Info |
---|
This page applies to Java Broker versions before 0.20. |
Configuration
The access restrictions apply either to the server as a whole or to a particular virtualhost. Rules are evaluated in the virtualhost first, then the server as a whole (most-specific to least-specific). This allows whole netblocks to be restricted from all but one virtualhost. A <firewall> element would appear in either the <broker><security> section or inside the equivalent <virtualhost><security> element.
Elements inside <firewall> would be <rule> or <xml fileName="path"/> which can be used to include further rules at that point in the rule chain.
<rule> must have action and either hostname or network attributes. The action attribute must be either allow or deny. Host contains a comma seperated list of regexps against which it would match the reverse dns lookup of the connecting IP. Network contains a comma seperated list of of CIDR networks against which the IP would be matched.
The first <rule> which matched the connection would apply. If no rules applied, the default-action would apply.
For example, the following could appear in config.xml:
Code Block |
---|
<broker> <security> <firewall default-action="deny"> <rule access="allow" hostname=".*\.qpid\.apache\.org"/> <rule access="allow" network="192.168.1.0/24" /> <rule access="allow" network="10.0.0.0/8" /> </firewall > </security> </broker> |
And the following could appear in virtualhosts.xml:
Code Block |
---|
<virtualhosts> <virtualhost> <name>prod</name> <prod> <security> <firewall> <rule access="deny" network="192.168.1.0/24"/> </firewall> </security> </prod> </virtualhost> </virtualhosts> |
Any machine in the 192.168.1.0/24 network would be allowed access to any virtualhost other than prod
Any machine in the qpid.apache.org domain would be allowed access to any virtualhost
Any machine in the 10.0.0.0/8 network would be allowed access to any virtual host
Any other machine would be denied access.
Changes would be possible while broker was running via commons-configuration magic when the file is edited. Existing connections would be unaffected by a new rule.
Examples
Denying everybody but foo.bar.com:
Code Block |
---|
<firewall default-action="deny"> <rule access="allow" hostname="foo\.bar\.com"/> </firewall> |
Denying everybody except those from with the bar.com domains:
Code Block |
---|
<firewall default-action="deny"> <rule access="allow" hostname=".*\.bar\.com"/> </firewall> |
Allowing everybody except those with baxcorp within the hostname:
Code Block |
---|
<firewall default-action="allow"> <rule access="deny" hostname=".*baxcorp.*"/> </firewall> |
Deny everybody except one machine:
Code Block |
---|
<firewall default-action="deny"> <rule access="allow" network="192.168.1.2"/> </firewall> |
Allow everybody except one machine:
Code Block |
---|
<firewall default-action="allow"> <rule access="deny" network="192.168.1.2"/> </firewall> |
Deny everybody except machines in the range 192.168.1.0-192.168.1.255
Code Block |
---|
<firewall default-action="deny"> <rule access="allow" network="192.168.1.0/24"/> </firewall> |
Allow everybody except machines in the range 192.168.1.0-192.168.1.255
Code Block |
---|
<firewall default-action="allow"> <rule access="deny" network="192.168.1.0/24"/> </firewall> |
Allow everybody except machines in the range 192.168.0.0-192.168.255.255 unless it's 192.168.1.2, has the magic word in the hostname or is in the IP range 192.168.23.0-192.168.23.255
Code Block |
---|
<firewall default-action="allow"> <rule access="allow" network="192.168.1.2"/> <rule access="allow" hostname=".*please.*"/> <rule access="allow" network="192.168.23.0/24"/> <rule access="deny" network="192.168.0.0/16"/> </firewall> |
Example using the <xml/> element to include firewall rules from another file:
Code Block |
---|
<firewall default-action="deny"> <xml fileName="/path/to/myrules.xml" /> </firewall> |
and myrules.xml contains the rules themselves:
Code Block |
---|
<firewall> <rule access="allow" network="192.168.0.0/16"/> </firewall> |
Complete example configuration files are attached to this page:
Attachments | ||
---|---|---|
|