HylaFAX The world's most advanced open source fax server

Using proxy for access control

The challenge was to limit the commands one customer can use on a HylaFAX server: a printer driver should be usable, but not any other client that would give access to queues, job states and so on.

So the idea was to limit the commands with a kind of FTP reverse proxy, since HylaFAX uses an FTP-like protocol. It should be possible with ftp-proxy, but for that one would need to implement the new commands.

I implemented a solution with an F5 BIG-IP and iRules. The interesting part is that a typical printer driver uses only a subset of the commands, so I can whitelist those via iRules. The relevant part of the iRule is:

 # Whitelist the verbs a printer driver needs; anything else gets a 550 and the connection is dropped
 if { !($client_data contains "USER" or $client_data contains "PASS" or $client_data contains "TYPE" or
        $client_data contains "MODE" or $client_data contains "PASV" or $client_data contains "STOT" or
        $client_data contains "JNEW" or $client_data contains "JPARM" or $client_data contains "JSUBM") } {
     TCP::respond "550 command not allowed\r\n"
     reject
 }
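The same whitelist as a stand-alone Python filter, added here as an example and not part of the original iRule. It mirrors the iRule's `contains` test and sets a stricter variant beside it that matches the command verb of every CRLF-terminated line exactly, so a disallowed command does not slip through because its argument happens to contain an allowed verb or because two commands arrive in one TCP segment. All sample client lines are constructed.

```python
from typing import Optional

# Command verbs the iRule allows: everything a typical printer driver needs.
ALLOWED_COMMANDS = frozenset(
    {"USER", "PASS", "TYPE", "MODE", "PASV", "STOT", "JNEW", "JPARM", "JSUBM"}
)

REJECT_REPLY = b"550 command not allowed\r\n"


def allowed_by_substring(client_data: bytes) -> bool:
    """Mirror the iRule's `contains` test: the payload passes if any allowed
    verb appears anywhere in it as a (case-sensitive) substring."""
    return any(cmd.encode() in client_data for cmd in ALLOWED_COMMANDS)


def allowed_by_verb(client_data: bytes) -> bool:
    """Stricter variant: split the payload into CRLF-terminated lines, take
    the first whitespace-delimited token of each line as the command verb and
    require an exact, case-insensitive match for every line in the buffer."""
    lines = [ln for ln in client_data.split(b"\r\n") if ln.strip()]
    if not lines:
        return False
    for line in lines:
        verb = line.split(None, 1)[0].decode("ascii", "replace").upper()
        if verb not in ALLOWED_COMMANDS:
            return False
    return True


def proxy_decision(client_data: bytes, strict: bool = True) -> Optional[bytes]:
    """Return None to forward the data to hfaxd, or the reply to send to the
    client before closing the connection (the iRule's respond-then-reject)."""
    ok = allowed_by_verb(client_data) if strict else allowed_by_substring(client_data)
    return None if ok else REJECT_REPLY


if __name__ == "__main__":
    # Constructed samples: a printer-driver login and a queue listing attempt.
    for sample in (b"USER fax\r\n", b"LIST sendq\r\n", b"LIST USER\r\n"):
        print(sample, "->", proxy_decision(sample, strict=False), proxy_decision(sample))
```

Note that `LIST USER` passes the substring test but not the verb test, which is the gap the stricter variant closes.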

This page was last edited on 22 July 2009, at 14:48.

Attribution-ShareAlike 2.5

Project hosted by iFAX Solutions