TsgcWebSocketFirewall provides IP-based access control through two complementary mechanisms: a blacklist that blocks specific IPs and a whitelist that grants unconditional access to trusted IPs.
The blacklist prevents connections from specified IP addresses or IP ranges. When enabled, any incoming connection from a blacklisted IP is rejected before reaching the server's connection events.
| Property | Description |
| --- | --- |
| Blacklist.Enabled | Enables or disables blacklist checking. Default: False. |
| Blacklist.IPs | TStringList containing blocked IP addresses or CIDR ranges. |
Click the IPs property in the Object Inspector to open the String List editor. Add one IP or CIDR range per line:
192.168.1.100
10.0.0.0/8
172.16.0.0/12
server.Firewall.Blacklist.Enabled = true;
server.Firewall.Blacklist.IPs.Add("192.168.1.100");
server.Firewall.Blacklist.IPs.Add("10.0.0.0/8");
The whitelist grants unconditional access to specified IP addresses. Whitelisted IPs bypass all other firewall checks, including blacklist, brute force bans, rate limits, and message filtering.
| Property | Description |
| --- | --- |
| Whitelist.Enabled | Enables or disables whitelist checking. Default: False. |
| Whitelist.IPs | TStringList containing trusted IP addresses or CIDR ranges. |
// Allow internal network unconditionally
server.Firewall.Whitelist.Enabled = true;
server.Firewall.Whitelist.IPs.Add("192.168.1.0/24");
server.Firewall.Whitelist.IPs.Add("127.0.0.1");
When both blacklist and whitelist are enabled, the firewall evaluates them in this order:
1. If the IP is whitelisted, the connection is allowed immediately. No further checks are performed.
2. If the IP is blacklisted, the connection is denied.
3. If the IP is in neither list, the connection proceeds to other checks (brute force, rate limiting, etc.).
This means a whitelist entry always takes priority over a blacklist entry for the same IP.
Both blacklist and whitelist support CIDR (Classless Inter-Domain Routing) notation for specifying IP ranges:
| CIDR | Range | Addresses |
| --- | --- | --- |
| 192.168.1.0/24 | 192.168.1.0 - 192.168.1.255 | 256 |
| 192.168.0.0/16 | 192.168.0.0 - 192.168.255.255 | 65,536 |
| 10.0.0.0/8 | 10.0.0.0 - 10.255.255.255 | 16,777,216 |
| 172.16.0.0/12 | 172.16.0.0 - 172.31.255.255 | 1,048,576 |
You can mix exact IPs and CIDR ranges in the same list:
server.Firewall.Blacklist.IPs.Add("203.0.113.50"); // single IP
server.Firewall.Blacklist.IPs.Add("198.51.100.0/24"); // entire subnet
A common pattern is to block a broad range but allow specific IPs within that range:
// Block the entire 10.x.x.x range
server.Firewall.Blacklist.Enabled = true;
server.Firewall.Blacklist.IPs.Add("10.0.0.0/8");
// But allow the monitoring server
server.Firewall.Whitelist.Enabled = true;
server.Firewall.Whitelist.IPs.Add("10.1.1.50");
In this example, all IPs in the 10.x.x.x range are blocked except 10.1.1.50, which is whitelisted and bypasses all checks.
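The evaluation order and the block-a-range, allow-one-host pattern above can be modelled offline to review a pair of lists before deploying them. This is an added Python example, not sgcWebSockets code; `parse_entries`, `evaluate` and `audit` are hypothetical names, and the sample configuration is constructed by combining the list entries shown separately on this page.

```python
import ipaddress

def parse_entries(lines):
    """Turn list lines (exact IPs or CIDR ranges) into network objects."""
    # strict=False (an assumption of this model) accepts CIDR entries with host bits set.
    return [ipaddress.ip_network(s.strip(), strict=False) for s in lines if s.strip()]

def evaluate(ip, whitelist, blacklist, wl_enabled=True, bl_enabled=True):
    """Apply the documented order: whitelist, then blacklist, then other checks."""
    addr = ipaddress.ip_address(ip)
    if wl_enabled and any(addr in net for net in whitelist):
        return "allow"      # step 1: no further checks are performed
    if bl_enabled and any(addr in net for net in blacklist):
        return "deny"       # step 2
    return "continue"       # step 3: brute force, rate limiting, etc.

def audit(whitelist, blacklist):
    """List whitelist entries that override part or all of a blacklist entry."""
    findings = []
    for w in whitelist:
        for b in blacklist:
            if w.version != b.version or not w.overlaps(b):
                continue
            # A blacklist entry contained in a whitelist entry can never match.
            kind = ("blacklist entry never applies" if b.subnet_of(w)
                    else "exception inside blocked range")
            findings.append((str(w), str(b), kind))
    return findings

# Constructed sample: the page's separate list examples combined into one configuration.
WHITELIST = parse_entries(["192.168.1.0/24", "10.1.1.50"])
BLACKLIST = parse_entries(["192.168.1.100", "10.0.0.0/8"])

if __name__ == "__main__":
    for ip in ("10.1.1.50", "10.2.3.4", "192.168.1.100", "203.0.113.50"):
        print(ip, evaluate(ip, WHITELIST, BLACKLIST))
    for finding in audit(WHITELIST, BLACKLIST):
        print(finding)
```

The audit separates an intended exception (10.1.1.50 inside the blocked 10.0.0.0/8) from a blacklist entry that a wider whitelist range makes ineffective (192.168.1.100 inside the whitelisted 192.168.1.0/24).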