qpid-commits mailing list archives

From conflue...@apache.org
Subject [CONF] Apache Qpid > Firewall Configuration
Date Fri, 13 Nov 2009 12:51:00 GMT
<html>
<head>
    <base href="http://cwiki.apache.org/confluence">
            <link rel="stylesheet" href="/confluence/s/1519/1/1/_/styles/combined.css?spaceKey=qpid&amp;forWysiwyg=true"
type="text/css">
    </head>
<body style="background-color: white" bgcolor="white">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
     <h2><a href="http://cwiki.apache.org/confluence/display/qpid/Firewall+Configuration">Firewall
Configuration</a></h2>
     <h4>Page <b>edited</b> by             <a href="http://cwiki.apache.org/confluence/display/~robbie">Robbie
Gemmell</a>
    </h4>
     
          <br/>
     <div class="notificationGreySide">
         <h2><a name="FirewallConfiguration-Configuration"></a>Configuration</h2>

<p>The access restrictions apply either to the server as a whole or to a particular
virtualhost. Rules are evaluated in the virtualhost first, then in the server as a whole (most-specific
to least-specific). This allows whole netblocks to be restricted from all but one virtualhost.
A &lt;firewall&gt; element appears either in the &lt;broker&gt;&lt;security&gt;
section or inside the equivalent &lt;virtualhost&gt;&lt;security&gt; element.</p>

<p>Elements inside &lt;firewall&gt; are &lt;rule&gt; or &lt;xml fileName="path"/&gt;, which
includes the rules from the named file at that point in the rule chain.</p>

<p>&lt;rule&gt; must have an access attribute and either a hostname or a network attribute.
The access attribute must be either allow or deny. hostname contains a comma separated list of
<a href="http://java.sun.com/docs/books/tutorial/essential/regex/" rel="nofollow">regexps</a>
matched against the reverse DNS lookup of the connecting IP; since that name comes from the PTR record
published by whoever runs the reverse zone for the client's address range, network rules are the stronger
control. network contains a comma separated list of CIDR networks against which the IP is matched;
a bare address such as 192.168.1.2 matches only that host.</p>

<p>The first &lt;rule&gt; that matches the connection applies, so the order of the rules matters. If no
rule matches, the default-action applies; a virtualhost &lt;firewall&gt; with no default-action falls
through to the server-wide rules.</p>

<p>For example, the following could appear in config.xml:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
&lt;broker&gt;
  &lt;security&gt;
    &lt;firewall <span class="code-keyword">default</span>-action=<span
class="code-quote">"deny"</span>&gt;
      &lt;rule access=<span class="code-quote">"allow"</span> hostname=<span
class="code-quote">".*\.qpid\.apache\.org"</span>/&gt;
      &lt;xml fileName=<span class="code-quote">"/path/to/file"</span> /&gt;
      &lt;rule access=<span class="code-quote">"allow"</span> network=<span
class="code-quote">"192.168.1.0/24"</span> /&gt;
      &lt;rule access=<span class="code-quote">"allow"</span> network=<span
class="code-quote">"10.0.0.0/8"</span> /&gt;
    &lt;/firewall&gt;
  &lt;/security&gt;
&lt;/broker&gt;

[...]
&lt;virtualhosts&gt;
  &lt;virtualhost&gt;
    &lt;name&gt;prod&lt;/name&gt;
    &lt;prod&gt;
      &lt;security&gt;
        &lt;firewall&gt;
          &lt;rule access=<span class="code-quote">"deny"</span> network=<span
class="code-quote">"192.168.1.0/24"</span>/&gt;
        &lt;/firewall&gt;
      &lt;/security&gt;
     &lt;/prod&gt;
  &lt;/virtualhost&gt;
&lt;/virtualhosts&gt;
</pre>
</div></div>
<p>Any machine in the 192.168.1.0/24 network is allowed access to any virtualhost
other than prod, where the virtualhost's deny rule is evaluated first and wins even if the machine's
reverse DNS name is in qpid.apache.org.<br/>
Any other machine whose reverse DNS name is in the qpid.apache.org domain is allowed access to any virtualhost.<br/>
Any machine in the 10.0.0.0/8 network is allowed access to any virtualhost.<br/>
Any other machine is denied access.</p>

<p>Changes take effect while the broker is running: commons-configuration reloads the file
when it is edited. Existing connections are unaffected by a new rule, so adding a deny rule does not
disconnect clients that are already connected.</p>
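<p>As an added example (not code from the Qpid project or from this page), the following Python script
dry-runs a config.xml fragment against the evaluation order described above: it parses the broker and
virtualhost &lt;firewall&gt; elements, applies the virtualhost rules before the broker rules, takes the
first matching &lt;rule&gt;, and falls back to default-action. It assumes the rule attribute is spelled
access as in the examples on this page, that a hostname regex has to match the whole reverse-DNS name,
that a broker with no default-action fails closed, and it does not expand &lt;xml fileName="..."/&gt;
includes; a bare address in a network attribute is treated as a /32. The embedded config.xml fragment is
constructed to mirror the example above.</p>

```python
"""Dry-run evaluator for <firewall> rules: an added example, not Qpid's own code.
Order as documented above: virtualhost rules first, then broker-wide rules; the first
matching <rule> wins; otherwise that firewall's default-action. Assumed, not stated on
the page: the attribute is spelled `access`, a hostname regex must match the whole
reverse-DNS name (re.fullmatch), a broker without default-action fails closed, and
<xml fileName="..."/> includes are not expanded. CONFIG_XML is a constructed fragment."""
import ipaddress
import re
import xml.etree.ElementTree as ET

CONFIG_XML = r"""<broker>
  <security>
    <firewall default-action="deny">
      <rule access="allow" hostname=".*\.qpid\.apache\.org"/>
      <rule access="allow" network="192.168.1.0/24"/>
      <rule access="allow" network="10.0.0.0/8"/>
    </firewall>
  </security>
  <virtualhosts>
    <virtualhost>
      <name>prod</name>
      <prod>
        <security>
          <firewall>
            <rule access="deny" network="192.168.1.0/24"/>
          </firewall>
        </security>
      </prod>
    </virtualhost>
  </virtualhosts>
</broker>"""


def _split(value):
    return [p.strip() for p in (value or "").split(",") if p.strip()]


def hostname_matches(hostname_regex, rdns):
    return re.fullmatch(hostname_regex, rdns) is not None  # whole-name match (assumption)


def pattern_is_valid(hostname_regex):
    """False for values such as "*.qpid.apache.org" that are not a valid regex."""
    try:
        return re.compile(hostname_regex) is not None
    except re.error:
        return False


class Rule:
    def __init__(self, elem):
        access = elem.get("access")
        if access not in ("allow", "deny"):
            raise ValueError(f"access must be allow or deny, got {access!r}")
        self.allow = access == "allow"
        self.networks = [ipaddress.ip_network(n, strict=False) for n in _split(elem.get("network"))]
        self.hostnames = [re.compile(h).pattern for h in _split(elem.get("hostname"))]  # bad regex fails at load
        if not self.networks and not self.hostnames:
            raise ValueError("rule needs a hostname or network attribute")

    def matches(self, ip, rdns):
        if any(ipaddress.ip_address(ip) in net for net in self.networks):
            return True
        # rdns is the client's PTR name, chosen by whoever runs that reverse zone; network rules are stronger.
        return rdns is not None and any(hostname_matches(h, rdns) for h in self.hostnames)


class Firewall:
    def __init__(self, elem):
        self.default = elem.get("default-action")  # None for a virtualhost firewall that falls through
        if self.default not in (None, "allow", "deny"):
            raise ValueError(f"bad default-action {self.default!r}")
        self.rules = [Rule(r) for r in elem.findall("rule")]

    def decide(self, ip, rdns):
        """Verdict of the first matching rule, else default-action (None: no opinion)."""
        for rule in self.rules:
            if rule.matches(ip, rdns):
                return "allow" if rule.allow else "deny"
        return self.default


def load(config_xml):
    """Return (broker firewall, {virtualhost name: its firewall})."""
    root = ET.fromstring(config_xml)
    broker_fw = Firewall(root.find("security/firewall"))
    vhost_fws = {}
    for vh in root.findall("virtualhosts/virtualhost"):
        name = vh.findtext("name")
        fw = vh.find(f"{name}/security/firewall")
        if fw is not None:
            vhost_fws[name] = Firewall(fw)
    return broker_fw, vhost_fws


def check(broker_fw, vhost_fws, vhost, ip, rdns=None):
    """Decide a connection from ip (reverse-DNS name rdns, or None) to vhost."""
    vhost_fw = vhost_fws.get(vhost)
    if vhost_fw is not None:
        verdict = vhost_fw.decide(ip, rdns)
        if verdict is not None:  # the most-specific scope decided
            return verdict
    verdict = broker_fw.decide(ip, rdns)
    return verdict if verdict is not None else "deny"  # assumption: fail closed


if __name__ == "__main__":
    print(check(*load(CONFIG_XML), "dev", "192.168.1.7"), check(*load(CONFIG_XML), "prod", "192.168.1.7"))  # allow deny
```

<p>Run it directly to see the dev and prod verdicts for 192.168.1.7, or call check() with a reverse-DNS
name to exercise the hostname rules. pattern_is_valid shows why a glob such as *.qpid.apache.org is
rejected as a regex, and hostname_matches shows that an unescaped pattern such as .*bar.com also matches
foobar.com, which is why the dots in the examples below are escaped.</p>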

<h2><a name="FirewallConfiguration-Examples"></a>Examples</h2>

<p>Denying everybody but foo.bar.com:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
&lt;firewall <span class="code-keyword">default</span>-action=<span class="code-quote">"deny"</span>&gt;
  &lt;rule access=<span class="code-quote">"allow"</span> hostname=<span
class="code-quote">"foo\.bar\.com"</span>/&gt;
&lt;/firewall&gt;
</pre>
</div></div>

<p>Denying everybody outside the bar.com domain (the dots are escaped so that, for example, foobar.com does not match):</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
&lt;firewall <span class="code-keyword">default</span>-action=<span class="code-quote">"deny"</span>&gt;
  &lt;rule access=<span class="code-quote">"allow"</span> hostname=<span
class="code-quote">".*\.bar\.com"</span>/&gt;
&lt;/firewall&gt;
</pre>
</div></div>

<p>Allowing everybody except Baxcorp:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
&lt;firewall <span class="code-keyword">default</span>-action=<span class="code-quote">"allow"</span>&gt;
  &lt;rule access=<span class="code-quote">"deny"</span> hostname=<span
class="code-quote">".*baxcorp.*"</span>/&gt;
&lt;/firewall&gt;
</pre>
</div></div>

<p>Deny everybody except one machine:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
&lt;firewall <span class="code-keyword">default</span>-action=<span class="code-quote">"deny"</span>&gt;
  &lt;rule access=<span class="code-quote">"allow"</span> network=<span
class="code-quote">"192.168.1.2"</span>/&gt;
&lt;/firewall&gt;
</pre>
</div></div>

<p>Allow everybody except one machine:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
&lt;firewall <span class="code-keyword">default</span>-action=<span class="code-quote">"allow"</span>&gt;
  &lt;rule access=<span class="code-quote">"deny"</span> network=<span
class="code-quote">"192.168.1.2"</span>/&gt;
&lt;/firewall&gt;
</pre>
</div></div>

<p>Deny everybody except machines in the range 192.168.1.0-192.168.1.255:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
&lt;firewall <span class="code-keyword">default</span>-action=<span class="code-quote">"deny"</span>&gt;
  &lt;rule access=<span class="code-quote">"allow"</span> network=<span
class="code-quote">"192.168.1.0/24"</span>/&gt;
&lt;/firewall&gt;
</pre>
</div></div>

<p>Allow everybody except machines in the range 192.168.1.0-192.168.1.255:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
&lt;firewall <span class="code-keyword">default</span>-action=<span class="code-quote">"allow"</span>&gt;
  &lt;rule access=<span class="code-quote">"deny"</span> network=<span
class="code-quote">"192.168.1.0/24"</span>/&gt;
&lt;/firewall&gt;
</pre>
</div></div>

<p>Allow everybody except machines in the range 192.168.0.0-192.168.255.255, unless the machine
is 192.168.1.2, has the magic word in its hostname or is in the range 192.168.23.0-192.168.23.255.
The three allow rules must precede the deny rule, since the first matching rule applies:</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
&lt;firewall <span class="code-keyword">default</span>-action=<span class="code-quote">"allow"</span>&gt;
  &lt;rule access=<span class="code-quote">"allow"</span> network=<span
class="code-quote">"192.168.1.2"</span>/&gt;
  &lt;rule access=<span class="code-quote">"allow"</span> hostname=<span
class="code-quote">".*please.*"</span>/&gt;
  &lt;rule access=<span class="code-quote">"allow"</span> network=<span
class="code-quote">"192.168.23.0/24"</span>/&gt;
  &lt;rule access=<span class="code-quote">"deny"</span> network=<span
class="code-quote">"192.168.0.0/16"</span>/&gt;
&lt;/firewall&gt;
</pre>
</div></div>

<p>Complete example configuration files are attached to this page:</p>
<table class="tableview attachments">
<tr>
  <th>Name</th>
  <th>Size</th>
  <th>Creator (Last Modifier)</th>
  <th>Creation Date</th>
  <th>Last Mod Date</th>
</tr>
<tr><td><a href="/confluence/download/attachments/115461/firewall-test-1-no-restrictions.xml">firewall-test-1-no-restrictions.xml</a></td><td>3 kB</td><td><a href="/confluence/display/~aidan">Aidan Skinner</a></td><td>Apr 22, 2009</td><td>Apr 22, 2009</td></tr>
<tr><td><a href="/confluence/download/attachments/115461/firewall-test-2-allow-client-deny-default.xml">firewall-test-2-allow-client-deny-default.xml</a></td><td>3 kB</td><td><a href="/confluence/display/~aidan">Aidan Skinner</a></td><td>Apr 22, 2009</td><td>Apr 22, 2009</td></tr>
<tr><td><a href="/confluence/download/attachments/115461/firewall-test-3-deny-hostname-allow-default.xml">firewall-test-3-deny-hostname-allow-default.xml</a></td><td>3 kB</td><td><a href="/confluence/display/~aidan">Aidan Skinner</a></td><td>Apr 22, 2009</td><td>Apr 22, 2009</td></tr>
<tr><td><a href="/confluence/download/attachments/115461/firewall-test-4-allow-ip-deny-default.xml">firewall-test-4-allow-ip-deny-default.xml</a></td><td>3 kB</td><td><a href="/confluence/display/~aidan">Aidan Skinner</a></td><td>Apr 22, 2009</td><td>Apr 22, 2009</td></tr>
<tr><td><a href="/confluence/download/attachments/115461/firewall-test-5-deny-ip-allow-default.xml">firewall-test-5-deny-ip-allow-default.xml</a></td><td>3 kB</td><td><a href="/confluence/display/~aidan">Aidan Skinner</a></td><td>Apr 22, 2009</td><td>Apr 22, 2009</td></tr>
<tr><td><a href="/confluence/download/attachments/115461/firewall-test-6-allow-cidr-deny-default.xml">firewall-test-6-allow-cidr-deny-default.xml</a></td><td>3 kB</td><td><a href="/confluence/display/~aidan">Aidan Skinner</a></td><td>Apr 22, 2009</td><td>Apr 22, 2009</td></tr>
<tr><td><a href="/confluence/download/attachments/115461/firewall-test-7-deny-cidr-allow-default.xml">firewall-test-7-deny-cidr-allow-default.xml</a></td><td>3 kB</td><td><a href="/confluence/display/~aidan">Aidan Skinner</a></td><td>Apr 22, 2009</td><td>Apr 22, 2009</td></tr>
</table>
     </div>
</div>
</div>
</div>
</div>
</body>
</html>

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:commits-subscribe@qpid.apache.org

