#export policies

sand reef
I've got a one-off use case where I need to deny an entire subnet range of our organization from accessing a vserver.

The downside is that I was given about twenty other ranges that the clients could connect from.

Is there a way that I can easily, for example, allow 10.0.0.0/16 but deny or just "not allow" rw/ro privileges from 10.10.10.0/24?

paper finch
Export-policy rules are processed top to bottom, first match wins. So this should work:
export-policy rule create -ruleindex 1 -rorule never -rwrule never -superuser none -clientmatch 10.10.10.0/24

export-policy rule create -ruleindex 2 -rorule any -rwrule any -superuser any -clientmatch 10.0.0.0/16
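
A small Python model of the first-match-wins ordering described in the answer above, added here as an illustration (it is not from the original posts and is not ONTAP code). It also flags a rule that can never match because an earlier, broader rule already covers its range, which is worth checking when around twenty ranges are in play. The function names and the 10.0.10.0/24 range are constructed, and only IPv4 CIDR clientmatch values are modelled.

```python
import ipaddress

# Rules as (ruleindex, clientmatch, rorule, rwrule).
# PAGE_RULES mirrors the two commands in the answer above.
PAGE_RULES = [
    (1, "10.10.10.0/24", "never", "never"),
    (2, "10.0.0.0/16", "any", "any"),
]
# Constructed case: a deny range that really sits inside the broad allow,
# but is indexed AFTER it. (10.10.10.0/24 itself lies outside 10.0.0.0/16.)
NESTED_WRONG_ORDER = [
    (1, "10.0.0.0/16", "any", "any"),
    (2, "10.0.10.0/24", "never", "never"),
]

def evaluate(rules, client_ip):
    """Return (ruleindex, rorule, rwrule) of the first rule, in ascending
    ruleindex order, whose clientmatch contains client_ip.
    None means no rule matched; this model treats that as no access
    (assumption of the model)."""
    ip = ipaddress.ip_address(client_ip)
    for index, match, ro, rw in sorted(rules):
        if ip in ipaddress.ip_network(match):
            return (index, ro, rw)
    return None

def shadowed(rules):
    """Return (later_index, earlier_index) pairs where the later rule's
    range is entirely inside an earlier rule's range, so under
    first-match-wins the later rule is never reached."""
    findings = []
    ordered = sorted(rules)
    for pos, (index, match, _, _) in enumerate(ordered):
        net = ipaddress.ip_network(match)
        for earlier_index, earlier_match, _, _ in ordered[:pos]:
            if net.subnet_of(ipaddress.ip_network(earlier_match)):
                findings.append((index, earlier_index))
                break
    return findings

if __name__ == "__main__":
    for ip in ("10.10.10.5", "10.0.3.4", "192.168.1.1"):
        print(ip, "->", evaluate(PAGE_RULES, ip))
    print("wrong order, 10.0.10.7 ->", evaluate(NESTED_WRONG_ORDER, "10.0.10.7"))
    print("shadowed rules:", shadowed(NESTED_WRONG_ORDER))
```
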