Page Created :
qpid :
Firewall Configuration
Firewall Configuration has been created by Aidan Skinner (Apr 22, 2009). Content:ConfigurationThe access restrictions apply either to the server as a whole or too a particular virtualhost. Rules are evaluated in the virtualhost first, then the server as a whole (most-specific to least-specific). This allows whole netblocks to be restricted from all but one virtualhost. A <firewall> element would appear in either the <broker><security> section or inside the equivalent <virtualhost><security> element. Elements inside <firewall> would be <rule> or <xml file="path"/> which can be used to include further rules at that point in the rule chain. <rule> must have action and either hostname or network attributes. The action attribute must be either allow or deny. Host contains a comma seperated list of <a href="">regexps</a> against which it would match the reverse dns lookup of the connecting IP. Network contains a comma seperated list of of CIDR networks against which the IP would be matched. The first <rule> which matched the connection would apply. If no rules applied, the default-action would apply. For example, the following could appear in config.xml: <firewall default-action="" class="code-quote">"deny"> <rule permission="allow" hostname="*.qpid.apache.org"/> <xml file="/path/to/file" /> <rule permission="allow" network="192.168.1.0/24" /> <rule permission="allow" network="10.0.0.0/8" /> </firewall > [...] <virtualhosts> <virtualhost> <name>prod</name> <prod> <security> <firewall> <rule permission="deny" network="192.168.1.0/24"/> </firewall> </security> </prod> </virtualhost> </virtualhosts> any machine in the qpid.apache.org domain could access dev. Changes would be possible while broker was running via commons-configuration magic when the file is editted. Existing connections would be unaffected by a new rule. |
Unsubscribe or edit your notifications preferences