HSL IP Policy

From Halon Security

The IP Policy extension to the HSL is used when designing IP Policy Flows: scripts that operate on IP packets and are executed by the ippolicyd process. Only inbound packets to a service such as an SMTP listener (mail_server__X configuration key) or an HTTP service (http_server__X configuration key) that has a configured IP Policy flow are processed by ippolicyd. If a scripting error occurs, Allow() is called, so a broken script fails open.


Pre-defined variables

These are the read-only pre-defined variables that ippolicyd makes available for each packet that arrives.

Variable      Example           Description
$senderip     "192.168.1.141"   IP address of the client
$serverip     "10.0.0.1"        IP to which the client connected
$serverport   25                Port on which the client connected
$protocol     "tcp"             "tcp" or "udp" for the client connection
$service      "mailserver:1"    Service reached: "mailserver:1", "ftp", "ssh" or "httpserver:1" etc.
$family       "ipv4"            "ipv4" or "ipv6"

Context-specific functions

These functions control access to the H/OS 2 appliance. Core functions such as in_network(), dnsbl() and globalview() are handy when designing IP Policy scripts.

Allow()

If you want to allow a connection, use the function Allow(). This is a final action: script execution terminates after a final action.

if ($senderip == "10.0.0.100") Allow();

Block($reason)

If you want to block a connection, use the function Block(). This is a final action: script execution terminates after a final action. The block function may send the client a reason why it blocked the connection. This is done by passing a string, or an array of lines, as the argument; each line in the array is sent separated by "\r\n". Different Block messages are appropriate for different services, so that the reply matches the protocol the client speaks.

// Normal quiet block: no reason is sent to the client
Block();

// SMTP block: a single reply line, as an SMTP client expects
Block("421 We think this is spam. If not contact us by phone.");

// HTTP block: status line, headers, empty line and body, one array element per line
Block(array(
    "HTTP/1.0 200 OK",
    "Content-Type: text/html",
    "",
    "<html>",
    "<head>",
    "<title>Access Denied</title>",
    "</head>",
    "<body>",
    "<i>IP ($senderip) blocked</i>",
    "</body>",
    "</html>"
));
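As an added example (not code from the original page), the Block() message can be chosen from the pre-defined $service variable so that each listener gets a reply in its own protocol. It uses only the variables and functions documented above; the service names are the ones listed in the variable table.

```hsl
// Added example: pick a protocol-appropriate Block() reply per service.
// Uses only $service, $senderip and Block() as documented on this page.
$reason = "blocked by IP policy";
switch ($service) {
    case "mailserver:1":
        // SMTP clients expect a reply code; 421 tells the client to retry later
        Block("421 $senderip $reason");
    break;
    case "httpserver:1":
        // HTTP clients expect a status line, headers, an empty line, then a body
        Block(array(
            "HTTP/1.0 403 Forbidden",
            "Content-Type: text/plain",
            "",
            "$senderip $reason"
        ));
    break;
    default:
        // Other services ("ftp", "ssh", ...): drop quietly without sending a reason
        Block();
    break;
}
```

Sending a reason only where the protocol has a place for it keeps the reply parseable by the client and avoids leaking policy detail to services that cannot display it.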

Code examples

Normally, blacklisting and whitelisting are performed using the pre-defined flow blocks on the IP Policy tab, but they can also be coded by hand:

// Addresses that are always allowed
$whitelist = array("10.0.0.2", "10.0.0.3");
if (in_array($senderip, $whitelist)) Allow();

// Addresses that are always blocked
$blacklist = array("10.0.0.4", "10.0.0.5");
if (in_array($senderip, $blacklist)) Block();
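The same lists written as networks rather than single addresses, as an added example that is not part of the original page. It assumes the core function in_network() takes the form in_network($ip, "network/prefix") and returns true when $ip lies inside that range (an assumption to check against the core function reference); the address ranges are constructed sample values.

```hsl
// Added example: CIDR-based deny and allow lists with in_network()
// (assumed signature: in_network($ip, "network/prefix") -> true if $ip is inside).
// Sample ranges are constructed for illustration.

// Evaluate the deny list first, so an address present in both lists is blocked.
if (in_network($senderip, "10.0.4.0/24")) Block("421 $senderip is not allowed to connect");
if (in_network($senderip, "192.0.2.0/24")) Block("421 $senderip is not allowed to connect");

// Management network: allow without any further checks.
if (in_network($senderip, "10.0.0.0/24")) Allow();

// IPv6 ranges are matched the same way; $family tells which family the packet is.
if ($family == "ipv6") {
    if (in_network($senderip, "2001:db8::/32")) Allow();
}

// Anything else continues to the checks that follow in the flow.
```

Ordering matters because Allow() and Block() are final actions: the first match wins, so put the decisions you never want overridden first.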

Global network functions such as GlobalView (globalview) and DNSBL (dnsbl) can be, and normally are, executed inside the IP Policy flow:

switch (globalview($senderip)) {
    case "permfail":
        // Permanent listing: log and reject with a 421 reply
        echo "Blocking connection from $senderip: 421 $senderip blocked by GlobalView";
        Block("421 We think this is spam: $senderip blocked by GlobalView");
    break;
    case "tempfail":
        // Temporary listing: log and ask the client to retry later
        echo "Blocking connection from $senderip: 421 $senderip temporary blocked by GlobalView";
        Block("421 $senderip temporary blocked by GlobalView");
    break;
}
// Any other GlobalView result falls through to the rest of the flow
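A DNSBL lookup placed after the GlobalView check, as an added example that is not from the original page. It assumes dnsbl($ip, $zone) returns a non-empty value when $ip is listed in the zone (an assumption; confirm the return type in the dnsbl() reference), and "dnsbl.example" is a placeholder zone name, not a real blocklist.

```hsl
// Added example: consult a DNS blocklist once GlobalView has not decided.
// Assumes dnsbl($ip, $zone) returns a non-empty result when $ip is listed
// (assumption). "dnsbl.example" is a placeholder zone, not a real list.
$zone = "dnsbl.example";
$listed = dnsbl($senderip, $zone);
if ($listed) {
    // Log the decision so the block is visible in the ippolicyd output
    echo "Blocking connection from $senderip: listed in $zone";
    // 421 is a temporary failure, so a false positive only delays delivery
    // instead of bouncing the message permanently.
    Block("421 $senderip listed in $zone, try again later");
}

// No list matched: allow explicitly rather than relying on the
// fail-open behaviour described at the top of this page.
Allow();
```

Ending the flow with an explicit Allow() makes the default decision visible in the script itself, which is easier to review than relying on what happens when no final action runs.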