IP blacklist and trunk allow-list
Two tools on one page (Admin → Advanced → IP Blacklist): a working list of blocked and allowed addresses, and a switch that inverts the model entirely for inbound trunk traffic.
The blacklist
Entries are IPv4/IPv6 addresses or CIDR ranges, each with an action (Deny or Allow), a description and an optional expiry (expired entries remove themselves). The list mixes:
- Manual entries — addresses you've decided about: a persistent attacker denied permanently, or a branch office allowed so abuse control can never false-positive it.
- Auto entries — abuse control's bans, filterable separately, individually or bulk unblockable.
Allow beats deny for your own entries, which is what makes "allow the branch, then be aggressive with auto-bans" a safe posture.
The trunk allow-list
Restrict inbound SIP to trunk allow-list flips the external SIP profile from "accept anything, filter the bad" to deny-by-default: only your carriers' listed IPs may deliver calls at all. Scanner traffic stops reaching the SIP stack entirely — the strongest single inbound control available.
Before enabling it:
- List every carrier first. A carrier missing from the list = their calls silently drop. Provider templates that know their IPs (VoIP Innovations) pre-populate their entries; add the rest manually from your providers' documentation.
- It only fits when all inbound comes from known-IP carriers — a registering trunk from a provider with floating media IPs, or direct SIP from customer equipment, rules it out.
- Toggling briefly interrupts trunk calls, so flip it in a quiet moment and place a test call in immediately from a mobile.
Console restrictions
The same deny-by-default idea for the web console lives at Admin → Advanced → Console Restrictions: admin console access limited to specific addresses, with private LAN ranges built-in so the office can't lock itself out. Your current IP is displayed before you commit — check it if you administer remotely.