This topic takes a more detailed look at the addresses page of the various Services within FTGate. Specifically, it covers how adding an IP address or a range affects access to the services, and some of the benefits of adding IPs to the field(s) on the addresses pages. We will also look at how the different fields interact with each other.
The main benefit of the addresses page is that it can be used to increase security of the services in the following ways:
Define LAN IP addresses
Allow non-LAN IP addresses access to the service
Block defined IP addresses from accessing the service
So to explain how these work:
By adding an IP address or range to 'The following addresses are from local domains' field, those IPs will be allowed unrestricted access to the service. No security lookups, e.g. MAPS RBL (if enabled), are carried out for them other than the check of the defined user name and password.
The addresses in the 'The following addresses are from local domains' field do not have to be from just the LAN; they can be from anywhere. By defining them here they are treated as local or friendly.
Having defined a range of IP addresses, you may wish to block access from a specific machine, or from a department which has a smaller range within the larger range defined in 'The following addresses are from local domains' field. To do this, define the machine IP address or the range in the 'Refuse connections from the following addresses' field.
The aim of this example is to detail how to:
Add a class "B" IP range to allow access to a service
Block two specific IP addresses from accessing a service
Block the whole of a class "C" address range from accessing a service
This is achieved by following these steps:
Add the class "B" IP range 192.168.x.x subnet 255.255.0.0 to 'The following addresses are from local domains' field
Add two specific IP addresses, 192.168.0.26 and 192.168.0.169, both with the subnet mask 255.255.255.255, to the 'Refuse connections from the following addresses' field
Add the Class "C" address range 192.168.1.x subnet 255.255.255.0 to the 'Refuse connections from the following addresses' field
This will allow access to the whole of the Class "B" IP address range except for those IP addresses defined in the 'Refuse connections from the following addresses' field. This can be adapted for any configuration of IP addresses and/or ranges by defining them in the specific field.
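The interaction between the two fields in the example above can be modelled as follows. This is an added example, not FTGate's own code: the function names are hypothetical, and it assumes that the refuse field is checked before the local field (as the outcome described above implies) and that an address in neither field is treated as non-local and gets the normal security lookups.

```python
import ipaddress

# Entries from the worked example above, as (address, subnet mask) pairs.
# 192.168.x.x is written as 192.168.0.0 and 192.168.1.x as 192.168.1.0.
LOCAL = [("192.168.0.0", "255.255.0.0")]
REFUSE = [
    ("192.168.0.26", "255.255.255.255"),
    ("192.168.0.169", "255.255.255.255"),
    ("192.168.1.0", "255.255.255.0"),
]

def to_networks(entries):
    """Turn (address, mask) pairs into ip_network objects."""
    return [ipaddress.ip_network(f"{addr}/{mask}") for addr, mask in entries]

def classify(client, local=LOCAL, refuse=REFUSE):
    """Return 'refused', 'local' or 'non-local' for a client address."""
    ip = ipaddress.ip_address(client)
    # Assumption: refuse entries win, so a narrow refuse range carves
    # an exception out of a wider local range.
    if any(ip in net for net in to_networks(refuse)):
        return "refused"
    if any(ip in net for net in to_networks(local)):
        return "local"      # friendly: no RBL-style lookups
    return "non-local"      # assumption: normal security checks apply

def effective_local(local=LOCAL, refuse=REFUSE):
    """Local ranges with every refused range removed, as a sorted list."""
    nets = to_networks(local)
    for r in to_networks(refuse):
        remaining = []
        for n in nets:
            if r.subnet_of(n):
                # Split n into the pieces that do not overlap r.
                remaining.extend(n.address_exclude(r))
            elif not n.subnet_of(r):
                remaining.append(n)  # disjoint from r, keep unchanged
            # else: n lies wholly inside r and is dropped
        nets = remaining
    return sorted(nets)

if __name__ == "__main__":
    # Constructed sample client addresses.
    for client in ("192.168.5.10", "192.168.0.26", "192.168.1.77", "203.0.113.9"):
        print(client, classify(client))
    print(sum(n.num_addresses for n in effective_local()), "addresses stay local")
```

Running effective_local() against a planned configuration before entering it shows exactly which addresses will still skip the security lookups.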