Browse
 
Tools
Rss Categories

Manager Access Control List

Reference Number: AA-02101 Views: 924 0 Rating/ Voters

Using the Access Control List (ACL) with LumenVox Manager can help eliminate unwanted traffic connecting to the LumenVox manager, which is what hosts the web-based Dashboard management interface.

The ACL implemented by the manager provides IP address filtering (like a firewall) to selectively permit or deny access based on the IP address of the incoming connection. By default, the ACL allows access to all IP addresses without restriction.

You can modify the ACL by editing the ACCESS_CONTROL_LIST setting in the manager.conf configuration file.


Specifying Multiple IP Address Ranges

One useful feature of the manager's ACL is the ability to specify a number of IP addresses or address ranges for access inclusion or exclusion. When using multiple ranges, these should be in the form of a comma separated list.

For example, if you wanted to only allow access to IP Address 192.168.55.101 and 192.168.55.102 to the Dashboard's web interface, you could specify this as follows:

ACCESS_CONTROL_LIST = +192.168.55.101,+192.168.55.102

Note that the + marks at the beginning of each IP address explicitly permit these IP addresses. Also note that once an ACL is specified, all other IP addresses and ranges will automatically be excluded. This means that after making this change (and restarting the Manager service), only those two IP addresses would be able to access the Dashboard. All other IP addresses and ranges would be rejected, receiving no response at all from the manager.

In addition to individual IP Addresses, you can specify a range of IP addresses in a number of ways, such as:

ACCESS_CONTROL_LIST = +192.168/16

...this would permit only those addresses in the 192.168/16 subnet

or:

ACCESS_CONTROL_LIST = +192.168.0.0/8

...this would only permit those addresses in the 192.168/8 subnet

To learn more about subnet masks, read the following Wikipedia Page on Subnetwork

 

Whitelist Entries

A whitelist is a collective term for a range of IP addresses that are permitted access to the manager/Dashboard. When an ACL is added to the configuration, you can specify the IP address or range of IP addresses to permit access, by adding a "+" in front of the entry.

All of the above are examples of specifying a whitelist, since they all have the "+" at the beginning of each entry.

Remember that specifying any ACL will automatically mean that all other IP addresses and ranges not mentioned will be excluded, this includes the loopback or localhost address, if it is not specified.

 

Blacklist Entries

A blacklist is a collective term for a range of IP addresses that are not permitted access to the manager/Dashboard. When an ACL is added to the configuration, you can specify the IP address or range of IP addresses to explicitly deny access, by adding a "-" in front of the entry.

Note that in versions up to and including LumenVox 14.1, blacklist entries (with the minus sign at the beginning) are NOT implemented. Instead, the use of whitelist entries is relied on - any IP address or range that is not specified in the whitelist is implicitly denied access. The only exception to this is the default setting where no ACL is specified - this means that all IP addresses and ranges are permitted by default.


Denied Access Logging

By default, any IP addresses that are denied access that attempt to access the manager's Dashboard will be rejected and a log message will be recorded in the manager_http_error.txt file in the logs folder. Entries for IP addresses that are denied access will look something like this, indicating the timestamp as well as the IP address being denied (192.168.55.41 in this case):

[1450214181] [error] [client 0.0.0.0] accept_new_connection: 192.168.55.41 is not allowed to connect

Note that these errors will be logged regardless of the configuration of the HTTP_LOGGING setting in manager.conf, which should allow you to diagnose any connectivity issues you encounter.