| At a Glance | |
|---|---|
| Catalog | System |
| Category | Gateways |
| User volumes | no |
| Min. memory | 64 MB |
| OS | Linux |
| Constraints | no |
IN accepts incoming traffic on its external interface and passes it to the application through its out terminal. IN forwards only the traffic explicitly allowed through the configuration of its firewall properties; all other traffic is discarded.
IN supports up to 4 incoming interfaces (protocol/port combinations), such as http, ssh, etc. By default, IN allows only tcp port 80 (http).
IN is used to accept all network traffic for an application. All external traffic must pass through an IN gateway to reach any resource or service within the application.
| Resource | Minimum | Maximum | Default |
|---|---|---|---|
| CPU | 0.05 | 4 | 0.05 |
| Memory | 64 MB | 2 GB | 64 MB |
| Bandwidth | 1 Mbps | 2 Gbps | 200 Mbps |
| Name | Dir | Protocol | Description |
|---|---|---|---|
| out | out | any | Sends all traffic out to the destination address and receives the responses |
| mon | out | cce | Sends performance and resource usage statistics |
The external interface is enabled. It is used for incoming traffic and is configured through the properties listed in the following sections.
The default interface is enabled. It is used for maintenance (incoming ssh connections).
| Property name | Type | Description |
|---|---|---|
| ip_addr | IP address | Defines the IP address of the external interface. This property is mandatory. |
| netmask | IP address | Defines the network mask of the external interface. This property is mandatory. |
| gateway | IP address | Defines the gateway for the external interface. Default is empty (no gateway). |
Incoming traffic is filtered by source host (allowed_hosts and denied_hosts) and by protocol/port (ifaceX). Up to four protocol/port pairs (interfaces) can be configured.
If all parameters are left at their defaults, no traffic will be allowed. To allow traffic in, configure at least the iface1_protocol and iface1_port values. (The property table below and the overview above list tcp and 80 as the iface1 defaults; rather than relying on defaults, set iface1 explicitly and verify the effective rule on your appliance version.)
| Property name | Type | Description |
|---|---|---|
| allowed_hosts | String | List of hosts and/or subnets allowed to connect. Separate multiple entries with spaces or commas. Supported format example: 192.168.1.2 192.168.1.0/24 192.168.2.0/255.255.255.0. Default: 0.0.0.0/0 (all allowed) |
| denied_hosts | String | List of hosts and/or subnets to be denied connection. The format is the same as for allowed_hosts. Default: (empty) (none denied) |
| iface1_protocol | String | Protocol to allow. Options: none, tcp (default), udp |
| iface1_port | String | Port numbers or port ranges to allow. Accepts a string of comma- or space-separated values. Port ranges must be specified as lower_port:higher_port with a colon or dash as the separator (e.g., 80,81,82:85 86-90). Default: 80 (http) |
| iface2_protocol | String | Protocol to allow. Options: none (default), tcp, udp |
| iface2_port | String | Port numbers or port ranges to allow, in the same format as iface1_port. Default: 0 (disabled) |
| iface3_protocol | String | Protocol to allow. Options: none (default), tcp, udp |
| iface3_port | String | Port numbers or port ranges to allow, in the same format as iface1_port. Default: 0 (disabled) |
| iface4_protocol | Integer | IP protocol number to allow (e.g., 6 for TCP, 47 for GRE). See http://www.iana.org/assignments/protocol-numbers. Default: 0 (disabled) |
| iface4_port | String | Port numbers or port ranges to allow, in the same format as iface1_port. Used only if the selected IP protocol has port numbers (e.g., udp and tcp); must be set to 0 for all other protocols. Setting this property to 0 for tcp or udp will allow all ports of that protocol. Default: 0 |
The iface4 filter can be configured to allow incoming protocols other than tcp and udp.
iface4 can be configured even if iface3 is not.
iface4 treats the port number slightly differently from the other interfaces. Setting iface4_port to 0 means that the port number is not checked at all: this is what you want for protocols that have no port numbers, such as GRE, but for tcp (6) or udp (17) it allows every port of that protocol, so list the ports explicitly whenever iface4 carries tcp or udp. Setting iface{1,2,3}_port to 0, by contrast, disables that interface (equivalent to setting its protocol to none).
in1 - input gateway
web1 - apache web server appliance
in1 accepts HTTP requests on its external interface and passes them to web1 through its out terminal.
The web1 appliance used in this example is not shipped with AppLogic; AppLogic does provide a similar appliance named WEB.
Example 1 (HTTP only):
| Property name | Value | Notes |
|---|---|---|
| ip_addr | 192.168.1.1 | IP address of the external interface |
| netmask | 255.255.255.0 | Network mask for the external interface |
| gateway | 192.168.1.254 | Gateway for the external interface |
| iface1_protocol | tcp | Allow TCP traffic... |
| iface1_port | 80 | ...only on port 80 (http) |
Example 2 (HTTP, HTTPS and a PPTP VPN):
| Property name | Value | Notes |
|---|---|---|
| ip_addr | 192.168.1.1 | IP address of the external interface |
| netmask | 255.255.255.0 | Network mask for the external interface |
| gateway | 192.168.1.254 | Gateway for the external interface |
| iface1_protocol | tcp | Allow TCP traffic... |
| iface1_port | 80 | ...on port 80 (http) |
| iface2_protocol | tcp | Allow TCP traffic... |
| iface2_port | 443 | ...on port 443 (https) |
| iface3_protocol | tcp | Allow TCP traffic for the PPTP control connection... |
| iface3_port | 1723 | ...on port 1723 (VPN) |
| iface4_protocol | 47 | Allow GRE traffic for the PPTP encapsulation |
| iface4_port | 0 | (not used: GRE has no port numbers) |
This example uses iface4 for the GRE protocol. It is fine to fill in iface4 even if lower-numbered interfaces are left empty.
If a host appears in both the allowed_hosts and the denied_hosts lists, it is denied access: IN first rejects all denied hosts and only then admits those in allowed_hosts, so deny always takes precedence (standard security practice).
iface4_protocol has not been tested with protocols other than tcp and udp, because no appliance supporting GRE or another non-tcp/udp protocol was available.
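The following is an added example, not code from the AppLogic documentation or from the IN appliance itself. It models IN's forwarding decision from the property semantics described above (the allowed_hosts/denied_hosts formats, the iface1-3 protocol/port pairs, the iface4 protocol-number rule with its "port 0 means unchecked" behavior, and deny-before-allow ordering) and runs it against the page's second example plus two constructed variants: one restricting source hosts where a denied subnet sits inside an allowed one, and one showing the iface4 pitfall where tcp with port 0 exposes every TCP port. The function names, the packet arguments and the constructed configurations are assumptions for illustration; IN's real implementation may differ in details the page does not state.

```python
# Added example, not part of the AppLogic documentation or of the IN appliance:
# a model of IN's firewall decision built from the property semantics on this
# page. Function names, packet arguments and the LOCKED/WIDE_OPEN/FIXED
# configurations are assumptions made for illustration.
import ipaddress

TCP, UDP, GRE = 6, 17, 47               # IANA protocol numbers
NAMED_PROTO = {"tcp": TCP, "udp": UDP}  # the only names iface1-3 accept


def parse_hosts(spec):
    """allowed_hosts/denied_hosts: hosts and subnets separated by spaces or
    commas; subnets as a.b.c.d/prefix or a.b.c.d/dotted-mask."""
    return [ipaddress.ip_network(tok, strict=False)
            for tok in spec.replace(",", " ").split()]


def parse_ports(spec):
    """ifaceN_port: comma/space separated ports and lo:hi or lo-hi ranges,
    returned as a list of inclusive (lo, hi) tuples."""
    ranges = []
    for tok in str(spec).replace(",", " ").split():
        lo, _, hi = tok.replace("-", ":").partition(":")
        lo, hi = int(lo), int(hi) if hi else int(lo)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port range %r" % tok)
        ranges.append((lo, hi))
    return ranges


def build_rules(props):
    """Turn the ifaceN_* properties into (protocol_number, port_ranges) rules.
    port_ranges is None when the port is not checked at all."""
    rules = []
    for n in (1, 2, 3):
        proto = props.get("iface%d_protocol" % n, "tcp" if n == 1 else "none")
        port = str(props.get("iface%d_port" % n, "80" if n == 1 else "0"))
        if proto == "none" or port.strip() == "0":
            continue                    # port 0 disables iface1-3 entirely
        rules.append((NAMED_PROTO[proto], parse_ports(port)))
    proto4 = int(props.get("iface4_protocol", 0))
    port4 = str(props.get("iface4_port", "0")).strip()
    if proto4 != 0:                     # 0 = iface4 disabled
        if port4 == "0":
            ranges = None               # unchecked: GRE etc., or ALL tcp/udp ports
        elif proto4 in (TCP, UDP):
            ranges = parse_ports(port4)
        else:
            raise ValueError("iface4_port must be 0 for protocols without ports")
        rules.append((proto4, ranges))
    return rules


def allowed(props, src_ip, proto, dst_port=None):
    """Decision for one incoming packet (source address, IP protocol number,
    destination port or None). Returns True if IN would forward it."""
    src = ipaddress.ip_address(src_ip)
    # Host filter: denied_hosts is evaluated first, so a host present in both
    # lists is rejected; the source must then match allowed_hosts.
    if any(src in net for net in parse_hosts(props.get("denied_hosts", ""))):
        return False
    if not any(src in net for net in parse_hosts(props.get("allowed_hosts", "0.0.0.0/0"))):
        return False
    for rule_proto, ranges in build_rules(props):
        if rule_proto != proto:
            continue
        if ranges is None:
            return True
        if dst_port is not None and any(lo <= dst_port <= hi for lo, hi in ranges):
            return True
    return False


# The page's second example: HTTP, HTTPS, PPTP control channel and GRE.
EXAMPLE2 = {
    "ip_addr": "192.168.1.1", "netmask": "255.255.255.0", "gateway": "192.168.1.254",
    "iface1_protocol": "tcp", "iface1_port": "80",
    "iface2_protocol": "tcp", "iface2_port": "443",
    "iface3_protocol": "tcp", "iface3_port": "1723",
    "iface4_protocol": 47, "iface4_port": "0",
}
# Constructed variant restricting sources: 10.0.5.0/24 lies inside the allowed
# 10.0.0.0/8 but is listed in denied_hosts, and deny wins.
LOCKED = dict(EXAMPLE2, allowed_hosts="10.0.0.0/8, 203.0.113.0/24",
              denied_hosts="10.0.5.0/255.255.255.0")
# Constructed pitfall: iface4 used for TCP with port 0 exposes every TCP port,
# because 0 means "unchecked" on iface4 rather than "disabled" as on iface1-3.
WIDE_OPEN = {"iface4_protocol": 6, "iface4_port": "0"}
FIXED = {"iface4_protocol": 6, "iface4_port": "1723"}

if __name__ == "__main__":
    for name, cfg in (("example2", EXAMPLE2), ("locked", LOCKED),
                      ("wide_open", WIDE_OPEN), ("fixed", FIXED)):
        for pkt in (("10.0.1.1", TCP, 80), ("10.0.5.9", TCP, 80),
                    ("198.51.100.7", TCP, 22), ("198.51.100.7", GRE, None)):
            print(name, pkt, "ALLOW" if allowed(cfg, *pkt) else "DROP")
```

The table-driven run at the bottom prints the decision for each sample packet against each configuration; the WIDE_OPEN row for TCP port 22 is the one to look at when reviewing an IN configuration that uses iface4 for tcp or udp.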