Managing Service Control Rules

Axigen Documentation

Each service has a prioritized list of "Allow Rules" and a list of "Deny Rules", in the same way a listener does. Flow control parameters may be defined for each allow rule. "Access Rules" are of two types (Allow/Deny) and may be defined on the following levels:

  • listener

  • service

Listener Access Rules take precedence: if both a listener-level rule and a service-level rule match an incoming connection, the listener-level rule applies.

An Access Rule is described by two parameters: a host (a single IP, an IP range or a subnet) and an action (allow, deny or "service rule"). The "service rule" action means in practice that the listener rule is disregarded and further checks are made against the service-level rules. "Service rule" can be selected as the action ONLY for the "host:any" access rule.
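The evaluation order described above (prioritized rules, listener level first, "service rule" on host:any handing the decision down to the service level) can be modelled in a few lines. The following is an added illustration written for this page, not Axigen code; the rule and function names are hypothetical, the IP values are constructed, and the fallback of denying a connection that matches no rule at all is an assumption of this model, since the page does not state what happens in that case.

```python
"""Model of two-level (listener / service) access rule resolution.

Added illustration, not Axigen code. The host formats accepted here
("any", a single IP, "start-end" range, "net/mask") mirror the three
connection types named on the page; names are hypothetical.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ALLOW, DENY, SERVICE_RULE = "allow", "deny", "service rule"


@dataclass
class AccessRule:
    host: str        # "any", "192.0.2.10", "192.0.2.10-192.0.2.20" or "192.0.2.0/24"
    action: str      # ALLOW, DENY or SERVICE_RULE
    enabled: bool = True

    def __post_init__(self):
        # The page: "service rule" is valid ONLY for the host:any rule.
        if self.action == SERVICE_RULE and self.host != "any":
            raise ValueError('"service rule" is only valid for the host:any rule')

    def matches(self, ip: str) -> bool:
        if not self.enabled:
            return False
        if self.host == "any":
            return True
        addr = ipaddress.ip_address(ip)
        if "-" in self.host:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in self.host.split("-", 1))
            return lo.version == addr.version and lo <= addr <= hi
        if "/" in self.host:
            return addr in ipaddress.ip_network(self.host, strict=False)
        return addr == ipaddress.ip_address(self.host)


def first_match(rules: List[AccessRule], ip: str) -> Optional[AccessRule]:
    # Rules are kept in priority order (the up/down arrows in the UI):
    # the first enabled rule that matches wins.
    for rule in rules:
        if rule.matches(ip):
            return rule
    return None


def resolve_access(listener_rules: List[AccessRule],
                   service_rules: List[AccessRule], ip: str) -> str:
    """Return ALLOW or DENY for a connection from `ip`.

    Listener rules are consulted first and a match is final, unless its
    action is "service rule", which delegates to the service-level list.
    No match on either level -> DENY (assumption of this model).
    """
    hit = first_match(listener_rules, ip)
    if hit is not None and hit.action != SERVICE_RULE:
        return hit.action
    hit = first_match(service_rules, ip)
    return hit.action if hit is not None else DENY


# Constructed sample configuration (addresses are documentation ranges).
LISTENER_RULES = [
    AccessRule("10.0.0.0/8", DENY),            # listener-level deny wins outright
    AccessRule("192.0.2.0/24", ALLOW),         # listener-level allow beats service deny
    AccessRule("any", SERVICE_RULE),           # everything else: ask the service level
]
SERVICE_RULES = [
    AccessRule("198.51.100.10", ALLOW),        # one host carved out of a denied range
    AccessRule("198.51.100.0-198.51.100.50", DENY),
    AccessRule("192.0.2.0/24", DENY),          # never reached: listener allowed it
    AccessRule("any", ALLOW),                  # the default rule every TCP service gets
]

if __name__ == "__main__":
    for ip in ("10.1.2.3", "192.0.2.7", "198.51.100.10", "198.51.100.20", "203.0.113.5"):
        print(ip, "->", resolve_access(LISTENER_RULES, SERVICE_RULES, ip))
```

Running the sample shows the three precedence cases side by side: the 10/8 address is denied at listener level before the service rules are even read, the 192.0.2.0/24 address is allowed by the listener although the service would deny it, and only the remaining addresses fall through to the service-level list, where the carve-out for a single host inside a denied range is honoured because it is listed first.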

Example: Access Control rules for the SMTP Receiving module

Service Level: Use the options under "Service Level" to specify the set of rules that allow specific IP addresses on the currently configured service. To edit or delete an already defined rule, click its "Edit" or "Delete" button on the right-hand side of the listener. To add a new rule, use the "Add Rule" button.

Editing a rule or adding a new one displays the same configuration fields: the action to be taken for connections matching the configured parameter (allow or deny them access) and the type of connections the action applies to (a single IP, an entire IP range, or a Network/Mask).

Use the drop-down menus to select the allowed or denied connections and fill in the corresponding IP values. To enable the newly configured rule, check the "Enable this rule" box, then click the "Save rule" button.

Use the up and down arrows (next to the "Delete" button) to set priorities between the rules, and click the "Flow Control" button to enforce global access limitations for the rule, using the same options described in the section below. By default, every TCP service is created with a rule allowing any IP address.

Flow control

Flow Control can be enforced per:

  • listener;

  • service;

  • listener-level allow rule;

  • service-level allow rule.

The listener "Flow Control" parameters include a check-box which, when selected, greys out all the editable fields and sets every parameter to zero; as explained next to it, enabling this disregards all limits at listener level and enforces those set at service level.

The per-listener configuration always has priority over the service configuration. In other words, an "Access Rule" or a "Flow Control" defined for a listener that matches a connection always overrides any rule defined at service level, even if the latter matches as well.

If all "Flow Control" parameters at listener level are zero, a matching connection is governed by the service-level parameters. If at least one listener-level parameter is set (non-zero), the matching connection is governed by ALL the parameters at listener level, i.e. every service-level match is disregarded, even for the parameters that were zero at listener level.
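The all-or-nothing rule above is easy to get wrong when reading a configuration: a single non-zero listener limit does not merge with the service limits, it replaces them, zeros included. The following added example (written for this page, not Axigen code; names and the connection trace are constructed) models that precedence and then applies the resulting four limits to a short sequence of connection attempts, so the effect of the "zero means unset" convention can be observed.

```python
"""Model of listener-over-service flow control precedence.

Added illustration, not Axigen code. Field names are hypothetical; a value
of 0 means "not set" on that level, matching the page's description.
"""
from collections import deque
from dataclasses import dataclass, fields
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class FlowLimits:
    max_connections: int = 0                  # simultaneous connections
    max_connections_per_ip: int = 0           # concurrent connections per remote IP
    max_new_per_interval: int = 0             # new connections within the interval
    max_new_per_ip_per_interval: int = 0      # new connections per remote IP within the interval
    interval_seconds: int = 60                # default interval on the page: 1 minute

    def is_unset(self) -> bool:
        """True when every limit (the interval itself excluded) is zero."""
        return all(getattr(self, f.name) == 0
                   for f in fields(self) if f.name != "interval_seconds")


def effective_limits(listener: FlowLimits, service: FlowLimits) -> FlowLimits:
    """Listener limits apply in full if any one of them is non-zero;
    only an entirely unset listener level falls through to the service.
    Fields are never merged individually."""
    return service if listener.is_unset() else listener


class FlowController:
    """Admission control for one listener using a FlowLimits set."""

    def __init__(self, limits: FlowLimits):
        self.limits = limits
        self.active: Dict[str, int] = {}                 # ip -> open connections
        self.recent: Deque[Tuple[float, str]] = deque()  # (time, ip) of admitted connections

    def _prune(self, now: float) -> None:
        # Drop admissions older than one interval from the sliding window.
        while self.recent and now - self.recent[0][0] >= self.limits.interval_seconds:
            self.recent.popleft()

    def connect(self, ip: str, now: float) -> bool:
        """Return True if a new connection from `ip` is admitted. A zero
        limit disables the corresponding check."""
        self._prune(now)
        lim = self.limits
        if lim.max_connections and sum(self.active.values()) >= lim.max_connections:
            return False
        if lim.max_connections_per_ip and self.active.get(ip, 0) >= lim.max_connections_per_ip:
            return False
        if lim.max_new_per_interval and len(self.recent) >= lim.max_new_per_interval:
            return False
        per_ip_recent = sum(1 for _, r in self.recent if r == ip)
        if lim.max_new_per_ip_per_interval and per_ip_recent >= lim.max_new_per_ip_per_interval:
            return False
        self.active[ip] = self.active.get(ip, 0) + 1
        self.recent.append((now, ip))
        return True

    def disconnect(self, ip: str) -> None:
        if self.active.get(ip, 0) > 0:
            self.active[ip] -= 1


def run_sample() -> Tuple[List[bool], List[bool]]:
    """Constructed trace: the same service limits under two listener settings."""
    service = FlowLimits(max_connections=100, max_new_per_ip_per_interval=1)
    ip = "198.51.100.7"

    # Case A: listener sets one limit, so ALL four listener values apply and the
    # service's 1-per-minute-per-IP limit is disregarded although the listener's is 0.
    fc = FlowController(effective_limits(FlowLimits(max_connections_per_ip=2), service))
    case_a = [fc.connect(ip, 0), fc.connect(ip, 1), fc.connect(ip, 2)]
    fc.disconnect(ip)
    case_a.append(fc.connect(ip, 3))

    # Case B: listener entirely unset (the check-box), so the service limits govern.
    fc = FlowController(effective_limits(FlowLimits(), service))
    case_b = [fc.connect(ip, 0), fc.connect(ip, 1), fc.connect(ip, 61)]
    return case_a, case_b


if __name__ == "__main__":
    print(run_sample())
```

In case A the third attempt is refused only because two connections from the host are already open, and the fourth is admitted as soon as one closes, even though the service level would have allowed just one new connection per minute; in case B, with the listener level unset, that service limit is what refuses the second attempt until the interval has elapsed.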

Within the "Flow Control" section, you can enforce global access limitations on this listener by setting the maximum number of: simultaneous connections; concurrent connections from each remote IP address; new connections to the listener within a defined time period; and connections from each remote IP address within a defined time interval. The default time interval is 1 minute.

Use the up and down arrows and drop-down menus to specify the desired parameters and values.

After making the configurations click the "Save Configuration" button to preserve your changes.