10-21-2021 02:26 AM - last edited on 10-21-2021 06:47 AM by support_s
Restrict what IP the web server runs on
As I have quite a few VLANs, it seems that the SSL web server is listening on each interface.
Is there a way to restrict it to a single IP?
Thanks
Seb
10-21-2021 02:33 AM
Re: Restrict what IP the web server runs on
Hello spgsitsupport,
What device are you asking about?
Usually this can be done with an ACL restricting traffic to the IP address which you do not want to be reached on.
Hope this helps!
10-21-2021 02:37 AM - edited 10-21-2021 02:40 AM
Re: Restrict what IP the web server runs on
HPE 5900AF
How do I craft the ACL to block https 443 on each interface but one?
I am not worried about the source (yet), just the destination.
It would be so much easier/more elegant to just specify the IP that the web server is to be bound to (i.e. the IP in VLAN 14 and no other).
Thanks
Seb
10-21-2021 03:23 AM
Re: Restrict what IP the web server runs on
Hi @spgsitsupport !
Depending on the platform you can either create interface-specific ACLs and bind them on each interface, or you can create one global ACL that will scan ALL the traffic on all interfaces. Thus, please specify what device you are asking about. Also the software version will help a lot. If it's a ProCurve (ArubaOS), send us the output from the 'show version' command; if it's a Comware-based device, use the 'display version' command.
10-21-2021 03:34 AM
Re: Restrict what IP the web server runs on
Same as per above: HPE 5900AF = Comware 7
10-21-2021 04:01 AM - edited 10-21-2021 04:01 AM
Re: Restrict what IP the web server runs on
If VLAN 14 has the IP 192.168.14.1/24, then this should do it:
system-view
#
acl number 3333
rule 5 permit tcp source any destination 192.168.14.1 0 destination-port eq 443
rule 10 deny tcp source any destination any destination-port 443
rule 15 permit ip
#
undo ip http enable
undo ip https enable
ip https acl 3333
ip https port 443
ip https enable
#
return
10-21-2021 04:23 AM - edited 10-21-2021 04:26 AM
Re: Restrict what IP the web server runs on
Seems that https can only have an ACL from 2000-2999 assigned:
[HPE5900-SR1]ip https acl ?
INTEGER<2000-2999> ACL number
and they cannot use permit tcp (only the source can be selected),
as per:
https://www.networktasks.co.uk/environments/hp/comware-v5/hardening-comware-5-devices
or
https://community.hpe.com/t5/Comware-Based/Management-ACL-for-HPE-5510/td-p/7067710#.YXE12fI6h5c
but that is not what I want (for now):
[HPE5900-SR1-acl-basic-2314]rule 5 permit tcp
^
% Too many parameters found at '^' position.
[HPE5900-SR1-acl-basic-2314]rule 5 permit ?
counting Specify rule counting
fragment Check fragment packet
logging Log matched packet
source Specify a source address
time-range Specify a special time
vpn-instance Specify VPN-Instance
<cr>
10-21-2021 04:47 AM - edited 10-21-2021 05:02 AM
Re: Restrict what IP the web server runs on
Yes, it seems you are right: that command accepts only basic ACLs, therefore the available rules are quite limited. You can only use permit/deny without any protocol; it will match all packets. Also you can't use destination and destination-port, which completely destroys the idea of a small and elegant ACL applied specifically to the HTTP/S process.
Ok, then you are left with the option suggested by @-Alex-: "Usually this can be done with an ACL restricting traffic to the IP address which you do not want to be reached on."
10-21-2021 05:27 AM - edited 10-21-2021 06:25 AM
Re: Restrict what IP the web server runs on
OK, but...
Assume the client is on VLAN 10, with an ACL applied to VLAN 10 inbound; I can stop access to the web server of the HPE5900 on IP 192.168.21.254 for VLAN 21:
rule 3 deny tcp source any destination-port eq 443 destination 192.168.21.254 0.0.0.0
rule 4 for another vlan
rule 5 for yet another vlan
etc
etc
It is an UGLY solution, requiring so many "unnecessary" entries in a very long ACL that must be applied to each VLAN that clients might exist in (Staff/Students etc).
Had to make an ACL with 21 lines for https port 443 & 21 lines for ssh port 22 (one per IP of each routed existing VLAN) and apply it to 4 separate VLAN interfaces that clients can be in.
If there was no ACL applied (because I do not need any restrictions on them), it worked fine; on one that already had an ACL applied it gave me an error of sorts:
interface Vlan-interface88
ip address 192.168.88.254 255.255.255.0
packet-filter filter route
packet-filter 3088 inbound
#
return
[HPE5900-SR1-Vlan-interface88] packet-filter 3333 inbound
Failed to apply ACL 3333 to the inbound direction of interface Vlan-interface88 on slot 1, 2, 3, 4.
[HPE5900-SR1-Vlan-interface88]dis thi
#
interface Vlan-interface88
ip address 192.168.88.254 255.255.255.0
packet-filter filter route
packet-filter 3088 inbound
packet-filter 3333 inbound
#
return
But it still shows as inserted into config.
Can multiple ACLs be applied?
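As an added example (not from the thread or from HPE), a small Python generator for the per-SVI deny ACL described in the post above, plus a first-match evaluator so the rule order can be checked before the ACL is pasted into a Comware 7 switch. The 192.168.<vlan>.254 SVI convention, ACL number 3088 and VLAN 14 as the management VLAN are constructed assumptions.

```python
"""Build the "deny 443/22 to every other SVI, then permit ip" ACL from
the thread and check its first-match behaviour offline."""

MGMT_PORTS = {"https": 443, "ssh": 22}


def svi_address(vlan: int) -> str:
    # Constructed convention for this example: SVI of VLAN n is 192.168.n.254
    return f"192.168.{vlan}.254"


def build_rules(routed_vlans, allowed_vlan):
    """Return (rule_id, action, dst_ip, dst_port) tuples: one deny per
    non-management SVI and management port, then a final permit-all."""
    rules = []
    rule_id = 5
    for vlan in sorted(routed_vlans):
        if vlan == allowed_vlan:
            continue  # the single SVI that may still serve HTTPS and SSH
        for port in MGMT_PORTS.values():
            rules.append((rule_id, "deny", svi_address(vlan), port))
            rule_id += 5
    rules.append((rule_id, "permit", None, None))
    return rules


def render_acl(acl_number, rules):
    """Render the rules as Comware 7 advanced-ACL (3000-3999) CLI lines."""
    lines = [f"acl number {acl_number}"]
    for rule_id, action, dst_ip, port in rules:
        if dst_ip is None:
            lines.append(f" rule {rule_id} {action} ip")
        else:
            lines.append(f" rule {rule_id} {action} tcp destination {dst_ip} 0 "
                         f"destination-port eq {port}")
    return "\n".join(lines)


def is_permitted(rules, dst_ip, dst_port):
    """First-match evaluation of a TCP packet, as the packet-filter does."""
    for _, action, rule_ip, rule_port in rules:
        if rule_ip is None or (rule_ip == dst_ip and rule_port == dst_port):
            return action == "permit"
    # Comware packet-filter permits non-matching packets unless
    # "packet-filter default deny" is set; unreachable here because of
    # the trailing permit ip rule.
    return True


if __name__ == "__main__":
    acl = build_rules(range(10, 31), allowed_vlan=14)
    print(render_acl(3088, acl))
```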