
Allow or Deny access by client ip range
"Felix Zachlod" <fz.lists(at)sis-gmbh.info>
2013-08-12 11:31:32 [ FULL ]
Hello mailing list,

we just wondered if it was possible with pound to get something working like
an IP range filter.
We have some web services running which are only allowed for certain IP
ranges.

We currently handle this using firewall rules, which has one caveat: we cannot
run different host names on one IP with different filter sets, but to
save IP addresses we would like to do so.

We couldn't find anything like an option that allows only certain IP ranges
to access a service. Does something like this exist?

Thank you in advance,
regards, Felix

Re: [Pound Mailing List] Allow or Deny access by client ip range
Emilio Campos <emilio.campos.martin(at)gmail.com>
2013-08-12 20:40:57 [ FULL ]
As far as I know there isn't support for this, but some member of the list
developed a patch that was not added.

I think that it's very useful and it would be a good moment to think
about including this property.

I attach the thread mail with the patch:

http://www.apsis.ch/pound/pound_list/archive/2011/2011-04/1303208639000/index_html?fullMode=1

2013/8/12 Felix Zachlod <fz.lists(at)sis-gmbh.info>
[...]

[...]

AW: [Pound Mailing List] Allow or Deny access by client ip range
"Felix Zachlod" <fz.lists(at)sis-gmbh.info>
2013-08-13 12:38:08 [ FULL ]
Hello!
[...]

Thanks for the hint. So it seems it does not work right now. But the
suggested patch does not help directly, as we'd need a whitelist and not a
blacklist.

While I think blacklists are not very helpful in general for achieving a
good level of security, I disagree with what Robert was writing. Of course
there should be some security constraints at the application level, but I
don't see why one should not combine this with security in the
network. Of course one needs some kind of authentication/authorization
model in the application, but why not limit the people or systems that are
allowed to talk to the application at all? While it is generally true that
the source IP address is not absolutely safe for filtering requests because it
could be spoofed, in practice it is very hard to set up a TCP handshake
using a foreign IP address without a man-in-the-middle position.

Of course it can be done at the firewall, this is generally what a firewall
does, but this has drawbacks too, as I mentioned. I think this would be a
very good functionality for a web load balancer, especially as I like to
have all this balancing and web request handling stuff in one configuration
place. It is very much overhead to put each and every configuration option
in each of the backend servers, and it has security drawbacks too: e.g. there
is a higher risk that some backend is not configured properly as designed,
and it means that all requests actually reach the backend servers before
being filtered, which they don't if filtering is done at the firewall or at
the balancer/web application firewall.

I know that pound is not a full-featured WAF, but it already has some very
good features to filter requests based on headers and regex matching. We
already use this as a WAF-light, if you want, and I know other companies that
run a full-featured WAF but generally don't have better filtering sets than
we achieve with pound, because the administration overhead is so large if you
want to specify really good filtering rules, and it is susceptible to many
errors too.

So I think filtering based on an IP/subnet whitelist would generally be a
good idea to implement, possibly with a warning not to use this as the only
security level.

And I don't see that this would complicate the usage of pound after
all. This directive could be optional, just like the URL directive, which
means if you don't use it, it does not bother you.

regards, Felix
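The IP/subnet whitelist check proposed in this post, written out as an added example that is not part of the original thread and not Pound's code or configuration syntax. It assumes ranges are given as constructed "a.b.c.d/n" strings, is default-deny, rejects malformed ranges instead of widening them, and is meant to be applied to the TCP peer address rather than to a client-supplied header.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical whitelist check for the feature discussed in the thread;
 * not Pound's code, and the "a.b.c.d/n" entries are a constructed syntax. */
struct cidr { uint32_t net; uint32_t mask; };   /* both in network byte order */

/* Parse "a.b.c.d/n" or a bare "a.b.c.d" (treated as /32).
 * Returns 0 on success, -1 on malformed input, so a typo in a
 * range can never be silently widened into "allow everything". */
int parse_cidr(const char *text, struct cidr *out)
{
    char buf[32], *slash, *end;
    struct in_addr addr;
    long bits = 32;

    if (strlen(text) >= sizeof buf)
        return -1;
    strcpy(buf, text);
    slash = strchr(buf, '/');
    if (slash) {
        *slash = '\0';
        bits = strtol(slash + 1, &end, 10);
        if (slash[1] == '\0' || *end != '\0' || bits < 0 || bits > 32)
            return -1;
    }
    if (inet_pton(AF_INET, buf, &addr) != 1)
        return -1;
    out->mask = bits == 0 ? 0 : htonl(0xFFFFFFFFu << (32 - bits));
    out->net = addr.s_addr & out->mask;   /* drop host bits: 10.1.2.3/24 -> 10.1.2.0 */
    return 0;
}

/* Default deny: the connecting address is accepted only if it lies in at
 * least one whitelisted range. Feed it the TCP peer address, never a
 * header such as X-Forwarded-For, which the client controls. */
int client_allowed(const char *client_ip, const struct cidr *wl, size_t n)
{
    struct in_addr addr;
    size_t i;

    if (inet_pton(AF_INET, client_ip, &addr) != 1)
        return 0;                          /* unparsable -> deny */
    for (i = 0; i < n; i++)
        if ((addr.s_addr & wl[i].mask) == wl[i].net)
            return 1;
    return 0;
}
```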

AW: [Pound Mailing List] Allow or Deny access by client ip range
van Melis Jean-Pierre <jp(at)mirmana.com>
2013-08-15 14:12:47 [ FULL ]
> Of course it can be done at the firewall- this is generally what a
firewall[...]


Exactly.... That's the job of a firewall.


Can you explain these "drawbacks" of using the firewall to do this....?


From a performance/security viewpoint it's a very bad idea to let this get
handled at application level. On Linux one has netfilter, which does its job,
does it well, is properly tested and can be enhanced using extra modules.

AW: [Pound Mailing List] Allow or Deny access by client ip range
"Felix Zachlod" <fz.lists(at)sis-gmbh.info>
2013-08-15 15:09:53 [ FULL ]
> > does- but this has drawbacks too as I mentioned....[...]

Yes, of course. The firewall does not know anything about the upper layer
protocols and cannot filter based on a decision such as which path is going to be
accessed or which virtual host. This means we have to create different access
locations for different user groups, which leads to a waste of IP addresses and a
complication of the whole configuration. Of course I know that firewall rule
matching is way faster than a check on the application level, but it can do
less. E.g. you could also decide by IP range whether a client is forced to use SSL,
or is redirected to another service, or is forced to a backend which requires
authentication, and so on, very easily within an application level gateway. You
are also able to show decent information to the user why his/her access is not
being granted right now. Performance of this checking is really no problem for
us. We run a clustered pound setup with two virtual machines, each with two
virtual CPUs. These are far from being fully utilized; let me say they
could at least handle fifty times more users right now, although they are doing
SSL offloading and load balancing for around 10 portals with hundreds of users,
and although we already have a lot of rules with large regex sets within our
configs.

I don't see why an application level gateway like pound should NOT
feature such an IP based filtering rule. You are still able to decide yourself if
you want to use it and if it meets your requirements or not; if you need the
additional performance, decide to do it with your firewall.

Regards, Felix

Re: [Pound Mailing List] Allow or Deny access by client ip range
Emilio Campos <emilio.campos.martin(at)gmail.com>
2013-08-15 19:19:43 [ FULL ]
I totally agree with Felix!


2013/8/15 Felix Zachlod <fz.lists(at)sis-gmbh.info>
[...]

[...]
