16.10 - Example: Permissive Filter - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release Number: 16.10
Release Date: June 2017
Content Type: Administration, Security
Publication ID: B035-1100-161K
Language: English (United States)

<ipfilter name="filter2" type="permissive">
      <deny ip="141.206.35.0/255.255.255.0"/>
      <allow ip="141.206.35.175/255.255.255.255"/>
      <appliesto tagref="samoht"/>
      <appliesto tagref="noside"/>
</ipfilter>

where:

Term Description
ipfilter name="filter2"
The filter name. Uniquely identifies the filter.

type="permissive"
The filter type.

This term identifies whether the filter is permissive or restrictive and indicates the order of IP testing (deny and allow) that it can perform on an incoming IP address.

<deny ip="141.206.35.0/255.255.255.0"/>
The deny element appears first in a permissive filter.

The deny element is divided into two segments, separated by a slash (/):

  • The filter: <deny ip="141.206.35.0/

    Denies access to the database from any IP address within the 141.206.35 subnet, unless the allow element explicitly allows the address. The filter allows access to all IPs not covered in the deny element.

  • The mask: 255.255.255.0"/>

    Determines the extent to which the filter tests an incoming IP address against restrictions defined in the deny element. A mask of 255.255.255.0"/> is equivalent to a mask of 24"/>. It tests the first 24 bits (all but the last decimal segment) of the IP address.

You can use the deny element in a permissive filter to specify a higher network tree level than what you specify in the allow element.

<allow ip="141.206.35.175/255.255.255.255"/>
The allow element must appear after the deny element in a permissive filter.

The allow element is divided into two segments, separated by a slash (/):

  • The filter: <allow ip="141.206.35.175/

    Explicitly allows the 141.206.35.175 IP address access to the database, even though it is within the subnet denied access by the deny element. The filter denies access to any other IP addresses that appear in the deny element.

  • The mask: 255.255.255.255"/>

    Determines the extent to which the filter tests an incoming IP address against restrictions defined in the allow element. A mask of 255.255.255.255 tests all the decimal segments of the IP address for an exact match.

You can use the allow element in a permissive filter to specify a lower level in the network tree than what you use for the deny element, to allow exceptions to the IPs that the filter explicitly denies. If necessary, you can use multiple allow elements to define the exceptions.

appliesto tagref="samoht"
Identifies a user affected by this set of filter rules.

Each appliesto tagref value must correspond to a tag attribute for an individual Teradata Database user listed in a user element of the XML IP restriction document.

appliesto tagref="noside"
Identifies a second user affected by this set of filter rules.
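
The following is an added example, not Teradata code: a Python model of the permissive filter semantics described above, useful for checking a draft filter against test addresses before deploying it. The function names (load_filter, evaluate, coverage_gaps) and the verdict strings are hypothetical, and the evaluation order is taken only from this page's description.

```python
import ipaddress
import xml.etree.ElementTree as ET

# The filter from this page, embedded so the example runs offline.
FILTER_XML = """
<ipfilter name="filter2" type="permissive">
      <deny ip="141.206.35.0/255.255.255.0"/>
      <allow ip="141.206.35.175/255.255.255.255"/>
      <appliesto tagref="samoht"/>
      <appliesto tagref="noside"/>
</ipfilter>
"""

def load_filter(xml_text):
    """Parse one permissive <ipfilter> into networks and user tags."""
    root = ET.fromstring(xml_text)
    if root.get("type") != "permissive":
        raise ValueError("this model covers permissive filters only")
    order = [el.tag for el in root if el.tag in ("deny", "allow")]
    # The page requires deny elements first, allow elements after them.
    if order != sorted(order, key=lambda tag: tag != "deny"):
        raise ValueError("allow element appears before a deny element")
    # ip_network accepts both dotted masks and bit counts (/24).
    net = lambda el: ipaddress.ip_network(el.get("ip"), strict=False)
    return {
        "name": root.get("name"),
        "deny": [net(el) for el in root.findall("deny")],
        "allow": [net(el) for el in root.findall("allow")],
        "users": {el.get("tagref") for el in root.findall("appliesto")},
    }

def evaluate(flt, user_tag, client_ip):
    """Return 'allow', 'deny', or 'not-applicable' for this one filter."""
    if user_tag not in flt["users"]:
        return "not-applicable"  # no appliesto entry for this user
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in n for n in flt["deny"]):
        return "allow"  # permissive: addresses outside deny pass
    # Inside a denied range: only an explicit allow exception passes.
    return "allow" if any(addr in n for n in flt["allow"]) else "deny"

def coverage_gaps(flt):
    """Allow entries outside every deny range (they change nothing here)."""
    return [a for a in flt["allow"]
            if not any(a.subnet_of(d) for d in flt["deny"])]
```

A non-empty result from coverage_gaps usually points to a typo in an allow address or mask, since in this model an exception only has an effect inside a denied range.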