IP Safelist
Never block your legitimate users.
IP safelists ensure that your known-good addresses are never blocked by auto-mitigation rules during an attack. Add player IPs, API consumers, office networks, and upstream providers to a per-node or workspace-wide allowlist that every firewall rule respects.
How It Works
Safelisted IPs are exempt from every automated action.
When Flowtriq's auto-mitigation fires a firewall rule, it checks the safelist before executing. Any IP or CIDR range on the safelist is excluded from the block command. The mitigation still runs against all other traffic, but your known-good sources keep flowing.
Safelists can be scoped per-node (only applies to rules on that server) or workspace-wide (applies to every node in your workspace). You can mix both: a workspace-wide list for office IPs and a per-node list for game server players.
Entries support individual IPs (192.168.1.1), CIDR ranges (10.0.0.0/8), and IPv6. Each entry has an optional label so you know what it protects months later.
| Property | Value |
| --- | --- |
| Scope | Per-node or workspace-wide |
| Format | IPv4, IPv6, CIDR notation |
| Labels | Optional description per entry |
| Limit | Up to 10,000 entries per scope |
| Enforcement | Checked before every firewall rule execution |
| Management | Dashboard UI, API, or CSV import |
Action: iptables drop UDP INPUT
09:44:19 ⚠ Incident triggered
→ Checking safelist...
Safelist entries:
✓ 203.0.113.50 office-vpn
✓ 198.51.100.0/24 api-consumers
✓ 192.0.2.10 monitoring
→ 3 IPs/ranges excluded from block
→ iptables rule applied (safelisted IPs exempt)
✓ Mitigation active · safe traffic preserved
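As an added illustration of the check described above (this is not Flowtriq's own code), the snippet below models a safelist with per-node and workspace-wide scopes, resolves which entries apply on a given node, and shows one way the exemption can be expressed in iptables: an ACCEPT per safelisted source inserted ahead of the broad DROP, so that safelisted traffic never reaches the block rule. The `Entry` model, the `node:<name>` scope convention and the exact rule layout are assumptions; the sample addresses are the documentation ranges from the incident log above.

```python
"""Added example (not Flowtriq's code): consulting a safelist before a firewall
block executes. The Entry model, the scope strings and the exact rule layout are
assumptions made for this illustration."""
from __future__ import annotations

import ipaddress
import shlex
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Entry:
    network: Network
    label: str = ""
    scope: str = "workspace"  # assumed convention: "workspace" or "node:<node-name>"


def parse_entry(text: str, label: str = "", scope: str = "workspace") -> Entry:
    """Accept a bare IPv4/IPv6 address or a CIDR; a bare address becomes /32 or /128."""
    return Entry(ipaddress.ip_network(text.strip(), strict=False), label, scope)


def effective_safelist(entries: Iterable[Entry], node: str) -> List[Entry]:
    """Workspace-wide entries apply on every node; per-node entries only on that node."""
    return [e for e in entries if e.scope in ("workspace", f"node:{node}")]


def is_safelisted(ip: str, safelist: Iterable[Entry]) -> Optional[Entry]:
    """Return the entry that covers ip, or None (address families are never mixed)."""
    addr = ipaddress.ip_address(ip)
    for e in safelist:
        if addr.version == e.network.version and addr in e.network:
            return e
    return None


def build_block_rules(proto: str, chain: str, safelist: Iterable[Entry]) -> List[str]:
    """Return the commands a mitigation would run for 'drop <proto> on <chain>'.

    iptables evaluates a chain top to bottom, so one ACCEPT per safelisted source is
    inserted at position 1 before the broad DROP is appended; safelisted traffic
    matches the ACCEPT and never reaches the DROP. IPv6 entries go to ip6tables.
    """
    cmds = []
    for e in safelist:
        tool = "iptables" if e.network.version == 4 else "ip6tables"
        comment = shlex.quote(f"safelist:{e.label}")  # labels come from users; quote them
        cmds.append(
            f"{tool} -I {chain} 1 -p {proto} -s {e.network.with_prefixlen} "
            f"-m comment --comment {comment} -j ACCEPT"
        )
    # The broad mitigation rule itself, applied to both address families (assumption)
    cmds.append(f"iptables -A {chain} -p {proto} -j DROP")
    cmds.append(f"ip6tables -A {chain} -p {proto} -j DROP")
    return cmds


# Constructed sample safelist mirroring the entries shown in the incident log above
SAMPLE_ENTRIES = [
    parse_entry("203.0.113.50", "office-vpn"),
    parse_entry("198.51.100.0/24", "api-consumers"),
    parse_entry("192.0.2.10", "monitoring", scope="node:game-eu-1"),
    parse_entry("2001:db8::/32", "ipv6-partner"),
]

if __name__ == "__main__":
    active = effective_safelist(SAMPLE_ENTRIES, node="game-eu-1")
    print(f"-> {len(active)} IPs/ranges excluded from block")
    for cmd in build_block_rules("udp", "INPUT", active):
        print(cmd)
```

Running the module prints the exclusion count followed by the rule set a mitigation on `game-eu-1` would apply; on a node without the per-node `monitoring` entry, `effective_safelist` returns one entry fewer and the corresponding ACCEPT is not emitted.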
Who Should Be Safelisted
Protect the traffic that matters most
Player IPs
Safelist your active players so they stay connected during attacks. No more kicking legitimate users when auto-mitigation fires a broad UDP block.
Partner and client IPs
API consumers sending legitimate requests should never hit a block rule. Safelist their egress IPs or CIDR ranges workspace-wide.
Internal and VPN IPs
Your team's office IPs and VPN exit nodes should never be blocked. Add your corporate CIDR ranges to the workspace-wide safelist.
Health check sources
Uptime monitors, load balancer health checks, and CDN origin pulls. Blocking these causes false downtime alerts and failed failovers.
CDN and proxy IPs
Cloudflare, AWS CloudFront, and other CDN/proxy IP ranges. Blocking these kills all legitimate web traffic behind the proxy.
Webhook source IPs
Stripe, PayPal, and other payment webhooks originate from known IP ranges. Blocking them causes missed payment events and failed orders.
Without vs. With Safelist
Auto-mitigation without a safelist is a liability
No safelist
- Broad firewall rules block legitimate users alongside attackers
- Game server players get kicked during mitigation
- API consumers receive connection resets
- Monitoring systems report false downtime
- Payment webhooks fail silently
IP Safelist enabled
- Known-good IPs are exempt from every auto-mitigation rule
- Players stay connected throughout the attack
- API traffic flows uninterrupted
- Health checks pass, no false alerts
- Payment webhooks always reach your server
FAQ
Common questions about IP safelists
What if an attacker spoofs a safelisted IP?
IP spoofing is common in volumetric UDP floods but does not apply to TCP-based attacks (SYN floods, HTTP floods) where a full handshake is required. For UDP, keep safelisted entries limited to sources you trust and that also send TCP traffic to you. Spoofed UDP packets carrying a safelisted source address will pass through, but the volumetric flood from all other sources is still blocked.
Can I import a large list of IPs?
Yes. The dashboard supports CSV import with columns for IP/CIDR and optional label. You can also manage the safelist via the API for automated updates from your infrastructure tooling.
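As an added example (not part of the dashboard or the API), the following validates a CSV import of the kind described in this answer before anything reaches enforcement: it rejects malformed or ambiguous entries, skips exact duplicates, flags entries already covered by a broader range, and applies the 10,000-entry scope limit. The two-column layout, the minimum-prefix guardrail and the sample rows are assumptions constructed for the example.

```python
"""Added example (not Flowtriq's code): validating a CSV safelist import before it
reaches the enforcement path. Column layout, the warning rules and the way the
10,000-entry scope limit is applied are assumptions for this illustration."""
import csv
import io
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

MAX_ENTRIES = 10_000        # per-scope limit stated on the page
MIN_PREFIX = {4: 8, 6: 32}  # assumed guardrail: refuse entries broader than this


@dataclass
class ImportResult:
    accepted: List[Tuple[object, str]] = field(default_factory=list)   # (network, label)
    rejected: List[Tuple[int, str, str]] = field(default_factory=list)  # (line, raw, reason)
    warnings: List[str] = field(default_factory=list)


def import_safelist_csv(text: str, existing_count: int = 0) -> ImportResult:
    """Rows are 'ip_or_cidr,label'; '#' lines and blank rows are skipped.

    strict=True rejects entries such as '192.0.2.0/16' whose host bits are set
    instead of silently widening them to 192.0.0.0/16, which would exempt far
    more than intended. Exact duplicates are skipped; entries already covered by
    a broader accepted range are kept but flagged so the operator can prune them.
    """
    result = ImportResult()
    seen = {}
    capacity = MAX_ENTRIES - existing_count
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or not row[0].strip() or row[0].lstrip().startswith("#"):
            continue
        raw = row[0].strip()
        label = row[1].strip() if len(row) > 1 else ""
        try:
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError as exc:
            result.rejected.append((lineno, raw, str(exc)))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            result.rejected.append((lineno, raw, f"prefix /{net.prefixlen} too broad"))
            continue
        if net in seen:
            result.warnings.append(f"line {lineno}: {raw} duplicates line {seen[net]}")
            continue
        if len(result.accepted) >= capacity:
            result.rejected.append((lineno, raw, f"scope limit of {MAX_ENTRIES} reached"))
            continue
        for other, other_label in result.accepted:
            if other.version == net.version and net != other and net.subnet_of(other):
                result.warnings.append(
                    f"line {lineno}: {raw} already covered by {other} ({other_label})"
                )
        seen[net] = lineno
        result.accepted.append((net, label))
    return result


def covered_addresses(result: ImportResult) -> int:
    """Total addresses the accepted entries exempt (a single /16 alone is 65,536)."""
    return sum(net.num_addresses for net, _ in result.accepted)


# Constructed sample import; the addresses are documentation ranges, not real customers
SAMPLE_CSV = """\
# ip_or_cidr,label
203.0.113.50,office-vpn
198.51.100.0/24,api-consumers
198.51.100.0/24,api-consumers-duplicate
198.51.100.20,partner-a
192.0.2.0/16,monitoring-typo
2001:db8::/32,ipv6-lab
not-an-ip,typo
0.0.0.0/0,everyone
"""

if __name__ == "__main__":
    r = import_safelist_csv(SAMPLE_CSV)
    print(f"accepted {len(r.accepted)}, rejected {len(r.rejected)}, "
          f"warnings {len(r.warnings)}, addresses exempted {covered_addresses(r)}")
    for line, raw, reason in r.rejected:
        print(f"  rejected line {line}: {raw}: {reason}")
    for w in r.warnings:
        print(f"  warning {w}")
```

Reporting the total number of exempted addresses alongside the entry count is deliberate: the entry limit is per row, but a single broad range can exempt orders of magnitude more sources from mitigation than a long list of individual hosts.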
Does the safelist apply to manual firewall rules too?
Yes. Every firewall rule, whether triggered automatically or queued manually from the dashboard, checks the safelist before executing. Safelisted IPs are always exempt.
Is there a limit to how many entries I can add?
Up to 10,000 entries per scope (per-node or workspace-wide). Each entry can be a single IP or a CIDR range, so a single /16 entry covers 65,536 addresses.