In Cerberus FTP Server version 13.1, we are correcting how we convert a given Classless Inter-Domain Routing (CIDR) notation to the corresponding IP address range.

CIDR use in Cerberus

The Cerberus Admin Console has two places where administrators use CIDR notation to specify IP address ranges.

i)  Firewall Controls: IP Firewall Management

Adding an IP Range in IP Firewall Management

As shown above in Firewall Controls : IP Firewall Management, administrators may use CIDR notation to allow or deny access to the FTP server based on IP address. The CIDR will be converted to a contiguous range of IP addresses and added to the IP Manager list.

ii) User Manager section

IP Address Range in CIDR in User Management

In the constraints tab for a user, the CIDR is used to specify Allowed IP Addresses for that user. Please refer to Adding a New User for more details on how to use this section.

What was the issue with IP Address Range calculation

Prior to version 13.1, Cerberus FTP Server always treated the IP address that was part of a CIDR notation as the starting point of the range, and the IP addresses were calculated accordingly.

Wrong IP Address Range prior to 13.1

As shown above, the IP Address range from “10.0.40.5” to “10.10.40.20” is calculated based on the CIDR “10.0.40.5/28”. The starting address above should have been 10.10.40.0 and the range should have been 10.10.40.0-10.10.40.15.

Fix Provided

In version 13.1, this issue has been resolved and ranges are now properly computed.

Tips: There are many third-party online tools that can be used to check the range of IP Addresses against a given CIDR value. These may be used to verify whether your CIDR matches desired network behavior.

Potential production impacts

An upgrade to version 13.1 or later may impact the list of IP Addresses generated from a given CIDR. Administrators should consider potential user access issues due to these changes.

User constraints under the User Management section are more likely to be affected, because the CIDR is used directly there, unlike the IP Firewall Management section, which stores the IP address range in simple range format. (Please refer to the example snapshots above.)

Mitigation

If an IP address which was part of the expected list gets excluded due to the fix above, administrators can always use other options for providing an IP range such as simple range format or entering a single address.

For example, in the image below, if an administrator wanted to retain the IP addresses beyond 10.10.40.15 after using CIDR “10.10.40.0/28” due to the new calculation, they can provide that range using simple range format, such as “10.10.40.16-10.10.40.20”, or with a single address, such as “10.10.40.21”.

Possible Values without impacting existing IP Range
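
To review CIDR entries before upgrading, the following added example (not Cerberus code) compares the pre-13.1 range with the 13.1 range for each entry and reports which addresses stop matching and which start matching. It assumes IPv4 entries and assumes the pre-13.1 range length equals the block size for the prefix, as in the .5-to-.20 case described above; the function names and sample entries are constructed for illustration.

```python
import ipaddress

MAX_V4 = 2**32 - 1

def fmt(lo, hi):
    """Render an inclusive integer span as a single address or 'first-last'."""
    first, last = ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)
    return str(first) if lo == hi else f"{first}-{last}"

def upgrade_diff(cidr):
    """Compare the pre-13.1 and 13.1 ranges for one IPv4 CIDR entry."""
    iface = ipaddress.IPv4Interface(cidr)
    net = iface.network
    # Pre-13.1, per the post: the written address starts the range.
    # Assumption: the range length equals the block size for the prefix.
    old_lo = int(iface.ip)
    old_hi = min(old_lo + net.num_addresses - 1, MAX_V4)  # clamp at 255.255.255.255
    # 13.1: host bits are masked off, giving the enclosing network block.
    new_lo, new_hi = int(net.network_address), int(net.broadcast_address)
    return {
        "old": fmt(old_lo, old_hi),
        "new": fmt(new_lo, new_hi),
        # Matched before the upgrade, not after: candidates to re-add.
        "lost": fmt(new_hi + 1, old_hi) if old_hi > new_hi else None,
        # Not matched before, matched after: review these for unintended access.
        "gained": fmt(new_lo, old_lo - 1) if old_lo > new_lo else None,
    }

def audit(entries):
    """Return only the entries whose effective range changes with the fix."""
    report = {}
    for cidr in entries:
        diff = upgrade_diff(cidr)
        if diff["old"] != diff["new"]:
            report[cidr] = diff
    return report

if __name__ == "__main__":
    # Constructed sample entries, not taken from a real configuration.
    sample = ["10.10.40.5/28", "192.168.1.0/24", "172.16.9.200/26"]
    for cidr, diff in audit(sample).items():
        print(cidr, diff)
```

Entries written with the network address (such as 192.168.1.0/24) are unaffected; only entries with host bits set appear in the report, and the "gained" span deserves the same review as the "lost" one because it widens what the rule matches.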

Feedback

As always, we look forward to hearing how our customers use Cerberus and any additional improvements that would help make Cerberus FTP Server better. We would love to hear your feedback.