HELIOS Base UB2 User manual (Version 3.0.0)  
 

B IP configuration – Reference Part

In the following, we give you a rather short summary of configurations we recommend when using TCP/IP.

Access control via addresses and domains (under UNIX)

IP access configuration can be performed using HELIOS Admin or using an editor. The “Admin solution” is much easier and more convenient. For more details, please read 4.6 “HELIOS TCP/IP security overview”, and also ipaccess in 6.8 “HELIOSDIR/var/conf”.

If you modify the “ipaccess” configuration file directly, this does not require performing “stop-helios” followed by “start-helios”. HELIOS Base will read the configuration file on every login.

“HELIOSDIR/var/conf/ipaccess” lists those IP addresses and domains that are allowed to connect to the specified host. This file may contain the following statements:

        allow ipaddr/mask 
        deny ipaddr/mask 
        allowdomain domain 
        denydomain domain

If the file is empty – or not present at all – access is allowed to any client, which would correspond to:

        allow 0.0.0.0/0.0.0.0

The IP address 0.0.0.0 with the mask 0.0.0.0 matches any address. It is thus a good idea to use the statement:

        deny 0.0.0.0/0.0.0.0

as the last line in the access file and only explicitly allow access to selected networks or IP numbers. You can grant access to the class C net 192.9.200 only using the following statements:

        allow 192.9.200.0/255.255.255.0 
        deny 0.0.0.0/0.0.0.0

The mask (255.255.255.0 in the example) specifies the significant bits that are to be compared against the IP number. If no mask is specified, it is assumed to be 255.255.255.255, meaning that it will match the number exactly. The example:

        allow 192.9.200.1 
        deny 0.0.0.0/0.0.0.0

will thus allow access to a single machine only, namely to 192.9.200.1.

The IP address can also be specified as a normal host name; it must then be resolvable through the configured name service, e.g. DNS or NIS. If DNS or NIS is properly configured to resolve host names, you can also use domain-based access controls.

The statement:

        denydomain hacker.com

will deny access to any IP number that resolves to a host name that ends with the domain hacker.com. The allowdomain statement works the other way round:

        allowdomain company.com 
        deny 0.0.0.0/0.0.0.0 

would allow access to any machine that uses an IP address that resolves to a host name ending in company.com.

The domain-based access controls cause a reverse lookup for the host name of every IP address that is used to connect to the server. If any of these IP addresses have no reverse mapping, time-outs might occur that slow down establishing a connection to the server. Please note that anybody who owns the reverse mapping of a set of IP addresses can specify arbitrary domains in that reverse DNS mapping, not only their own domains. An allowdomain match therefore shows only what the reverse mapping says, not that the client actually belongs to that domain.
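The following sketch is an added example, not HELIOS code. It evaluates ipaccess-style statements the way this section describes them, so a rule set can be checked against sample client addresses before it is deployed. Assumptions: rules are tried top to bottom and the first match decides, an address matching no rule is allowed, "ends with" is taken at a DNS label boundary, and only dotted-quad addresses are handled; the names `parse_rules`, `is_allowed` and `PTR` are hypothetical.

```python
import ipaddress

def parse_rules(text):
    """Parse ipaccess-style statements into (action, kind, value) tuples."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # blank or malformed line: skipped in this sketch
        keyword, arg = parts
        if keyword in ("allow", "deny"):
            addr, _, mask = arg.partition("/")
            mask = mask or "255.255.255.255"  # no mask given: exact match
            value = (int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(mask)))
            rules.append((keyword, "net", value))
        elif keyword in ("allowdomain", "denydomain"):
            rules.append((keyword[:-len("domain")], "domain", arg.lower()))
    return rules

def is_allowed(rules, client_ip, reverse_lookup=lambda ip: None):
    """Return True if client_ip may connect; reverse_lookup maps IP to PTR name."""
    if not rules:
        return True  # empty or missing file: any client is allowed
    ip = int(ipaddress.IPv4Address(client_ip))
    for action, kind, value in rules:
        if kind == "net":
            addr, mask = value
            hit = (ip & mask) == (addr & mask)  # compare only the significant bits
        else:
            name = (reverse_lookup(client_ip) or "").lower().rstrip(".")
            # Assumption: the domain must match at a label boundary.
            hit = name == value or name.endswith("." + value)
        if hit:
            return action == "allow"  # assumption: first matching rule decides
    return True  # assumption: an address matching no rule is allowed

# Constructed sample rule set and constructed reverse-DNS data for the demo.
SAMPLE = """\
allow 192.9.200.0/255.255.255.0
allowdomain company.com
deny 0.0.0.0/0.0.0.0
"""
# The PTR name is chosen by whoever owns the address block, not by company.com.
PTR = {"203.0.113.7": "gw.company.com"}
RULES = parse_rules(SAMPLE)

if __name__ == "__main__":
    for ip in ("192.9.200.77", "192.9.201.1", "203.0.113.7"):
        print(ip, "allowed" if is_allowed(RULES, ip, PTR.get) else "denied")
```

The third address is admitted purely because of its reverse mapping, which is the limitation noted above; address/mask rules do not depend on DNS data.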

Error messages

The following error message may occur if the search domain is not set in the network settings of the host:

        "Can’t get IP-Address for hostname (%s). Please check 
        network configuration. Error (%d)."

HELIOS Website © 2011 HELIOS Software GmbH  
HELIOS Manuals May 17, 2013