Hello!

> -----Original Message-----
> From: Emilio Campos [mailto:[email protected]]
> Sent: Monday, 12 August 2013 20:41
> To: [email protected]
> Subject: Re: [Pound Mailing List] Allow or Deny access by client ip range
>
> As far as I know there isn't support for this, but some member of the list
> developed a patch that was not added.
>
> http://www.apsis.ch/pound/pound_list/archive/2011/2011-04/1303208639000/index_html?fullMode=1
Thanks for the hint. So it seems it does not work right now. But the suggested patch does not help directly, as we'd need a whitelist and not a blacklist.

While I think blacklists are not very helpful in general to achieve some good level of security, I disagree with what Robert was writing. Of course there should be some security constraints at the application level, but I don't see a point why one should not combine this with security in the network. Of course one needs some kind of authentication/authorization model in the application, but why not limit the people or systems that are allowed to talk to the application at all? While it is generally true that the source IP address is not absolutely safe for filtering requests because it could be spoofed, it is in practice very hard to set up a TCP handshake without a man-in-the-middle position using a foreign IP address. Of course it can be done at the firewall (this is generally what a firewall does), but this has drawbacks too, as I mentioned. I think this would be a very good functionality for a web load balancer, especially as I like to have all this balancing and web request handling stuff in one configuration place. It is very much overhead to put each and every configuration option in each of the backend servers, and it has security drawbacks too: e.g. there is a higher risk that some backend is not configured properly as designed, and it means that all requests actually reach the backend servers before being filtered, which they don't if filtering is done at the firewall or at the balancer/web application firewall.

I know that Pound is not a full-featured WAF, but it already has some very good features to filter requests based on headers and regex matching. We already use this as a WAF-light, if you will. I know other companies that run a full-featured WAF but generally don't have better filtering sets than we achieve with Pound, because the administration overhead is so large if you want to specify really good filtering rules, and it is susceptible to many errors too. So I think filtering based on an IP/subnet whitelist would generally be a good idea to implement, possibly with a warning not to use this as the only security level. And I don't see that this would be complicating the usage of Pound after all. This directive could be optional, just like the URL directive, which means if you don't use it, it does not bother you.

regards,
Felix

--
To unsubscribe send an email with subject unsubscribe to [email protected].
Please contact [email protected] for questions.
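The whitelist semantics Felix sketches above (an optional per-service directive; absent means accept everyone, present means deny by default and admit only listed subnets, applied to the TCP peer address rather than anything the client sends) can be expressed in a few lines. The following is an added illustration written for this archive, not Pound's code nor the patch linked in the thread; the function names, the `None`-means-absent convention and the sample subnets and peers are all constructed for the example.

```python
import ipaddress


def compile_allowlist(cidrs):
    """Parse CIDR strings (IPv4 or IPv6) into network objects.

    strict=False lets an operator write a host address such as 10.0.0.1/8
    without the parser rejecting it. A malformed entry raises ValueError at
    config-load time instead of silently allowing or denying traffic.
    """
    return [ipaddress.ip_network(cidr, strict=False) for cidr in cidrs]


def is_allowed(peer_ip, allowlist):
    """Decide whether a TCP peer address may reach the service.

    allowlist is None -> the (hypothetical) directive is absent, so the
                         service behaves as before and accepts everyone.
    allowlist is []   -> directive present but empty: deny everything.
    Otherwise the peer must fall inside at least one listed subnet.

    peer_ip is the address of the accepted TCP connection, never a
    client-supplied header such as X-Forwarded-For, which anyone can set.
    """
    if allowlist is None:
        return True
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparsable peer address: fail closed
    # `addr in net` is False when the address family differs, so an IPv6
    # peer is never matched against an IPv4 subnet and vice versa.
    return any(addr in net for net in allowlist)


def filter_connections(connections, allowlist):
    """Split (peer_ip, request_line) pairs into accepted and rejected lists."""
    accepted, rejected = [], []
    for peer_ip, request_line in connections:
        bucket = accepted if is_allowed(peer_ip, allowlist) else rejected
        bucket.append((peer_ip, request_line))
    return accepted, rejected


# Constructed sample: an allowlist for an internal service plus a few peers
# (documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32).
SAMPLE_ALLOWLIST = compile_allowlist(["10.0.0.0/8", "192.0.2.0/24", "2001:db8::/32"])
SAMPLE_CONNECTIONS = [
    ("10.20.30.40", "GET /app/ HTTP/1.1"),
    ("192.0.2.77", "POST /app/login HTTP/1.1"),
    ("198.51.100.9", "GET /app/admin HTTP/1.1"),
    ("2001:db8:1::5", "GET /app/ HTTP/1.1"),
    ("garbage", "GET / HTTP/1.1"),
]

if __name__ == "__main__":
    ok, blocked = filter_connections(SAMPLE_CONNECTIONS, SAMPLE_ALLOWLIST)
    for peer, line in ok:
        print("pass  ", peer, line)
    for peer, line in blocked:
        print("reject", peer, line)
```

The check runs before any request is forwarded, which is the property Felix wants from doing this at the balancer: rejected peers never reach a backend, and an unparsable address or an empty list fails closed rather than open.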
