Restrict what IP the web server runs on

  • 1.  Restrict what IP the web server runs on

    Posted Oct 21, 2021 05:27 AM

    As I have quite a few VLANs, it seems that the SSL web server is listening on each interface.

    Is there a way to restrict it to a single IP?

    Thanks

     

    Seb




  • 2.  RE: Restrict what IP the web server runs on

    EMPLOYEE
    Posted Oct 21, 2021 05:33 AM

    Hello  spgsitsupport,

    What device are you asking about?

    Usually this can be done with an ACL restricting traffic to the IP address which you do not want to be reached on.

    Hope this helps!



  • 3.  RE: Restrict what IP the web server runs on

    Posted Oct 21, 2021 05:37 AM

    HPE 5900AF

    How do I craft the ACL to block https 443 on each interface but one?

    I am not worried about the source (yet), just the destination.

    It would be so much easier/more elegant to just specify the IP that the web server is to be bound to (i.e. the IP in VLAN 14 and no other).

    Thanks

     

    Seb



  • 4.  RE: Restrict what IP the web server runs on

    EMPLOYEE
    Posted Oct 21, 2021 07:01 AM

    If VLAN14 has IP of 192.168.14.1/24, then this should do it:


    system-view
    #
    acl number 3333
     rule 5 permit tcp source any destination 192.168.14.1 0 destination-port eq 443
     rule 10 deny tcp source any destination any destination-port eq 443
     rule 15 permit ip
    #
    undo ip http enable
    undo ip https enable
    ip https acl 3333
    ip https port 443
    ip https enable
    #
    return




  • 5.  RE: Restrict what IP the web server runs on

    Posted Oct 21, 2021 07:23 AM

    Seems that https can only have an ACL from 2000-2999 assigned:

    [HPE5900-SR1]ip https acl ?
    INTEGER<2000-2999> ACL number

    and they cannot use permit tcp (only a source can be selected),

    like per:

    https://www.networktasks.co.uk/environments/hp/comware-v5/hardening-comware-5-devices

    or

    https://community.hpe.com/t5/Comware-Based/Management-ACL-for-HPE-5510/td-p/7067710#.YXE12fI6h5c

    but that is not what I want (for now)

    [HPE5900-SR1-acl-basic-2314]rule 5 permit tcp
    ^
    % Too many parameters found at '^' position.
    [HPE5900-SR1-acl-basic-2314]rule 5 permit ?
    counting Specify rule counting
    fragment Check fragment packet
    logging Log matched packet
    source Specify a source address
    time-range Specify a special time
    vpn-instance Specify VPN-Instance
    <cr>



  • 6.  RE: Restrict what IP the web server runs on

    EMPLOYEE
    Posted Oct 21, 2021 07:47 AM

    Yes, it seems you are right: that command accepts only basic ACLs, therefore the available rules are quite limited. You can only use permit/deny without any protocol, so it will match all packets. Also you can't use destination and destination-port. Which completely destroys the idea of a small and elegant ACL applied specifically to the HTTP/S process.

    Ok, then you are left with the option suggested by @-Alex-: "Usually this can be done with an ACL restricting traffic to the IP address which you do not want to be reached on."

     



  • 7.  RE: Restrict what IP the web server runs on

    Posted Oct 21, 2021 08:27 AM

    OK, but...

    Assume the client is on VLAN 10, with an ACL applied to Vlan10 inbound; I can stop access to the web server of the HPE5900 on the IP (192.168.21.254) for VLAN 21:

    rule 3 deny tcp source any destination-port eq 443 destination 192.168.21.254 0.0.0.0

    rule 4 for another vlan

    rule 5 for yet another vlan

    etc

    etc

    It is an UGLY solution, requiring so many "unnecessary" entries in a very long ACL that must be applied to each VLAN that clients might exist in (Staff/Students etc).

    Had to make an ACL with 21 lines for https port 443 & 21 lines for ssh port 22 (one per IP of each existing routed VLAN) and apply it to 4 separate VLAN interfaces that clients can be in.

    If there was no ACL applied (because I do not need any restrictions on them), it worked fine; on one that already had an ACL applied it gave me an error of sorts:

     

    interface Vlan-interface88
     ip address 192.168.88.254 255.255.255.0
     packet-filter filter route
     packet-filter 3088 inbound
    #
    return
    [HPE5900-SR1-Vlan-interface88] packet-filter 3333 inbound
    Failed to apply ACL 3333 to the inbound direction of interface Vlan-interface88 on slot 1, 2, 3, 4.
    [HPE5900-SR1-Vlan-interface88]dis thi
    #
    interface Vlan-interface88
     ip address 192.168.88.254 255.255.255.0
     packet-filter filter route
     packet-filter 3088 inbound
     packet-filter 3333 inbound
    #
    return

     

    But it still shows as inserted into config.

    Can multiple ACLs be applied?
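    The per-VLAN deny list described in this post is tedious to type by hand and easy to get wrong; the script below is an added example (not from this thread or from HPE) that generates it. The SVI addresses, management IP and ACL number are constructed assumptions; the rules deny 443/22 only towards the switch's own VLAN-interface addresses, so HTTPS/SSH traffic routed through the switch to other hosts is not filtered, and a final permit covers everything else.

```python
"""Generate a Comware 7 advanced ACL (3000-3999) that blocks HTTPS and SSH
to every routed VLAN-interface address of the switch except one management
IP, for use with 'packet-filter <acl> inbound' on client-facing SVIs."""
from ipaddress import ip_address

# Constructed sample data: the switch's SVI addresses, one per routed VLAN.
SVI_ADDRESSES = [
    "192.168.10.254", "192.168.14.254", "192.168.21.254", "192.168.88.254",
]
MGMT_IP = "192.168.14.254"   # the only SVI that should answer on 443/22
ACL_NUMBER = 3333            # assumed free advanced-ACL number


def build_mgmt_acl(acl_number, svi_addresses, mgmt_ip, ports=(443, 22), step=5):
    """Return the ACL config lines. One deny rule per (non-management SVI,
    port); the management SVI is left alone and falls through to permit ip."""
    if not 3000 <= acl_number <= 3999:
        raise ValueError("destination/port matching needs an advanced ACL (3000-3999)")
    svis = {ip_address(a) for a in svi_addresses}
    mgmt = ip_address(mgmt_ip)
    if mgmt not in svis:
        raise ValueError(f"{mgmt_ip} is not one of the switch's SVI addresses")
    lines = [f"acl number {acl_number}"]
    rule = step
    for addr in sorted(svis - {mgmt}, key=int):
        for port in ports:
            # Wildcard 0 = exact host match; 'eq' is required before the port.
            lines.append(f" rule {rule} deny tcp destination {addr} 0 destination-port eq {port}")
            rule += step
    lines.append(f" rule {rule} permit ip")   # transit traffic stays untouched
    return lines


def deny_rule_count(svi_addresses, mgmt_ip, ports=(443, 22)):
    """Number of deny rules the ACL will contain (n-1 SVIs times ports)."""
    return (len(set(svi_addresses)) - 1) * len(ports)


def apply_to_interfaces(acl_number, vlan_ids):
    """Config lines binding the ACL inbound on each client-facing SVI."""
    lines = []
    for vid in vlan_ids:
        lines += [f"interface Vlan-interface{vid}", f" packet-filter {acl_number} inbound"]
    return lines


if __name__ == "__main__":
    print("\n".join(build_mgmt_acl(ACL_NUMBER, SVI_ADDRESSES, MGMT_IP)))
    print("\n".join(apply_to_interfaces(ACL_NUMBER, [10, 88])))
```

Note that an interface already carrying a packet-filter, as in the error shown above, needs these deny rules merged into its existing ACL rather than a second ACL bound alongside.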

     



  • 8.  RE: Restrict what IP the web server runs on

    EMPLOYEE
    Posted Oct 21, 2021 06:23 AM

    Hi @spgsitsupport !

    Depending on the platform you can create either interface-specific ACLs and bind them on each interface, or you can create one global ACL that will scan ALL the traffic on all interfaces. Thus, please specify what device you are asking about. Also the software version will help a lot. If it's a ProCurve (ArubaOS), send us the output from the 'show version' command; if it's a Comware-based device, use the 'display version' command.

     



  • 9.  RE: Restrict what IP the web server runs on

    Posted Oct 21, 2021 06:35 AM

    Same as per above HPE 5900AF = Comware 7