Comware Based

Restrict what IP the web server runs on

spgsitsupport
Regular Advisor

Restrict what IP the web server runs on

As I have quite a few VLANs, it seems that the SSL web server is listening on each interface

Is there a way to restrict it to a single IP?

Thanks


Seb

-Alex-
HPE Pro

Re: Restrict what IP the web server runs on

Hello  spgsitsupport,

What device are you asking about?

Usually this can be done with an ACL restricting traffic to the IP address which you do not want to be reached on.

Hope this helps!

I am an HPE Employee

Accept or Kudo

spgsitsupport
Regular Advisor

Re: Restrict what IP the web server runs on

HPE 5900AF

How do I craft the ACL to block https 443 on each interface but one?

I am not worried about the source (yet), just the destination

It would be so much easier/elegant to just specify the IP that web server is to be bound to (ie IP in VLAN 14 and no other)

Thanks


Seb

Ivan_B
HPE Pro

Re: Restrict what IP the web server runs on

Hi @spgsitsupport !

Depending on the platform you can create either interface-specific ACLs and bind them on each interface, or you can create one global ACL that will scan ALL the traffic on all interfaces. Thus, please, specify what device you are asking about. Also the software version will help a lot. If it's a ProCurve (ArubaOS), send us the output from the 'show version' command; if it's a Comware-based device, use the 'display version' command.


I am an HPE employee

Accept or Kudo

spgsitsupport
Regular Advisor

Re: Restrict what IP the web server runs on

Same as per above HPE 5900AF = Comware 7

Ivan_B
HPE Pro

Re: Restrict what IP the web server runs on

If VLAN14 has IP of 192.168.14.1/24, then this should do it:


system-view
#
acl number 3333
 rule 5 permit tcp source any destination 192.168.14.1 0 destination-port 443
 rule 10 deny tcp source any destination any destination-port 443
 rule 15 permit ip
#
undo ip http enable
undo ip https enable
ip https acl 3333
ip https port 443
ip https enable
#
return


I am an HPE employee

Accept or Kudo

spgsitsupport
Regular Advisor

Re: Restrict what IP the web server runs on

Seems that https can only have acl from 2000-2999 assigned

[HPE5900-SR1]ip https acl ?
INTEGER<2000-2999> ACL number

and they cannot use permit tcp (only source can be selected)

like per:

https://www.networktasks.co.uk/environments/hp/comware-v5/hardening-comware-5-devices

or

https://community.hpe.com/t5/Comware-Based/Management-ACL-for-HPE-5510/td-p/7067710#.YXE12fI6h5c

but that is not what I want (for now)

[HPE5900-SR1-acl-basic-2314]rule 5 permit tcp
^
% Too many parameters found at '^' position.
[HPE5900-SR1-acl-basic-2314]rule 5 permit ?
counting Specify rule counting
fragment Check fragment packet
logging Log matched packet
source Specify a source address
time-range Specify a special time
vpn-instance Specify VPN-Instance
<cr>

Ivan_B
HPE Pro

Re: Restrict what IP the web server runs on

Yes, seems like you are right, that command accepts only basic ACLs, therefore the available rules are quite limited. You can only use permit/deny without any protocol, it will match all packets. Also you can't use destination and destination-port. Which completely destroys the idea of small and elegant ACL applied specifically on the HTTP/S process.

Ok, then you are left with the option suggested by @-Alex- - "Usually this can be done with an ACL restricting traffic to the IP address which you do not want to be reached on."


I am an HPE employee

Accept or Kudo

spgsitsupport
Regular Advisor

Re: Restrict what IP the web server runs on

OK, but...

Assume client is on Vlan 10, with ACL applied to Vlan10 inbound, I can stop access to webserver of HPE5900 on IP (192.168.21.254) for VLAN 21

rule 3 deny tcp source any destination-port eq 443 destination 192.168.21.254 0.0.0.0

rule 4 for another vlan

rule 5 for yet another vlan

etc

etc

It is an UGLY solution, requiring so many "unnecessary" entries in a very long ACL that must be applied to each VLAN that clients might exist in (Staff/Students etc)

Had to make an ACL with 21 lines for https port 443 & 21 lines for ssh port 22 (one per IP of each existing routed VLAN) and apply it to 4 separate VLAN interfaces that clients can be in

If there was no ACL applied (because I do not need any restrictions on them), it worked fine; on one that already had an ACL applied it gave me an error of sorts


interface Vlan-interface88
 ip address 192.168.88.254 255.255.255.0
 packet-filter filter route
 packet-filter 3088 inbound
#
return
[HPE5900-SR1-Vlan-interface88] packet-filter 3333 inbound
Failed to apply ACL 3333 to the inbound direction of interface Vlan-interface88 on slot 1, 2, 3, 4.
[HPE5900-SR1-Vlan-interface88]dis thi
#
interface Vlan-interface88
 ip address 192.168.88.254 255.255.255.0
 packet-filter filter route
 packet-filter 3088 inbound
 packet-filter 3333 inbound
#
return


But it still shows as inserted into config.

Can multiple ACLs be applied?
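The per-VLAN-interface ACL described in the last two posts (one deny rule per switch SVI address and management port, all but the one address that should stay reachable, then a final permit) grows linearly with the number of routed VLANs, which is exactly the "ugly" part Seb complains about. The following added example, which is not code from the thread or from HPE, generates those rules in the exact form Seb posted (`rule N deny tcp source any destination-port eq 443 destination A.B.C.D 0.0.0.0`) and checks them against a few constructed packets with a small first-match evaluator, so the effect of the rule set can be reasoned about before it is pasted into a switch. The SVI addresses, the rule numbering step and first-match semantics with an explicit final `permit ip` are assumptions of this example.

```python
"""Build the per-SVI advanced ACL from the thread and evaluate it offline.

Rule text follows the form posted in the thread:
  rule N deny tcp source any destination-port eq 443 destination A.B.C.D 0.0.0.0
The SVI list, rule numbering and first-match evaluation are assumptions made
for this example; verify the resulting lines on a lab device before use.
"""
from ipaddress import ip_address

# Constructed sample: routed VLAN-interface (SVI) addresses of the switch.
SVI_ADDRESSES = {
    10: "192.168.10.254",
    14: "192.168.14.1",    # management SVI: the only address that should stay reachable
    21: "192.168.21.254",
    88: "192.168.88.254",
}
MANAGEMENT_PORTS = (443, 22)   # https and ssh, the two services mentioned in the thread


def build_acl_rules(svi_addresses, allowed_vlan, ports=MANAGEMENT_PORTS, step=5):
    """Return Comware-style advanced ACL rule lines.

    One 'deny tcp' rule per (SVI address, port) for every VLAN except the
    allowed one, followed by a final 'permit ip' so other traffic is unaffected.
    """
    rules = []
    n = step
    for vlan, addr in sorted(svi_addresses.items()):
        if vlan == allowed_vlan:
            continue                      # this address stays reachable
        for port in ports:
            rules.append(
                f"rule {n} deny tcp source any destination-port eq {port} "
                f"destination {addr} 0.0.0.0"
            )
            n += step
    rules.append(f"rule {n} permit ip")
    return rules


def evaluate(rules, dst_ip, dst_port, proto="tcp"):
    """First-match evaluation of the generated rules for one packet.

    Returns 'permit' or 'deny'.  Assumption: rules are matched in the order
    generated and the first matching rule wins; unmatched traffic is denied.
    """
    for line in rules:
        parts = line.split()
        action, match_proto = parts[2], parts[3]
        if match_proto == "ip":           # catch-all 'permit ip' / 'deny ip'
            return action
        if match_proto != proto:
            continue
        port = int(parts[parts.index("eq") + 1])
        addr = parts[parts.index("destination") + 1]
        if dst_port == port and ip_address(dst_ip) == ip_address(addr):
            return action
    return "deny"


def rule_count(svi_addresses, ports=MANAGEMENT_PORTS):
    """How many lines the ACL needs: (VLANs - 1) * ports + the final permit."""
    return (len(svi_addresses) - 1) * len(ports) + 1


if __name__ == "__main__":
    acl = build_acl_rules(SVI_ADDRESSES, allowed_vlan=14)
    print("acl number 3333")
    for line in acl:
        print(" " + line)
    print("packet-filter 3333 inbound  (apply under each client Vlan-interface)")
    for ip, port in (("192.168.14.1", 443), ("192.168.21.254", 443),
                     ("192.168.21.254", 22), ("192.168.21.254", 80)):
        print(f"{ip}:{port} -> {evaluate(acl, ip, port)}")
```

With four SVIs and two ports the script emits seven lines; with the 21 routed VLANs from the thread it would emit 41, which is the scaling problem a single `ip https acl` binding would have avoided if that command accepted advanced ACLs.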