Scope Manager
Override which networks count as internal/external, plus a hard deny list. Applies to every probe.
Default scope
Set at install: internal, external, or both. Meridian uses it to prevent accidentally scanning a public address from an internal-only deployment (or vice versa).
Per-network overrides
- Add a CIDR + label. Example: 10.0.0.0/8 → internal; 203.0.113.0/24 → external.
- Overlapping rules: most-specific prefix wins.
Deny list
A second layer: CIDRs that are always rejected regardless of scope. Use for things you should never probe — link-local, cloud metadata endpoints (169.254.169.254), broadcast addresses, your own management VLAN.
What enforces this
Every tool in Network Tools and DNS Tools calls enforce_scope(host, scope) before invoking the sandbox. Bypassing it requires code changes — not a config.
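How the rules above combine, as an added example that is not Meridian's own code: check_scope is a hypothetical stand-in for the scope check and accepts IP literals only. The 10.20.0.0/16 and 10.99.0.0/24 entries are constructed, and classifying unlabelled private addresses as internal is an assumption.

```python
import ipaddress

# Constructed sample policy, not Meridian's shipped configuration.
OVERRIDES = {                      # CIDR -> label
    "10.0.0.0/8": "internal",      # from the page's example
    "203.0.113.0/24": "external",  # from the page's example
    "10.20.0.0/16": "external",    # constructed overlap inside 10.0.0.0/8
}
DENY = ["169.254.0.0/16", "10.99.0.0/24"]  # link-local; constructed mgmt VLAN


def classify(ip):
    """Return the label of the most-specific matching override.

    Assumption: addresses with no override fall back to private = internal.
    """
    best = None
    for cidr, label in OVERRIDES.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, label)
    if best:
        return best[1]
    return "internal" if ip.is_private else "external"


def check_scope(host, scope):
    """Hypothetical stand-in for a scope check; returns (allowed, reason)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False, "not an IP literal"  # fail closed; DNS resolution omitted
    # Deny list is evaluated first, so no override or scope can re-allow it.
    for cidr in DENY:
        if ip in ipaddress.ip_network(cidr):
            return False, f"deny list {cidr}"
    label = classify(ip)
    if scope != "both" and label != scope:
        return False, f"{label} target outside {scope} scope"
    return True, label


if __name__ == "__main__":
    for h in ["10.1.2.3", "10.20.5.5", "10.99.0.7", "169.254.169.254", "203.0.113.9"]:
        print(h, check_scope(h, "internal"))
```

The deny check runs before classification, so a denied address stays rejected even when the scope is both.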
Gotchas
- Changing your install's default scope from internal to both is a policy change worth advertising to users — internal-tooling expectations may have developed.