The Teradata Vantage gateway processes the primary filter element first and defines the rule the filter uses to evaluate incoming IP addresses. The primary element specifies a range of IP addresses.
- In a restrictive filter, the allow element is the primary. Suppose the allow element allows the following range of IP addresses:
<allow ip=”192.0.2.0/
Note that the allow element contains a zero for the last segment rather than specifying each allowed address within the subnet.
If you specify this value for the element, it indicates that the filter allows any IP address in the 192.0.0.0 subnet, possibly a department within a large company.
- A user attempts to access the database from the incoming IP address:
192.0.2.10
- The allow element includes the following mask, which it uses to test an incoming IP:
255.255.255.0”/>
The allow element mask has a zero in the fourth segment, so it tests only the first three segments of any incoming IP address. Since the first three segments of the mask have values of 255, the corresponding segments of the allow element and incoming IP address must match exactly to allow the logon. The first three segments match, the logon succeeds.
The allow element achieves the same restriction capability if you express the mask as 24.
Filtering is not complete at this point if the filter also contains a deny element, which the gateway must also consider.