How To: Set conditions in Yottaa Firewall

This FAQ discusses the selection rules in Yottaa Firewall. For a more general overview, read our FAQ, How To: Throttle, Whitelist, and Block with Yottaa Firewall.

Rules all share the same general format. You can identify traffic by 5 different methods: HTTP Request header, request URL, Client user agent, Client IP, and Country. You can also use multiple methods in a single rule. Here's how they each work:

HTTP Request header

This is what the HTTP Request header rule interface looks like:

As you can see, you select the name of the incoming header. This could be Cookie, Accept-Language, or any other request header. If you are using a Cookie, put "Cookie" in the top box, and the second box should have CookieName=CookieValue. Keep in mind that the browser sends all of its cookies for your site in a single Cookie header, separated by "; ", so use Contains or Matches Regular Expression for cookie conditions; Equals would only match if that cookie were the only one present. You can use Equals, Contains, or Matches Regular Expression, or the negated form of any of those three. Note that this only checks HTTP request headers, not HTTP response headers. Also remember that request headers are supplied by the client and can be set to any value, so a header condition identifies traffic that claims to look a certain way rather than proving who sent it.

Request URL

The Request URL rule looks similar to the HTTP Request header rule, with fewer boxes:

This is useful if a certain page on your site is being requested too often. It can also be used together with one of the other rules: if you don't want users from a certain country or countries to see certain pages on your site, you'd combine this rule with the Country rule. As with headers, Equals requires the whole URL to match exactly, so prefer Contains or a regular expression when the query string varies, and anchor a regular expression so that a pattern meant for one path does not also match longer paths that happen to start the same way.

Client user agent

Here is the Client User Agent rule interface:

You can use this to throttle traffic from certain bots, assuming the bot uses the same user agent string each time. You could also use this to whitelist the site for iPhone users, or block people using certain versions of Internet Explorer. There are tens of thousands of unique User Agent strings out there, so a Contains or Regular Expression rule is recommended instead of Equals. The user agent is chosen by the client, so a bot can claim to be any browser; treat a user agent rule as a convenience filter for well-behaved traffic, and combine it with the Client IP rule when a decision needs to hold up against someone who is trying to get around it.
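The following is an added example, not Yottaa's code, showing how the three string-based methods above (HTTP Request header, Request URL, Client user agent) behave under Equals, Contains and a regular expression, and why Contains or a regular expression is the right choice for cookies and user agents. The operator names, the "not " prefix for the negated forms, and the assumption that every condition in a multi-method rule must hold are this example's own; the sample request is constructed.

```python
import re
from typing import Any, Callable, Dict, List

# Added example (not Yottaa's code). Operator names, the "not " prefix for
# negation, and AND semantics across conditions are assumptions.

Request = Dict[str, Any]            # {"url": str, "headers": {name: value}}
Condition = Callable[[Request], bool]


def _compare(op: str, actual: str, expected: str) -> bool:
    """Apply one operator; "not equals", "not contains", "not regex" negate it."""
    negate = op.startswith("not ")
    base = op[4:] if negate else op
    if base == "equals":
        hit = actual == expected
    elif base == "contains":
        hit = expected in actual
    elif base == "regex":
        hit = re.search(expected, actual) is not None
    else:
        raise ValueError(f"unknown operator: {op!r}")
    return not hit if negate else hit


def header_condition(name: str, op: str, value: str) -> Condition:
    """Match one HTTP *request* header. Header names are case-insensitive,
    so normalise before looking the header up. A missing header never matches."""
    wanted = name.lower()

    def check(req: Request) -> bool:
        headers = {k.lower(): v for k, v in req["headers"].items()}
        actual = headers.get(wanted)
        return actual is not None and _compare(op, actual, value)

    return check


def url_condition(op: str, value: str) -> Condition:
    """Match the request URL (path plus query string, as sent by the client)."""
    return lambda req: _compare(op, req["url"], value)


def user_agent_condition(op: str, value: str) -> Condition:
    """The user agent is just another request header."""
    return header_condition("User-Agent", op, value)


def rule_applies(conditions: List[Condition], req: Request) -> bool:
    """A rule that combines several methods applies only if all of them hold."""
    return all(cond(req) for cond in conditions)


# Constructed sample request (not real traffic): an iPhone browser that has
# three cookies set for the site.
SAMPLE_REQUEST: Request = {
    "url": "/checkout?step=2",
    "headers": {
        "Cookie": "lang=en; session=abc123; theme=dark",
        "User-Agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) "
                      "AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1",
        "Accept-Language": "en-US,en;q=0.9",
    },
}


def cookie_equals(req: Request = SAMPLE_REQUEST) -> bool:
    # Equals compares the whole Cookie header, so it fails whenever any
    # other cookie is present alongside session=abc123.
    return header_condition("Cookie", "equals", "session=abc123")(req)


def cookie_contains(req: Request = SAMPLE_REQUEST) -> bool:
    # Contains finds the cookie among the others, but it also matches a
    # look-alike such as xsession=abc1234.
    return header_condition("Cookie", "contains", "session=abc123")(req)


def cookie_regex(req: Request = SAMPLE_REQUEST) -> bool:
    # Anchoring to the "; " separators matches exactly the cookie you mean.
    return header_condition("Cookie", "regex", r"(^|; )session=abc123(;|$)")(req)


def iphone_checkout_rule(req: Request = SAMPLE_REQUEST) -> bool:
    # Two methods in one rule: iPhone browsers requesting the checkout page.
    return rule_applies(
        [user_agent_condition("contains", "iPhone"),
         url_condition("regex", r"^/checkout(\?|$)")],
        req,
    )


def legacy_ie_rule(req: Request = SAMPLE_REQUEST) -> bool:
    # A block rule for old Internet Explorer; negated form shown for contrast.
    return rule_applies([user_agent_condition("not regex", r"MSIE [6-8]\.")], req)
```

Running the functions against the sample request shows Equals failing on the cookie while Contains and the anchored regular expression succeed; the regular expression is the only one of the three that also rejects the xsession=abc1234 look-alike.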

Client IP

The Client IP rule is a powerful tool that lets you direct traffic. You can either include or exclude the list of IPs:

Once you've selected "in" (apply to all IPs in the list) or "not in" (apply to all IPs not on the list), you can click the "Click to add/remove ips and cidrs." You will get this screen:

There are a few options on this tool that make it particularly robust. As you can see, you can use both individual IP addresses and CIDR blocks in the list.

What's a CIDR block?

CIDR is short for "Classless Inter-Domain Routing." It lets you specify a range of IP addresses instead of listing them individually. In IPv4, a CIDR block looks like a normal IP address with a slash and a number added to the end. The number after the slash is the prefix length: how many leading bits of the address are fixed for every member of the block. The remaining bits vary, so the higher the number after the slash, the smaller the range. A block always starts at a multiple of its own size (the address with the varying bits set to zero), so 203.0.113.1/30 names the same four addresses as 203.0.113.0/30, not "203.0.113.1 and the next three." a.b.c.d/32 would just be the IP address a.b.c.d. Here are some common slash values, with examples from the 203.0.113.0/24 documentation range:

  • a.b.c.d/31: 2 addresses (e.g. 203.0.113.0/31 covers 203.0.113.0 and 203.0.113.1)
  • a.b.c.d/30: 4 addresses (e.g. 203.0.113.0/30 covers 203.0.113.0 to 203.0.113.3)
  • a.b.c.d/29: 8 addresses (e.g. 203.0.113.0/29 covers 203.0.113.0 to 203.0.113.7)
  • a.b.c.d/28, /27, /26, /25: 16, 32, 64, and 128 addresses respectively, each starting at a multiple of that size
  • a.b.c.0/24: 256 addresses, all that start with a.b.c. (e.g. 203.0.113.0 to 203.0.113.255)
  • a.b.0.0/16: 65,536 addresses, all that start with a.b. (It's unlikely that you'll need to use this)
  • a.0.0.0/8: 16,777,216 addresses, all that start with a. (It's very unlikely that you'll need to use this)

A CIDR block is a group of IP addresses. If there is a particular group of IP addresses that you would like to block, whitelist, or throttle, this is the way to do it.

You can import a comma-separated list of IP addresses and CIDRs, such as one you might export from your previous firewall. Importing a list overwrites the current listing, so if the rule already has entries, either add those existing entries to the list you're about to import or create a new rule. You can also export the list you have created in Yottaa as a .csv file.

We recommend whitelisting the Yottaa IP addresses in whatever firewall you are using, as described in this FAQ: What IP Addresses is Yottaa using to gather content from my origin server?.

Country

Creating a rule by country allows the same "in"/"not in" selection as the IP address rule:

Once you have selected whether to exclude or explicitly include the list of countries, you can click on the "Click to add/remove countries" to get this window:

To select countries, click on a country on the left and click the ">" arrow to move it over to the right. If you'd like to move the whole list, click ">>" to add every country to the selected list, or "<<" to clear it. Country is determined from the client's IP address, so it inherits the accuracy of IP geolocation: a visitor connecting through a VPN or proxy in another country will be classified by that exit address.

Now that we know how to format them, we can create some rules. For more information, check out our FAQ, How To: Throttle, Whitelist, and Block with Yottaa Firewall.
