Docs navigation

IP blacklist and trunk allow-list

Two tools on one page (Admin → Advanced → IP Blacklist): a working list of blocked and allowed addresses, and a switch that inverts the model entirely for inbound trunk traffic.

The blacklist

Entries are IPv4/IPv6 addresses or CIDR ranges, each with an action (Deny or Allow), a description and an optional expiry (expired entries remove themselves). The list mixes:

  • Manual entries — addresses you've decided about: a persistent attacker denied permanently, or a branch office allowed so abuse control can never false-positive it.
  • Auto entries — abuse control's bans, filterable separately, individually or bulk unblockable.

Allow beats deny for your own entries, which is what makes "allow the branch, then be aggressive with auto-bans" a safe posture.

The trunk allow-list

Restrict inbound SIP to trunk allow-list flips the external SIP profile from "accept anything, filter the bad" to deny-by-default: only your carriers' listed IPs may deliver calls at all. Scanner traffic stops reaching the SIP stack entirely — the strongest single inbound control available.

Before enabling it:

  • List every carrier first. A carrier missing from the list = their calls silently drop. Provider templates that know their IPs (VoIP Innovations) pre-populate their entries; add the rest manually from your providers' documentation.
  • It only fits when all inbound comes from known-IP carriers — a registering trunk from a provider with floating media IPs, or direct SIP from customer equipment, rules it out.
  • Toggling briefly interrupts trunk calls, so flip it in a quiet moment and place a test call in immediately from a mobile.

Console restrictions

The same deny-by-default idea for the web console lives at Admin → Advanced → Console Restrictions: admin console access limited to specific addresses, with private LAN ranges built-in so the office can't lock itself out. Your current IP is displayed before you commit — check it if you administer remotely.