HELIOS Base User manual

A 2 IP configuration – Reference Part

In the following, we give you a rather short summary of configurations we recommend when using TCP/IP.

Access
control via
addresses and domains
(under UNIX)

IP access configuration can be performed under UNIX using the EtherShare Admin or PCShare Admin programs, or using an editor such as vi. The "Admin solution" is much easier and more convenient. For more details, please read 4.5 "HELIOS TCP/IP security overview", and also
ipaccess in 5.8 "HELIOSDIR/var/conf".

If you modify the "ipaccess" configuration file directly this does not require performing "stop-helios" followed by "start-helios". HELIOS Base will read the configuration file on every login.

"HELIOSDIR/var/conf" lists those IP addresses and domains who are allowed to connect to the specified host. This file may contain the following statements:

allow ipaddr/mask
deny ipaddr/mask
allowdomain do.main
denydomain do.main

If the file is empty - or not present at all - access is allowed to any client, which corresponds to:

(allow 0.0.0.0/0.0.0.0).

The IP address 0.0.0.0 with the mask 0.0.0.0 matches any address, it is thus a good idea to use the statement:

deny 0.0.0.0/0.0.0.0

as the last line in the access file and only explicitly allow access to selected networks or IP numbers. You can grant access to the class C net 192.9.200 only using the following statements:

allow 192.9.200.0/255.255.255.0
deny 0.0.0.0/0.0.0.0

The mask (255.255.255.0 in the example) specifies the significant bits that are to be compared against the IP number. If the mask is not specified, it is assumed to be 255.255.255.255, meaning that it will match the number exactly. The example:

allow 192.9.200.1
deny 0.0.0.0/0.0.0.0

will thus allow access to a single machine only, namely to 192.9.200.1.

The IP address can also be specified as a normal host name, it must then be resolvable through the configured name service, e.g. DNS or NIS. If DNS or NIS is properly configured to resolve host names, you can also use domain-based access controls.

The statement:

denydomain hacker.com

will deny access to any IP number that resolves to a host name that ends with the domain hacker.com. The allowdomain statement works the other way round:

allowdomain company.com
deny 0.0.0.0/0.0.0.0

would allow access to any machine that uses an IP address that resolves to a host name ending in company.com.

The domain-based access controls do cause a reverse lookup for the host name of every IP address that is used to connect to the server. If you use any IP addresses that do not have reverse mapping, time-outs might occur that slow down establishing a connection to the server. Please note that anybody who owns the reverse mapping of a set of IP addresses can specify arbitrary domains in his reverse DNS mapping, not only his own domains.

Error messages

The following error message may occur if the search domain is not set in the network settings of the host:

"Can't get IP-Address for hostname (%s). Please check network configuration. Error (%d)."