Allow external access to webserver from set IP(s) only

Hi all. So just at the very beginning of my journey with UTM and learning more by the minute. However, I'm a bit stumped when it comes to webserver access.

I've set up my real and virtual webservers. All work fine except I want to limit access to them from a set of IP's only. I've tried adding in firewall rules to block https etc but these rules seem to be ignored by webservers. I'm obviously missing something glaringly obvious so if someone could point me in the right direction I'd be most obliged. Many thanks.

  • Yes, you can restrict by user, by IP address, or both.

    To restrict by source IP

    Site Path Routing...  Edit one of the paths... 

    Check the box for "Access Control".   Two list boxes will appear, one for Allowed Networks and one for Denied Networks.   Define your Allowed Networks and click [Save]

    This allows you to have different restrictions for different parts of the website, but it also means that you need to configure each applicable Site Path Route.

    To restrict by user

    Define a Reverse Protection rule and apply it to the Site Path Route(s).


    On architecture, you have experienced the normal new-user surprise.  UTM is a series of mutually-exclusive packet filters.   "Firewall Rules" is the packet filter of last resort, which is invoked only when the packet bypasses all of the more sophisticated filtering tools.  UTM is also not directional.   It only knows "inside" and "outside" based on the rules that you create.  The WiKi section has several articles that address information needed by new users, but which is not in the manuals.   Also look for the post titled "Rulz", which has important information, including the hierarchy of events in packet processing.

    UTM takes a different kind of thinking than with other firewalls, but it works after you understand the architecture.


  • In reply to DouglasFoster:

    Thanks so much Douglas. I was actually in the process of replying to my own post saying I should have read the Rulz because that explained the stacking order for filtering of which firewall rules are last after proxies hah!

    I was setting up a DNAT to a blackhole then bypassing that for allowed IPs when you replied which made me grin as I would have taken forever to find that little checkbox on the site path route tab. Thanks again for saving me considerable time and explaining it to me :).