There are several places where IP address rules are entered. For example, Serv-U security features determine if the server will allow or deny access based on the IP address of the client. When defining these rules, there are special characters that define masks that apply to groups of IP addresses.
There are three special characters: the star '*', question mark '?', and the hyphen '-'. These wildcards function as follows:
A star functions as a wildcard for checking the IP address. Any name or number will match that section of the rule if it is a star.
For example, say all IP-numbers in a company look like 134.56.34.xxx with 'xxx' being any number. To restrict access to the FTP server to other members of the company only, create an 'allow' rule that looks like this:
Allow: 134.56.34.*
Likewise, if unwanted users have IP-numbers in the range 168.76.xxx.xxx, they can be restricted from a server with a 'deny' rule, such as:
Deny: 168.76.*.*
Allow: *.*.*.*
The 'allow' rule at the end admits everyone who was not caught by the preceding 'deny' rule. Without it, no one would be allowed access to the server. Remember: as soon as there is even a single access rule, users are allowed into the server only if they qualify for an 'allow' rule.
IP-names may also be used in access rules. IP-name rules work in a similar fashion to IP-number rules. For example, to keep all users from a particular university out of the server, set up the following two rules:
Deny: *.universityx.edu
Allow: *.*.*.*
The hyphen is used to denote a range of numbers, so it can only be used for IP-numbers. Simply separate the starting and ending values by a hyphen.
For example, assume that users that need access have IP-numbers 134.56.34.128, 134.56.34.129 and 134.56.34.130. Three 'allow' rules could be defined, each with one of these numbers. However, a faster way to do this is to make a single 'allow' rule like this:
Allow: 134.56.34.128-130
The special characters '*' and '-' don't need to be at the end of the IP-number; any place will do. The rule 221.*.76-154.89 is perfectly OK.
The question mark is for IP-names only, to match any single character.
There is one more side effect of IP-name rules. When Serv-U starts, it does not know if there are any IP access rules that need an IP-name lookup, and searching all possible rules is prohibitive. Doing a reverse IP-name lookup is computationally slow and can take any amount of time (Serv-U has a hard-coded limit of one minute for this), during which the FTP client has to wait until the lookup is done. So, by default it does not do reverse-DNS lookups to determine the IP-name of the FTP clients that connect to the server. This means the first time an IP access rule is encountered that needs an IP-name, the user will be bounced (since no name is available at that point). However, once this happens the server switches strategies and does an IP-name lookup every time a user connects.
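The rule semantics described above, written out as an added Python example (not Serv-U's own code), including the case where an IP-name rule is reached before any reverse-DNS name is available. The function names are hypothetical, and three points are assumptions: rules are checked top-down with the first match deciding, an empty rule list allows everyone, and '*' in an IP-name matches any run of characters.

```python
import re

_OCTET = re.compile(r"^(\*|\d{1,3}(-\d{1,3})?)$")

def is_number_rule(pattern):
    # IP-number rule: four sections, each '*', a number, or a 'low-high' range.
    parts = pattern.split(".")
    return len(parts) == 4 and all(_OCTET.match(p) for p in parts)

def match_number(pattern, ip):
    # ip is expected to be a dotted-quad IPv4 string such as "134.56.34.129".
    for spec, octet in zip(pattern.split("."), ip.split(".")):
        if spec == "*":
            continue
        lo, _, hi = spec.partition("-")
        if not int(lo) <= int(octet) <= int(hi or lo):
            return False
    return True

def match_name(pattern, name):
    # Assumption: '*' matches any run of characters; '?' matches exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name, re.IGNORECASE) is not None

def evaluate(rules, ip, name=None):
    """rules: ordered (action, pattern) pairs. Returns 'allow' or 'deny'."""
    if not rules:
        return "allow"          # assumption: no rules means no IP restriction
    for action, pattern in rules:   # assumption: first matching rule decides
        if is_number_rule(pattern):
            hit = match_number(pattern, ip)
        elif name is None:
            return "deny"       # name rule reached with no lookup done: bounced
        else:
            hit = match_name(pattern, name)
        if hit:
            return action
    return "deny"               # rules exist, but no 'allow' rule matched

# Constructed rule sets built from the examples on this page.
COMPANY = [("allow", "134.56.34.128-130")]
BLOCK_RANGE = [("deny", "168.76.*.*"), ("allow", "*.*.*.*")]
UNIVERSITY = [("deny", "*.universityx.edu"), ("allow", "*.*.*.*")]
```

Calling `evaluate(UNIVERSITY, "192.0.2.10")` with no name returns 'deny', which mirrors the first-connection bounce described in the last paragraph; the address is a constructed sample.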