist — ACCEPT matching source IPs
8. Open ports (TCP / UDP rules)
9. Final log rule (if log_blocked_connections = true)
10. Default DROP (everything else)

A packet blocked at step 6 (blacklist) never reaches the open port rules at step 8 — even if the destination port is in the port list.

A packet matching the whitelist at step 7 is accepted immediately and skips the port rules entirely. This means a whitelisted IP can reach any port, including closed ones.
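The following Python is an added example, not easywall's own code: it walks a packet through the ten steps listed above and reports the verdict together with the step that decided it. The packet dict, the sample blacklist and whitelist entries and the open-port sets are constructed for the example; steps 4 and 5 are treated as pass-through because they depend on which protection modules and Docker mode are enabled. Note that in the listed order the blacklist DROP (step 6) sits before the whitelist ACCEPT (step 7), so an address that appears in both lists is dropped at step 6 in this model; if you rely on the whitelist overriding the blacklist, confirm the generated rule order on the host (for example with iptables -S) rather than assuming it.

```python
"""Simulation of the documented easywall rule evaluation order.

Added example, not easywall code. Entries use the formats the page lists
(single address or CIDR, IPv4 or IPv6), optionally with an inline '# comment'.
"""
import ipaddress
from typing import Iterable, List, Tuple


def parse_entries(entries: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Turn list lines into network objects; a bare address becomes /32 or /128."""
    nets = []
    for line in entries:
        text = line.split("#", 1)[0].strip()   # drop inline comments and blanks
        if text:
            nets.append(ipaddress.ip_network(text, strict=False))
    return nets


def _matches(addr: str, nets) -> bool:
    """True if addr falls inside any network of the same IP family."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in nets)


def evaluate(packet: dict, blacklist, whitelist, open_tcp, open_udp,
             log_blocked: bool = True) -> Tuple[str, int]:
    """Return (verdict, step) for one packet, following the documented order 1..10.

    packet keys (constructed for this example): src, dst_port, proto
    ("tcp"/"udp"/"icmp"), iface, established (bool).
    """
    bl = parse_entries(blacklist)
    wl = parse_entries(whitelist)
    if packet.get("iface") == "lo":                 # 1. loopback
        return "ACCEPT", 1
    if packet.get("established"):                   # 2. RELATED/ESTABLISHED
        return "ACCEPT", 2
    if packet.get("proto") == "icmp":               # 3. ICMP base types
        return "ACCEPT", 3
    # 4. protection chains and 5. Docker bridges: pass-through in this model
    if _matches(packet["src"], bl):                 # 6. blacklist wins first
        return "DROP", 6
    if _matches(packet["src"], wl):                 # 7. whitelist skips port rules
        return "ACCEPT", 7
    if packet.get("proto") == "tcp" and packet.get("dst_port") in open_tcp:
        return "ACCEPT", 8                          # 8. open ports
    if packet.get("proto") == "udp" and packet.get("dst_port") in open_udp:
        return "ACCEPT", 8
    if log_blocked:                                 # 9. log only; packet continues
        print(f"blocked (constructed log line): src={packet['src']} "
              f"dport={packet.get('dst_port')}")
    return "DROP", 10                               # 10. default policy


# Constructed sample configuration. 10.0.0.0/24 and 2001:db8::1 are inside
# blacklisted ranges, which shows what the listed order does with overlaps.
BLACKLIST = ["192.168.1.100   # single IPv4 address", "10.0.0.0/8", "2001:db8::/32"]
WHITELIST = ["203.0.113.42   # static public IP", "10.0.0.0/24", "2001:db8::1"]
OPEN_TCP = {22, 443}
OPEN_UDP = {53}

if __name__ == "__main__":
    for pkt in ({"src": "192.168.1.100", "dst_port": 22, "proto": "tcp"},
                {"src": "203.0.113.42", "dst_port": 8080, "proto": "tcp"},
                {"src": "10.0.0.5", "dst_port": 22, "proto": "tcp"},
                {"src": "198.51.100.7", "dst_port": 8080, "proto": "tcp"}):
        print(pkt["src"], "->", evaluate(pkt, BLACKLIST, WHITELIST, OPEN_TCP, OPEN_UDP))
```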


Applying Changes

All blacklist and whitelist changes are staged. They do not affect the running firewall until you visit Apply and confirm the changes within the acceptance window. If you do not confirm, the old rules are automatically restored.


Troubleshooting

My IP is still being blocked after removing it from the blacklist

Staged changes are not active yet — go to Apply and confirm.

I accidentally whitelisted a range that is too broad

Remove the entry, save, then Apply with the two-step confirmation. If you locked yourself out before applying, the auto-rollback will restore the previous rules after the acceptance timeout.

I cannot find the right CIDR for a range

Use an online CIDR calculator, or check the BGP prefix for the IP with a tool like:

whois 198.51.100.42 | grep route
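As an added example that is not part of easywall, the following Python uses the standard library to do the CIDR work discussed in the Tip about broad blocking and in this troubleshooting item: summarise a first-to-last address range into CIDR blocks, collapse many small entries into the largest covering prefix (256 x /24 into one /16), pull the route: and route6: prefixes out of whois output, and flag entries whose prefix is broader than a threshold before they are saved to a whitelist. The whois text and all addresses are constructed sample data; the prefix-length thresholds are assumptions to tune for your own network.

```python
"""CIDR helpers for building blacklist/whitelist entries (added example, not easywall code)."""
import ipaddress
import re
from typing import Iterable, List


def _clean(entry: str) -> str:
    """Strip an inline '# comment' and surrounding whitespace from a list line."""
    return entry.split("#", 1)[0].strip()


def cidrs_for_range(first: str, last: str) -> List[str]:
    """Smallest set of CIDR blocks covering first..last inclusive (what a CIDR calculator does)."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def collapse_entries(entries: Iterable[str]) -> List[str]:
    """Merge adjacent or overlapping entries into the largest covering CIDRs.

    IPv4 and IPv6 are collapsed separately because ipaddress does not mix families.
    """
    nets = [ipaddress.ip_network(_clean(e), strict=False) for e in entries if _clean(e)]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return [str(n) for n in v4] + [str(n) for n in v6]


_ROUTE_LINE = re.compile(r"^\s*route6?:\s*(\S+)", re.MULTILINE)


def routes_from_whois(text: str) -> List[str]:
    """Extract route:/route6: prefixes from whois output (the same thing 'grep route' shows)."""
    return _ROUTE_LINE.findall(text)


def too_broad(entries: Iterable[str], min_prefix_v4: int = 16, min_prefix_v6: int = 32) -> List[str]:
    """Entries whose prefix is shorter than the threshold (assumed defaults: /16 and /32).

    A sanity check before saving a whitelist: a mistyped /8 grants unrestricted
    access to about 16 million hosts.
    """
    flagged = []
    for e in entries:
        n = ipaddress.ip_network(_clean(e), strict=False)
        limit = min_prefix_v4 if n.version == 4 else min_prefix_v6
        if n.prefixlen < limit:
            flagged.append(str(n))
    return flagged


# Constructed whois excerpt, modelled on the route objects a RIR database returns.
SAMPLE_WHOIS = """\
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-NET
route:          198.51.100.0/24
origin:         AS64496
route6:         2001:db8::/32
"""

if __name__ == "__main__":
    print(cidrs_for_range("10.0.0.0", "10.0.1.127"))
    print(collapse_entries(f"10.0.{i}.0/24" for i in range(256)))
    print(routes_from_whois(SAMPLE_WHOIS))
    print(too_broad(["10.0.0.0/24", "10.0.0.0/8", "::/0"]))
```

collapse_entries is the check to run on a long list before pasting it in: if it returns far fewer lines than you started with, the list contained redundant or adjacent prefixes that one larger entry covers.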