Sustainable Sustworks - Tools for Internet Travel
Application Note 2001

Setting Up IPNetSentry - IPNetAuthorize for Remote Authorized Access



Consider the following scenario

You only want to give specified remote Internet users access to your network (or your single machine, if only one machine is connected to the Internet).

If the remote users have static IP addresses, there is no problem. You simply BLOCK all access to specific services on your network with either IPNetSentry or IPNetRouter, then "punch holes" in these filters to PASS the specified remote users with static IP addresses.

BUT what do you do when remote users have dynamic IP addresses (which is often the case)? In this situation you cannot simply punch holes in your firewall filters, because you never know the exact IP address of the remote user ahead of time.

This is the function of a new feature in IPNetSentry (v1.3.8 or later) when used in conjunction with the IPNetAuthorize client: providing authorized access to remote users who have dynamic IP addresses.

Setting It Up

1. You must have IPNetSentry v1.3.8 or later installed.

2. Turn OFF IPNetSentry with the IPNetSentry Companion.

3. Open the IPNetSentry Config file with SimpleText (or BBEdit, etc.). Choose a port to use for authorization. Many ISPs intentionally block incoming traffic on ports below 1024, so you might wish to choose a port above this range. For this example we will assume we have chosen port 2525.

4. Add the following line to your IPNetSentry Config file (right below the #set\payload_inspection commands):

#set\password\\2525\trythis\Password Access\\600

The above command will authorize a remote user who comes in on UDP Port 2525 using the Password "trythis". Access will be permitted for 600 seconds. When access is granted, the alert will display "Password Access" as the service.

The general syntax of the #set\password command is:

#set\password\interface\port\password_string\service_string\notification\access_time

If no interface is specified, the default interface will be used (as set up in the TCP/IP control panel).

If no notification is provided, the default IPNetSentry notification mechanism will be used.

5. IF you are not running IPNetRouter, you will need to add the BLOCK service filters in the IPNetSentry Config file. For example, say you are running a web server on Port 80 and a mail server on Ports 25 and 110, but you only want authorized remote users to reach these servers. You need to block ALL access to them, which can be done with the following filter commands in the IPNetSentry Config file. (Note that the authorization datagram itself arrives on UDP port 2525; the tcp filters below leave it alone, and whatever you block must never cover that port, or no one will be able to authorize.)

+filter\Default_Interface\Rcv\Block\tcp\*\*\*\*\25\
+filter\Default_Interface\Rcv\Block\tcp\*\*\*\*\80\
+filter\Default_Interface\Rcv\Block\tcp\*\*\*\*\110\

Another approach is to just block ALL tcp ports below 1024, e.g.:

+filter\Default_Interface\Rcv\Block\tcp\*\*\*\*\1-1023\

IF you ARE running IPNetRouter, you can add similar filters directly through the IPNetRouter Filter window.

6. Save the IPNetSentry Config file and close it. Turn ON IPNetSentry.

7. On a remote machine, download and install the appropriate IPNetAuthorize client for your remote platform:

IPNetAuthorize Client for Mac OS X

IPNetAuthorize Client for Classic Mac OS

IPNetAuthorize Client for Windows (95, Me, NT, 2000, XP)

8. Launch the IPNetAuthorize client on the remote machine. Enter the destination (IP address or Domain Name), Port (2525 in our example), and password ("trythis" in our example). Click the "Authorize" button. IPNetSentry should recognize the incoming datagram and insert a PASS filter for this specific IP address. This filter will expire in 600 seconds (as set in our example #set\password command). To check that it worked, connect from the remote machine to one of the blocked services (e.g. port 80) and then look in the IPNetSentry Log file for the "Password Access" entry.

Notes

- You cannot use the same password simultaneously from two different remote IP addresses. Using the same password more than once will automatically remove any existing PASS filters which were invoked by that same password. This is a security feature. For example, say your PPP connection dropped during your session. You then reconnect to your dial-up ISP, and are assigned a new IP address. You then re-authorize using the IPNetAuthorize client. Your re-authorization would automatically drop the existing PASS filter for your previous PPP connection.

- Unauthorization can only be performed by the aged filter timeout mechanism. There is no explicit "log out": a PASS filter is removed only when its access_time expires (or when the same password is used again, as described above). While this has some limitations, it also ensures that unattended access will always time out.

- There is NO encryption performed by IPNetAuthorize or IPNetSentry. The password is sent in the clear in the authorization datagram, and the traffic passed afterwards is equally unprotected, so this solution is not a general replacement for virtual private networks (VPNs). Treat the password as a shared secret that anyone able to observe the traffic can read, and do not reuse it elsewhere. In many cases, however, users are less concerned about data encryption than about unauthorized access to their server(s) or network.
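The following Python model ties together the setup steps above and the two notes on same-password re-use and timeouts. It is an added illustration, not Sustworks code: the IPNetAuthorize wire format is not documented in this note, so the model does not speak the real protocol. It only parses the #set\password line syntax given above and models the PASS-filter lifecycle IPNetSentry applies (one address per password, expiry after access_time, PASS punching through the BLOCK filters). The class and function names, the fake clock, and the 203.0.113.x addresses are assumptions made for the example.

```python
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PasswordRule:
    interface: Optional[str]      # None -> default interface (TCP/IP control panel)
    port: int                     # UDP port the IPNetAuthorize datagram arrives on
    password: str
    service: str                  # shown as the service in the alert / log
    notification: Optional[str]   # None -> IPNetSentry's default notification
    access_time: int              # seconds the PASS filter lives


def parse_set_password(line: str) -> PasswordRule:
    """Parse '#set\\password\\interface\\port\\password_string\\service_string\\notification\\access_time'.
    An empty interface or notification field means 'use the default'."""
    parts = line.rstrip("\r\n").split("\\")
    if len(parts) != 8 or parts[0] != "#set" or parts[1] != "password":
        raise ValueError("not a #set\\password line: %r" % line)
    _, _, iface, port, password, service, notify, secs = parts
    if not password:
        raise ValueError("password_string must not be empty")
    return PasswordRule(iface or None, int(port), password, service, notify or None, int(secs))


@dataclass
class PassFilter:
    ip: str
    password: str
    service: str
    expires: float


class SentryModel:
    """Timed PASS filters keyed on the source address of an accepted datagram (model only)."""

    def __init__(self, rules: List[PasswordRule], blocked_tcp_ports: range, clock=time.monotonic):
        self.rules: Dict[Tuple[int, str], PasswordRule] = {(r.port, r.password): r for r in rules}
        self.blocked = blocked_tcp_ports     # e.g. range(1, 1024) for the 1-1023 BLOCK filter
        self.clock = clock                   # injectable so the timeout can be tested
        self.filters: List[PassFilter] = []
        self.log: List[str] = []

    def authorize(self, src_ip: str, udp_port: int, password: str) -> bool:
        """Handle one authorization datagram. Unknown port/password pairs are ignored."""
        rule = self.rules.get((udp_port, password))
        if rule is None:
            return False
        # One address per password: a repeat of the same password (e.g. after a PPP
        # redial handed the user a new IP) drops the PASS filter it created before.
        self.filters = [f for f in self.filters if f.password != password]
        self.filters.append(PassFilter(src_ip, password, rule.service, self.clock() + rule.access_time))
        self.log.append("%s: PASS %s for %d seconds" % (rule.service, src_ip, rule.access_time))
        return True

    def _expire(self) -> None:
        # The only way a PASS filter goes away on its own: the aged-filter timeout.
        now = self.clock()
        self.filters = [f for f in self.filters if f.expires > now]

    def is_authorized(self, src_ip: str) -> bool:
        self._expire()
        return any(f.ip == src_ip for f in self.filters)

    def allows_tcp(self, src_ip: str, dst_port: int) -> bool:
        """Would an inbound TCP connection from src_ip to dst_port get through?"""
        if self.is_authorized(src_ip):
            return True                      # the PASS filter punches through the BLOCK filters
        return dst_port not in self.blocked


def demo() -> List[bool]:
    """Walk through the note's scenario with a fake clock; returns the decisions in order."""
    now = [1000.0]
    rule = parse_set_password(r"#set\password\\2525\trythis\Password Access\\600")
    s = SentryModel([rule], range(1, 1024), clock=lambda: now[0])
    out = []
    out.append(s.allows_tcp("203.0.113.7", 80))               # False: blocked, not yet authorized
    out.append(s.authorize("203.0.113.7", 2525, "wrong"))     # False: bad password, ignored
    out.append(s.authorize("203.0.113.7", 2525, "trythis"))   # True: PASS filter inserted
    out.append(s.allows_tcp("203.0.113.7", 80))               # True
    out.append(s.authorize("203.0.113.9", 2525, "trythis"))   # True: same password, new IP
    out.append(s.allows_tcp("203.0.113.7", 80))               # False: earlier filter dropped
    now[0] += 601                                             # access_time has elapsed
    out.append(s.allows_tcp("203.0.113.9", 80))               # False: filter aged out
    out.append(s.allows_tcp("203.0.113.9", 2000))             # True: port was never blocked
    return out
```

Running demo() reproduces the sequence in the note: a wrong password is silently ignored, the first good datagram opens the blocked ports for that source address only, re-authorizing from a second address closes the first, and the filter disappears by itself once access_time has passed.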

Other Uses

There are situations when you might also wish to limit access to services on internal LAN machines. For example, say that you want to give all LAN clients access to web and email services, but only one machine on the LAN at a time should have general access to all other services (webcasts, streaming audio, etc.). You can easily do this with IPNetRouter, IPNetSentry, and IPNetAuthorize.

First you would add the filters to IPNetRouter which prevent access to all services below port 1024. You would then punch holes in this main blocking filter to give access to essential services such as HTTP, POP, SMTP, DNS, DHCP (if needed).

Then, in the IPNetSentry Config file you would add a #set\password command to permit access by any one of the client machines to all services:

#set\password\Ethernet slot J9\2525\trythis\Password Access\\600

Note that we have specified the interface on which this password command will be set (we are assuming our private LAN is connected to the Ethernet slot J9 port).

In this manner only one of the client machines at a time will have access to all services. In addition, whenever a client machine requests such access, you will have a record of the event in the IPNetSentry Log file.



Please send questions, comments, or suggestions using our general requests form:

http://www.sustworks.com/site/sup_questions.html
