CIDR Allowlist Risk Checker

Allowlist CIDRs:

Use labels, ports, owners, and expiry dates when you need a review queue instead of a bare range list.

{{ params.source.length.toLocaleString() }} chars

Reviewed ports:

Broad ranges on admin, database, mail, or all-port rules are elevated in the risk queue.

Exposure context:

Choose the policy surface closest to the reviewed firewall, WAF, VPN, SaaS, or internal rule.

Review allowlist input

{{ error }}

Policy name:

Optional review name for the exported evidence package.

Broad IPv4 threshold:

Use /16 for conservative internet-facing reviews; lower values reduce broad-range findings.

Broad IPv6 threshold:

Use /48 for organization-scale IPv6 review and /64 when host subnet breadth matters.

Expiry warning window:

Set to 0 if your review process does not track temporary allowlist expiry dates.

days

Host-bit handling:

Normalize keeps common spreadsheet exports usable while recording the correction in the ledger.

{{ header }}	Copy
{{ cell }}
No rows for the current input.

Export to PDF Fullscreen

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

CIDR allowlists turn source addresses into access policy. A single broad range can change a tight firewall or SaaS rule into one that accepts traffic from far more places than the reviewer intended, especially when the allowed ports include administration, database, file sharing, or remote desktop services.

Allowlist risk is not only about whether a CIDR is valid. The same address block can be reasonable for a partner API, too wide for an SSH rule, meaningless in an internet-facing policy when it is a documentation range, or stale because a temporary exception never expired. A useful review asks how many addresses the range covers, what scope the addresses belong to, which service ports are attached, who owns the exception, and whether another row already covers the same source.

Diagram showing a wide CIDR and sensitive ports feeding a risk score and triage queue, while a narrow reviewed range stays lower risk.

Broad ranges deserve special attention because CIDR breadth grows quickly as the prefix gets shorter. An IPv4 /32 names one address, a /27 names 32 addresses, a /16 names 65,536 addresses, and 0.0.0.0/0 names every IPv4 address. IPv6 ranges grow even faster, so a prefix that looks short on screen can still cover a very large source population.

The safest reading is a review queue, not a penetration test and not proof that a rule is active in a firewall. A high score means the row deserves human review because its source breadth, ports, metadata, dates, or overlap pattern can make the allowlist harder to justify.

Technical Details:

Classless Inter-Domain Routing, or CIDR, writes an IP network as an address plus a prefix length. The prefix length says how many leading bits are fixed as the network part. A shorter prefix leaves more host bits and therefore covers more possible source addresses. In an allowlist, that breadth is the starting point for risk because each added address is another possible source that can reach the protected listener if the rule is active.

Address scope changes the interpretation. RFC 1918 private IPv4 ranges, shared carrier-grade NAT space, loopback, link-local, benchmark, multicast, reserved, and documentation ranges do not mean the same thing as public IPv4 space. IPv6 has similar special-use categories, including unique local, link-local, multicast, 6to4 transition, unspecified, loopback, and documentation prefixes. A private or documentation source may make sense inside a VPN or internal policy, but it should slow an internet-facing review because it usually does not identify a public client by itself.

Address count follows the same simple relationship for IPv4 and IPv6. The number of possible addresses is two raised to the number of host bits left by the prefix.

addresses = 2^{bits - prefix}

For IPv4, bits is 32. For IPv6, bits is 128. That is why 203.0.113.64/27 covers 2^(32 - 27), or 32 IPv4 addresses, while 2001:db8::/32 covers 2^(128 - 32) IPv6 addresses.

Core CIDR allowlist risk rules
Risk signal	Rule used in the review	Resulting cue
Internet-wide source	Prefix length is `/0`.	`Internet-wide allowlist source`, Critical.
Broad public CIDR	Public-like source has prefix length less than or equal to the configured broad threshold. Defaults are IPv4 `/16` and IPv6 `/48`.	High by default, Critical for IPv4 `/8` or shorter.
Broad non-public CIDR	Private, special, or documentation source is still broad for its address family.	Medium, with a prompt to confirm the rule is not exposed on an internet-facing listener.
Sensitive service exposure	High-risk ports appear on a broad source, an internet-wide source, or an administrative access review.	Critical for `/0` or administrative access, otherwise High.
Time and ownership gaps	Expired dates, dates inside the warning window, invalid date format, missing owner, or missing review date.	High, Medium, or Low findings depending on the gap.
Overlap	Same-family ranges duplicate, contain, or partially overlap one another.	Relationship rows plus overlap participation findings.

Port parsing accepts numeric ports, ranges, all-port tokens such as any or *, and common service names including ssh, rdp, mysql, postgres, https, and winrm. The high-risk service list includes administration, database, file sharing, mail, directory, cache, and search ports. HTTPS is accepted as a service name, but it is not treated as a high-risk port by itself.

Inputs and outputs used by the checker
Surface	Accepted or returned values	Why it matters
`Allowlist CIDRs`	One CIDR per line, a bare host address, or CSV rows with label, CIDR, ports, owner, expiry, and note fields.	Labels, owners, dates, and notes turn a range list into an accountable review queue.
`Reviewed ports`	Default ports applied when a row has no port list.	Broad source ranges become more urgent when they expose administrative or data services.
`Exposure context`	`Internet-facing ingress`, `Administrative access`, `Partner or SaaS API`, or `Internal-only policy`.	The same CIDR can carry a different review burden depending on where the rule is enforced.
`Host-bit handling`	Normalize host bits to the network boundary or reject CIDRs whose host bits are set.	Normalization keeps messy spreadsheets usable; strict mode catches source rows that are not already canonical.
`Risk Triage Queue`	Severity, finding, CIDR, ports, owner, evidence, and action.	The queue orders the concrete review work before approval.
`CIDR Exposure Ledger`	Canonical CIDR, address family, prefix, address count, scope, score, and status.	The ledger shows how each source row was normalized and classified.
`Overlap & Coverage Review`	Duplicate, containment, partial-overlap, and unique coverage rows.	Overlap rows find broad parent rules that may make narrower exceptions redundant.
`Exposure Pressure Map`	Scatter chart with address breadth on a log scale and risk score from 0 to 100.	The chart makes very wide ranges and high scores stand out during review.

Severity is built from finding severity and numeric score. Critical findings dominate. High findings return High unless a Critical finding is present. When no High or Critical finding exists, scores of 80 or more become Critical, scores of 55 or more become High, scores of 30 or more become Medium, and any positive score becomes Low. A zero score is Clear. Overlap participation can add up to 12 points to a row, capped at a total score of 100.

Status labels and their practical meaning
Status	When it appears	Practical reading
`Critical review`	Severity is Critical.	Pause approval until the source range, sensitive ports, date, and owner evidence are explained.
`Reduce source range`	Severity is High.	Replace the row with narrower partner NAT, VPN egress, provider, or host entries when possible.
`Review evidence`	Severity is Medium.	Check scope mismatch, broad non-public ranges, upcoming expiry, or overlap before acceptance.
`Clean up metadata`	Severity is Low.	Fix owner, date, canonical CIDR, or host notation so the next review is easier.
`Allowlist shape OK`	No findings were generated.	The row has no shape issue under the current settings, but policy approval still depends on your environment.

Everyday Use & Decision Guide:

Start with the range list exactly as reviewers see it in the firewall, WAF, VPN, SaaS, or ticket export. Add owner and expiry columns when you have them. A row with 0.0.0.0/0, 22, and no review date should jump to the front of the queue, while a narrow partner NAT range on 443 should mostly be checked for scope, ownership, and overlap.

Choose Exposure context before reading the scores. Administrative access intentionally treats sensitive ports more harshly. Internal-only policy reduces scope-mismatch pressure for private and special-use ranges, but it does not make broad database or remote access rules harmless.

Use the default broad thresholds for a first pass: IPv4 /16 and IPv6 /48. Tighten them only when your policy expects smaller partner or host ranges.
Put row-specific ports in the source CSV when different allowlist entries protect different services. Use Reviewed ports as a fallback for bare CIDR rows.
Leave Host-bit handling on normalize when reviewing messy exports. Switch to strict mode when you want non-canonical rows to fail instead of being corrected.
Use Normalize only after the result is valid. It rewrites the source into canonical label, CIDR, ports, owner, expiry, and note columns.
Check Overlap & Coverage Review before accepting a narrow exception. A parent CIDR may already include it.

The main wrong assumption is that a lower score proves a rule is safe. A Clear or Low row only means the checker did not find the specific shape problems it knows how to score. It does not know whether the business need is real, whether the firewall rule is deployed, whether a provider IP list is current, or whether the protected application has its own authentication controls.

For approval work, copy the triage table into the ticket only after the summary, ledger, and overlap review agree. If the evidence says Reduce source range or Critical review, ask for a narrower source, an accountable owner, a review date, or a maintained provider list before treating the exception as ready.

Step-by-Step Guide:

Review one policy surface at a time so the summary, triage rows, ledger, and chart describe the same access question.

Paste rows into Allowlist CIDRs. Use one CIDR per line or CSV columns such as label,cidr,ports,owner,expires,note. Blank lines and lines starting with # are ignored.
Set Reviewed ports for rows that do not carry their own ports. Service names such as ssh, rdp, mysql, postgres, and https are accepted.
Choose Exposure context. Use internet-facing ingress for public listeners, administrative access for SSH/RDP/management paths, partner or SaaS API for integration allowlists, and internal-only policy for internal control-plane rules.
Open Advanced if the default breadth or date settings do not match your review. Adjust Broad IPv4 threshold, Broad IPv6 threshold, Expiry warning window, and Host-bit handling.
Read the summary first. Critical risk 95/100 means at least one row has a severe shape issue; Needs CIDRs means the page has no valid ranges to score.
Open Risk Triage Queue and handle the highest severity rows first. Use the Evidence and Action columns as the direct review notes.
Open CIDR Exposure Ledger to confirm canonical CIDR, address count, scope, score, and status for each source row.
Open Overlap & Coverage Review before approval. Resolve duplicate, parent-child, or partial-overlap rows so each exception has one clear purpose.
If a validation message appears, fix the source row it names. For example, strict mode can report CIDR host bits are set; either correct the CIDR boundary or switch back to normalize mode for a cleanup pass.

A clean finish is a triage queue with no Critical or High findings, a ledger whose owners and dates make sense, and an overlap review that does not hide broad parent rules.

Interpreting Results:

The highest-value output is the first few rows in Risk Triage Queue. Those rows name the concrete finding, the affected CIDR, the ports that made it worse, the owner field, the evidence sentence, and the proposed action. Treat those rows as review prompts, not automatic change orders.

Internet-wide allowlist source means a /0 range matched every address in that family. Replace it with named provider ranges, partner NATs, VPN egress addresses, or a maintained service tag when possible.
Sensitive service exposure is most urgent when the ports are SSH, RDP, database, file sharing, remote management, cache, or similar services. The same port list on Administrative access deserves extra scrutiny.
Source scope mismatch means the range is private, special, or documentation space in a context where a public client source might have been expected. Confirm NAT, proxy, VPN, or service-tag intent before relying on it.
Review date missing and Allowlist row expires soon are process findings. They do not prove bad traffic, but they often explain why temporary exceptions stay around too long.
Overlap participation means the row shares addresses with another same-family row. Check whether the broader parent should be removed or whether the narrower child still needs its own owner and date.

Do not let a tidy chart point create false confidence. The Exposure Pressure Map helps spot wide and high-scoring ranges quickly, but the decision should come from the triage evidence, canonical CIDR, scope label, owner, expiry date, and overlap relationship together.

Worked Examples:

Emergency admin range

A row such as Emergency admin,0.0.0.0/0,22;3389,infra,2026-05-20,temporary produces Critical risk 95/100 on the default settings. Risk Triage Queue shows Internet-wide allowlist source, Sensitive service exposure, and an expiry warning because the date is inside the 21-day window on May 6, 2026. CIDR Exposure Ledger reports 4,294,967,296 IPv4 addresses and status Critical review, so the useful next request is a narrower VPN, jump-host, partner NAT, or maintained provider source.

Partner API row using documentation space

A row such as Partner API,203.0.113.64/27,443,api-owner,2026-08-31,approved is narrow at 32 addresses and does not expose a high-risk service under the port list. The result still shows Medium risk 38/100 because 203.0.113.64/27 sits inside Documentation TEST-NET. That finding is useful for examples and training data, but a real partner rule should be checked against the partner's actual public NAT or provider source list.

Parent range hides a child exception

Two rows, 203.0.113.64/27 and 203.0.113.70/32, produce one containment relationship in Overlap & Coverage Review. The review row says 203.0.113.64/27 contains 203.0.113.70/32 with one shared address, while the unique IPv4 coverage remains 32 addresses. That means the child row may be redundant unless it needs separate ownership, expiry, or approval evidence.

Strict mode catches a non-canonical CIDR

With Host-bit handling set to strict, 203.0.113.70/27 returns Line 1: CIDR host bits are set in 203.0.113.70/27 and the summary changes to Needs CIDRs. In normalize mode, the same source would be corrected to the network boundary and logged as Host bits normalized. Strict mode is better for cleanup gates; normalize mode is better for turning a messy export into a reviewable ledger.

FAQ:

Can I paste a firewall export instead of hand-entering CIDRs?

Yes. Paste CSV-style rows with label, CIDR, ports, owner, expiry, and note fields, or use Browse for a text-like file under 512 KiB. The parser analyzes the first 700 non-blank, non-comment rows.

What happens if a row has no slash prefix?

A bare IPv4 host is treated as /32 and a bare IPv6 host is treated as /128. The triage queue can add Host address converted to CIDR so the source inventory can be cleaned up.

Why is a private or documentation CIDR flagged?

In any context except Internal-only policy, private, special, and documentation ranges can produce Source scope mismatch. The warning asks you to confirm NAT, proxy, VPN, or service-tag intent because those ranges usually do not identify public clients.

Does the checker test my firewall rule?

No. The allowlist text is processed in the browser. The checker does not contact the listed CIDRs, inspect the firewall, or verify that a provider range is current.

What should I do when strict mode reports host bits?

Correct the row to the real network boundary, such as changing a host-bearing /27 to the canonical /27 network, or switch Host-bit handling back to normalize mode and then use Normalize to rewrite the source ledger.

Glossary:

CIDR: Address notation that combines an IP address and prefix length, such as 203.0.113.64/27.
Prefix length: The number after the slash that says how many leading address bits are fixed as the network part.
Host bits: The remaining address bits after the prefix; non-zero host bits make a CIDR input non-canonical for its network boundary.
RFC 1918: The IPv4 private address ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
Documentation TEST-NET: IPv4 example ranges such as 192.0.2.0/24, 198.51.100.0/24, and 203.0.113.0/24.
Unique local: IPv6 local-use space under fc00::/7, commonly seen in internal or VPN-style designs.
Overlap: A same-family relationship where one allowlist CIDR duplicates, contains, or partially shares addresses with another row.

References:

Guidelines on Firewalls and Firewall Policy, NIST, September 2009.
Classless Inter-domain Routing (CIDR): The Internet Address Assignment and Aggregation Plan, IETF, August 2006.
Address Allocation for Private Internets, IETF, February 1996.
IPv4 Special-Purpose Address Space, IANA, last updated October 9, 2025.
IPv6 Special-Purpose Address Space, IANA.
Unique Local IPv6 Unicast Addresses, IETF, October 2005.