Help on Security Configuration


Overview of security

Fire Door uses a comprehensive security model which can be tailored to almost any need. At the heart of the model are two lists of IP address/port pairs which determine which hosts can, or cannot, be linked together. These two lists are called the "allow" and "deny" lists.

When a new connection is to be established the "deny" list is checked and if a match is made, the connection is refused. If no match is made in the "deny" list then the "allow" list is checked and a match must be found or, again, the connection is refused.

A connection match is determined by comparing the source and destination IP addresses and ports with the address/port pairs in the "allow" and "deny" lists. The source is compared against the left hand IP address/port and the destination against the right hand IP/port. This match may be identical or use wildcard matching.

Each list contains entries which consist of two IP addresses and two port numbers - one IP address and port number on the left, and one IP address and port number on the right. Each entry indicates a connection which is "allowed" or "denied" by the Fire Door security model. For example, the IP address pair:

10.0.2.1:80  129.5.2.3:80

indicates that port 80 on the machine with the IP address 10.0.2.1 is allowed, or denied, connection with port 80 on the machine which has the IP address 129.5.2.3.

The special character string "*" can be used as a wildcard to specify groups of IP addresses or ports. For example, the IP address pair:

10.*.*.*:80  :  *.*.*.*:*

indicates that port 80 on any machine with an IP address of the form 10.x.x.x is allowed, or denied, connection with any port on any machine.
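
The deny-then-allow evaluation described in this overview, as an added Python example that is not Fire Door code. It assumes the two sides of an entry are separated by whitespace (a lone ":" between them is ignored) and that "*" stands for one whole octet or the whole port; all function names are hypothetical.

```python
# Added example, not Fire Door code. Assumptions: entry sides are separated by
# whitespace (a lone ":" token is ignored); "*" matches a whole octet or port.

def parse_endpoint(text):
    """'10.*.*.*:80' -> (['10', '*', '*', '*'], '80')"""
    ip, sep, port = text.rpartition(":")
    octets = ip.split(".")
    fields = octets + [port]
    if not sep or len(octets) != 4 or not all(f == "*" or f.isdigit() for f in fields):
        raise ValueError(f"bad endpoint: {text!r}")
    return octets, port

def parse_entry(line):
    """One list entry -> (left pattern, right pattern)."""
    sides = [tok for tok in line.split() if tok != ":"]
    if len(sides) != 2:
        raise ValueError(f"bad entry: {line!r}")
    return parse_endpoint(sides[0]), parse_endpoint(sides[1])

def endpoint_matches(pattern, ip, port):
    octets, port_pat = pattern
    addr = ip.split(".")
    if len(addr) != 4 or not all(a.isdigit() for a in addr):
        return False
    ip_ok = all(p == "*" or int(p) == int(a) for p, a in zip(octets, addr))
    return ip_ok and (port_pat == "*" or int(port_pat) == port)

def entry_matches(entry, src, dst):
    # Source is compared with the left-hand side, destination with the right.
    left, right = entry
    return endpoint_matches(left, *src) and endpoint_matches(right, *dst)

def decide(deny, allow, src, dst):
    """Deny list is checked first; after that an allow match is required."""
    if any(entry_matches(e, src, dst) for e in deny):
        return "refused: deny match"
    if any(entry_matches(e, src, dst) for e in allow):
        return "allowed"
    return "refused: no allow match"

# Constructed lists built from the two entries shown above.
DENY = [parse_entry("10.0.2.1:80  129.5.2.3:80")]
ALLOW = [parse_entry("10.*.*.*:80  :  *.*.*.*:*")]

if __name__ == "__main__":
    for src, dst in [(("10.0.2.1", 80), ("129.5.2.3", 80)),
                     (("10.0.2.7", 80), ("129.5.2.3", 443)),
                     (("10.0.2.7", 1025), ("129.5.2.3", 80)),
                     (("192.168.1.5", 80), ("129.5.2.3", 80))]:
        print(src, "->", dst, ":", decide(DENY, ALLOW, src, dst))
```

In the third sample connection the source port is 1025, so the allow entry with port 80 on its left-hand side does not match and the connection falls through to the default refusal.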


Adding restrictions

Security restrictions can be added to the Restriction List using the form on the Security Configuration page.

To add an entry to the "deny" list, enter the left and right hand sides of the restriction into the empty text field with the text "Deny" next to it.

To add an entry to the "allow" list, enter the left and right hand sides of the restriction into the empty text field with the text "Allow" next to it. Note that the numbers next to the "Allow" are simply placeholders for the IP/port pairs.

Press the button labelled "Accept", and a new page will be displayed confirming that the new restriction has been added. Use the "Back" button on your browser to redisplay the Security Page and confirm that the new restriction appears in the list. It may be necessary to use the "Reload" button on your browser to display the new list.


Removing restrictions

Security restrictions can be removed from the list by clearing the text in the text field corresponding to the restriction.

Press the button labelled "Accept", and a new page will be displayed confirming that the restriction has been removed. Use the "Back" button on your browser to redisplay the Security Page and confirm that the restriction has been removed. It may be necessary to use the "Reload" button on your browser to display the new list.


Changing restrictions

Security restrictions can be altered once they have been created by simply editing the IP/port number pairs in the appropriate text field.

Once the text has been changed, press the button labelled "Accept", and a new page will be displayed confirming that the restriction has been changed. Use the "Back" button on your browser to redisplay the Security Page and confirm that the new restriction appears in the list. It may be necessary to use the "Reload" button on your browser to display the new list.


$Revision: 1.7 $ $Date: 1996/06/13 13:26:58 $