IP Filters
By default, OIBus only accepts connections from the local machine. Any remote workstation that needs to reach the OIBus web interface or API must have its IP address explicitly allowed through an IP filter rule.
The following addresses are permanently allowed and cannot be removed:
127.0.0.1, ::1, ::ffff:127.0.0.1, ::ffff:7f00:1, 0:0:0:0:0:0:0:1
Address Format
Each IP filter rule contains a single address field. OIBus supports IPv4, IPv6, and wildcard patterns.
| Pattern | Example | Matches |
|---|---|---|
| Exact IPv4 | 192.168.1.100 | Only that specific address |
| IPv4 wildcard | 192.168.1.* | All addresses from 192.168.1.0 to 192.168.1.255 |
| Exact IPv6 | 2001:db8::1 | Only that specific address |
| IPv6 prefix wildcard | 2001:db8:* | All addresses under that prefix |
| Allow all | * | Every remote address |
An IPv4 address entered as 192.168.1.100 is automatically also matched against its IPv6-mapped form
::ffff:192.168.1.100, so a single rule covers both connection types.
Managing Filters
IP filters are managed from Engine → IP Filters in the OIBus interface.
Each rule has two fields:
| Field | Description |
|---|---|
| Address | The IP address or pattern to allow (see formats above) |
| Description | Free-text note to identify the rule (e.g. Production SCADA server) |
Rules can be added, edited, and deleted at any time. Changes take effect immediately — no restart is required.
Adding a Filter via the API
Filters can also be created programmatically. The following example uses curl to add a rule that allows a
specific subnet:
curl --location 'http://localhost:2223/api/ip-filters' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--data '{
"address": "192.168.1.*",
"description": "Plant network"
}'
To allow all remote addresses (useful during initial setup):
curl --location 'http://localhost:2223/api/ip-filters' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--data '{
"address": "*",
"description": "Allow all traffic"
}'
For a complete list of available endpoints, visit the API documentation page.
IP filter rules apply to all incoming connections — both the OIBus web interface and the
proxy server. Allowing all IP addresses (*) therefore also opens the
proxy to every machine on the network. Because the proxy forwards requests without authentication, this can let
any reachable host relay arbitrary traffic through OIBus. Always restrict access to known IP addresses in
production.
- Use exact addresses or the narrowest wildcard that covers your needs (e.g.
192.168.10.*instead of*). - Add a clear description to each rule so you can identify and clean up stale entries later.
- Keep in mind that IP filter rules protect both the web interface and the proxy server — a rule that grants access to one grants access to both.
Test IP Filter Rules
Use the tester below to verify how your rules behave before applying them to a live instance. Enter one rule per line in the Filter Rules field, then enter the IP address you want to check and click Test.
The tester applies the same matching logic as OIBus:
- Localhost addresses are always considered allowed.
*matches any address.192.168.1.*matches any address whose first three octets are192.168.1.- An IPv4 address is also tested against its
::ffff:<ipv4>IPv6-mapped form.