IP filters often contain both an allow and deny elements, although use of both elements is not required. The first element in the filter specifies the range of IP addresses to which the IP filter applies. The second element defines exceptions within that range to which the filter does not apply. The filter type determines which element is the primary and which is the exception.
Consider the differences in function of the allow and deny elements between the restrictive filter in Example: IP Filter, and the following permissive filter:
<allow ip="192.0.2.200/255.255.0.0"/> <deny ip="192.0.2.216/255.255.255.0"/>
The following table compares element function within the two filter environments.
|Restrictive||allow||Allows access to the specified IP address or address range.
The true range depends on both the IP address and the mask.
|deny||Defines an exception to the address range specified in the allow element. This exception denies access to a specified IP address or address range that is a subset of the allowed address range.|
|Permissive||deny||Denies access to the specified IP address or range of addresses.|
|allow||Defines an exception to the address range specified in the deny element. This exception allows access to a specified IP address or address range that is a subset of the denied address or address range.|