The following is a short summary of the TCP/IP access configuration we recommend.
IP access configuration can be performed using HELIOS Admin or using an editor. The “Admin solution” is much easier and more convenient. For more details, please read 4.6 “HELIOS TCP/IP security overview”, and also ipaccess in 6.8 “HELIOSDIR/var/conf”.
If you modify the “ipaccess” configuration file directly, you do not need to run “stop-helios” followed by “start-helios”: HELIOS Base re-reads the configuration file on every login.
“HELIOSDIR/var/conf/ipaccess” lists those IP addresses and domains that are allowed to connect to the specified host. This file may contain the following statements:
allow ipaddr/mask
deny ipaddr/mask
allowdomain domain
denydomain domain
If the file is empty – or not present at all – access is allowed to any client, which corresponds to:
allow 0.0.0.0/0.0.0.0
The IP address 0.0.0.0 with the mask 0.0.0.0 matches any address. It is therefore a good idea to use the statement:
deny 0.0.0.0/0.0.0.0
as the last line in the access file and to explicitly allow access only to selected networks or IP numbers. You can grant access to the class C net 192.9.200 only using the following statements:
allow 192.9.200.0/255.255.255.0
deny 0.0.0.0/0.0.0.0
The mask (255.255.255.0 in the example) specifies the significant bits that are compared against the IP number. If no mask is specified, it is assumed to be 255.255.255.255, meaning that the number must match exactly. The example:
allow 192.9.200.1
deny 0.0.0.0/0.0.0.0
will thus allow access to a single machine only, namely to 192.9.200.1.
The IP address can also be specified as a normal host name; it must then be resolvable through the configured name service, e.g. DNS or NIS. If DNS or NIS is properly configured to resolve host names, you can also use domain-based access controls.
The statement:
denydomain hacker.com
will deny access to any IP number that resolves to a host name that ends with the domain hacker.com. The allowdomain statement works the other way round:
allowdomain company.com
deny 0.0.0.0/0.0.0.0
would allow access to any machine whose IP address resolves to a host name ending in company.com.
The domain-based access controls cause a reverse lookup of the host name for every IP address that connects to the server. If any connecting IP addresses have no reverse mapping, lookup time-outs may slow down establishing a connection to the server. Please note that whoever owns the reverse mapping of a set of IP addresses can put arbitrary domain names in it, not only their own domains, so an allowdomain rule can be satisfied by anyone who controls the reverse zone for their addresses.
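The following evaluator, added here as an illustration and not part of HELIOS itself, implements the statement syntax described above (allow/deny with an optional dotted mask defaulting to 255.255.255.255, allowdomain/denydomain by host-name suffix, an empty file allowing everyone) and shows why a domain rule is only as trustworthy as the reverse DNS it consults. It assumes first-match evaluation with a default of allow, consistent with the advice to put deny 0.0.0.0/0.0.0.0 last, uses a constructed reverse-lookup table instead of real DNS, and does not handle host names in place of addresses.

```python
import ipaddress

# Constructed stand-in for the name service's reverse (PTR) mappings.
# 203.0.113.9 models an address whose owner has pointed their reverse
# zone at a name in company.com that they do not actually control.
REVERSE_DNS = {
    "192.9.200.1": "print1.company.com",
    "203.0.113.9": "gateway.company.com",
    "198.51.100.7": "box.hacker.com",
}

def parse_ipaccess(text):
    """Parse ipaccess statements into (keyword, value) pairs, ignoring blank lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword in ("allow", "deny"):
            addr, _, mask = value.partition("/")
            mask = mask or "255.255.255.255"  # no mask: match the number exactly
            rules.append((keyword, ipaddress.ip_network(f"{addr}/{mask}", strict=False)))
        elif keyword in ("allowdomain", "denydomain"):
            rules.append((keyword, value.lower().lstrip(".")))
        else:
            raise ValueError(f"unknown ipaccess statement: {line!r}")
    return rules

def _in_domain(host, domain):
    # Assumption: match on a label boundary so "nothacker.com" is not "hacker.com".
    host = host.lower()
    return host == domain or host.endswith("." + domain)

def check_access(rules, client_ip, reverse_dns=REVERSE_DNS):
    """Return True if client_ip may connect. First matching statement decides;
    no statement matching (including an empty file) allows access (assumption)."""
    ip = ipaddress.ip_address(client_ip)
    for keyword, value in rules:
        if keyword in ("allow", "deny"):
            if ip in value:
                return keyword == "allow"
        else:
            # Domain rules depend entirely on the reverse mapping, which the
            # address owner controls; an unresolvable address matches nothing.
            host = reverse_dns.get(client_ip)
            if host and _in_domain(host, value):
                return keyword == "allowdomain"
    return True
```

Running the allowdomain example against 203.0.113.9 returns True even though that address is not part of company.com, which is exactly the reverse-mapping caveat above.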
The following error message may occur if the search domain is not set in the network settings of the host:
"Can’t get IP-Address for hostname (%s). Please check network configuration. Error (%d)."