HSL IP Policy Functions
From Halon Security
The IP Policy extension to the HSL is used when designing IP Policy Flows, operating on IP packets by the ippolicyd process.
IP Policy Functions
To control access to the H/OS 2 appliance, use the functions below. Functions in the core component, such as in_network(), dnsbl() and globalview(), are handy when designing IP Policy scripts.
Allow()
To allow a connection, use the function Allow(). This is a final action: execution of the script terminates after a final action.
if ($senderip == "10.0.0.100") Allow();
Block($reason)
To block a connection, use the function Block(). This is a final action: execution of the script terminates after a final action. The Block function may send a reason for blocking the connection back to the client. This is done by passing a string, or an array of strings, as the argument; each element of the array is sent separated by "\r\n". Since the reason is written on the raw connection, the Block message should match the protocol of the service being protected.
// Normal Quiet Block
Block();
// SMTP Block
Block("421 We think this is spam. If not contact us by phone.");
// HTTP Block
Block(array(
"HTTP/1.0 200 OK",
"Content-Type: text/html",
"",
"<html>",
"<head>",
"<title>Access Denied</title>",
"</head>",
"<body>",
"<i>IP ($senderip) blocked</i>",
"</body>",
"</html>"
));
Code examples
Normally, blacklisting and whitelisting are performed using the pre-defined flow blocks on the IP Policy tab, but they can also be coded manually:
$whitelist = array("10.0.0.2", "10.0.0.3");
if (in_array($senderip, $whitelist)) Allow();
$blacklist = array("10.0.0.4", "10.0.0.5");
if (in_array($senderip, $blacklist)) Block();
Global network functions like GlobalView (globalview) and DNSBL (dnsbl) can be, and normally are, executed inside the IP Policy flow:
switch(globalview($senderip)) {
case "permfail":
echo "Blocking connection from $senderip: 421 $senderip blocked by GlobalView";
Block("421 We think this is spam: $senderip blocked by GlobalView");
break;
case "tempfail":
echo "Blocking connection from $senderip: 421 $senderip temporary blocked by GlobalView";
Block("421 $senderip temporary blocked by GlobalView");
break;
}
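As an added example, not taken from the Halon documentation, the pieces above combined into one IP Policy script for an SMTP service, ordered from the most specific local decision to the reputation lookup. It assumes in_network($ip, $network) takes an address and a CIDR network and returns a boolean; the addresses, networks and messages are constructed for illustration.

```hsl
// Added example: one SMTP IP Policy script, most specific decision first.
// Assumes in_network($ip, $network) returns true when $ip is inside $network.

// 1. Explicit whitelist wins over everything that follows (final action)
$whitelist = array("10.0.0.2", "10.0.0.3");
if (in_array($senderip, $whitelist)) Allow();

// 2. Internal networks that a reputation lookup must never block
//    (constructed example networks)
if (in_network($senderip, "10.0.0.0/8")) Allow();
if (in_network($senderip, "192.168.1.0/24")) Allow();

// 3. Explicit blacklist: quiet block, nothing is written to the client
$blacklist = array("10.0.0.4", "10.0.0.5");
if (in_array($senderip, $blacklist)) Block();

// 4. Reputation lookup last, since it costs a network round trip.
//    Log before the final action; nothing after Block() is executed.
switch (globalview($senderip)) {
    case "permfail":
        echo "Blocking connection from $senderip: permanent GlobalView listing";
        Block("421 $senderip blocked by GlobalView");
        break;
    case "tempfail":
        echo "Blocking connection from $senderip: temporary GlobalView listing";
        Block("421 $senderip temporarily blocked by GlobalView, try again later");
        break;
}

// 5. No rule matched: allow explicitly, so every outcome is a logged decision
echo "Allowing connection from $senderip: no policy matched";
Allow();
```

Because Allow() and Block() are final, the order of the checks is the policy: anything placed after a matching final action is never evaluated.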
