
Only allow insecure connections from certain IP range?

Short version: We need secure connections from clients enforced, EXCEPT from a very small IP range - is this possible?

Long version: We definitely want secure connections from clients to server. We’re looking for a secure client for Treos, however, which can do background SSL. Such a monster doesn’t currently exist, so an alternate would be to use a VPN, but on the insecure port. The connections will always come from the same IP, or at least IP range, and we’d like to limit insecure connections from that small range. Can we fine-tune Wildfire’s security policy to this degree?


Are you sure such a client doesn’t exist? I’ve never bothered to try Jabber on mine, but I think there are some non-free apps out there that can do Jabber with SSL.

I don’t think Wildfire can do that currently (feature request?).

Another option outside the scope of Wildfire directly on Unix is to use stunnel, or some other TCP proxy with SSL abilities. Basically, set up stunnel from inetd (or xinetd) to listen on 5222 (or some other port if you wish) and have it encrypt and forward to 5223. Generally you set this up in reverse to secure an unsecure server, but it can work in reverse just as well. You can then use tcpwrappers (tcpd) to then restrict it from certain IPs. (http://www.stunnel.org/)

Keep in mind that a complete hack like this makes for a lot of overhead going back and forth between SSL and non-SSL. Also, unless your VPN endpoint is on a trusted network segment connected to the Wildfire server, you lose most of the benefits of SSL (perhaps an acceptable risk for some), and if you are willing to do that, maybe you just want to allow non-encrypted clients in.
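The stunnel and TCP Wrappers setup described in the post above, written out as an added example that is not part of the original post. It swaps inetd/tcpd for stunnel's standalone mode with its built-in libwrap support, and assumes stunnel 5.x built with libwrap; the section name, hostname, file paths and VPN range are placeholders.

```ini
; ---- stunnel.conf (location is an assumption, e.g. /etc/stunnel/) ----
; In standalone mode the section name is also the TCP Wrappers
; service name matched in hosts.allow and hosts.deny.
[xmpp-vpn-plain]
; Client mode: accept plaintext, speak SSL to the upstream server.
client = yes
; Plaintext listener reached by the VPN clients. Pick another port
; or host if Wildfire itself already listens on 5222 on this machine.
accept = 5222
; Wildfire's legacy SSL port; the hostname is a placeholder.
connect = wildfire.example.internal:5223
; Verify the server certificate so the SSL leg is authenticated.
verifyChain = yes
CAfile = /etc/stunnel/wildfire-ca.pem
checkHost = wildfire.example.internal
; Consult hosts.allow and hosts.deny before accepting a connection.
libwrap = yes

# ---- /etc/hosts.allow ----
# Constructed VPN range; replace with the real one.
xmpp-vpn-plain: 10.8.0.0/255.255.255.0

# ---- /etc/hosts.deny ----
# Any other source is refused on the plaintext listener.
xmpp-vpn-plain: ALL
```

Traffic between the VPN endpoint and the stunnel listener stays unencrypted, so the listener belongs on the same trusted segment as the VPN endpoint.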

Our Wildfire server is behind a firewall.

And we are using some firewall rules to do this, for example: - -> all incoming connections on SSL Port - -> non SSL-Port

Perhaps some behavior could be defined with ipchains on the Wildfire server to limit the IP range that is using the non-SSL port.



I work with Paul; let me expound a bit on the problem. Perhaps we’re simply having a misunderstanding.

As I understand what’s happening, we have two basic choices for secure connections to Wildfire: “Old” or “Legacy” SSL, which connects on port 5223, and TLS, which makes an insecure connection on port 5222 and issues the “StartTLS” command to secure the connection.

If we wanted to support the “Legacy SSL” version, this would be pretty easy: We’d tell the Wildfire server to accept insecure connections, and then firewall 5222 off so that only the VPN could get to it.

The problems with this approach are 1) we don’t want to support a “Legacy” protocol that may go away someday and 2) we can’t get GAIM to actually connect using SSL on 5223.

So, then, if we rule out using “Legacy SSL” on 5223, how do we restrict what clients can connect securely or insecurely on 5222? As far as I can tell, there’s no mechanism to allow that. The stunnel idea might work, though; if performance were an issue (and I doubt it would be since we’re talking about maybe 4 clients using this mechanism) we could even run it on another machine.

But, yes, a neat feature would be an ability to say “Everything except this IP range must connect securely.”