Copyright © TIBCO Software Inc. All Rights Reserved


Chapter 6 Network Filters: Overview

Overview
Network filters define where inbound traffic to a Gateway Server may come from, based either on the remote IP address or on the trading partner.
Using Filtering
The property bc.ipfilter.enabled enables or disables IP filtering. If it is disabled (check box unchecked), no filtering takes place at any level and every incoming request is allowed through regardless of its remote IP address. If it is enabled (check box checked), every incoming request is evaluated as follows:
DENY   No filter expression of either type (Deny or Accept) matches the address AND the default policy is Deny.
DENY   At least one filter expression of type Deny matches the address (a matching Deny always wins, even if an Accept also matches).
ACCEPT   No filter expression of either type (Deny or Accept) matches the address AND the default policy is Accept.
ACCEPT   No filter expression of type Deny matches the address AND at least one filter expression of type Accept matches it.
Filtering Levels
Network filters can perform two levels of filtering: the first level on IP addresses, and the second level on the From Participant (trading partner).
The first level of filtering, where IP addresses are specified, takes precedence over the second level of filtering.
First Level Filtering
The first level of filtering is used to deny or accept an IP address. It is exercised for the inbound HTTP or FTPS traffic. It decides whether certain messages will be denied or accepted and then passed to the Interior Server.
The first level of filtering is performed only when the From Participant field, as required for the second level of filtering, is not specified.
 
You can also define the first level filtering by expanding BusinessConnect > System Settings > Activated Protocol Plug-ins and Properties > BC, and then looking for the entry bc.ipfilter.default.noMatchPolicy.
From the menu select the Default IP Filter Policy:
Based on this selection, the default first level filtering will either deny or accept the traffic from a certain IP address if no existing (and active) rules have matched the address.
 
Second Level Filtering
The second level of filtering, which uses the From Participant field, is exercised on the Interior Server only for FTPS transports. It is performed before user authentication, during the FTPS login.
Filter Expressions
Each filter entry holds exactly one filter expression. The expression can either match a remote IP address directly or define an arbitrary range using a specific pattern syntax.
IPv4 canonical textual representation: N1.N2.N3.N4 where N1-4 are segments between 0 and 255 inclusive.
Matching Patterns
Here are some examples of matching patterns to use:
1.2.3.4    Matches the IPv4 address 1.2.3.4 directly. No other address matches this pattern.
1.2.3.*    Matches all the IPv4 addresses between 1.2.3.0 and 1.2.3.255 inclusive, a total of 256 addresses.
1.2.3.4-12    Matches all the IPv4 addresses between 1.2.3.4 and 1.2.3.12 inclusive, a total of 9 addresses.
1.2.3-5.*    Matches all the IPv4 addresses between 1.2.3.0 and 1.2.5.255 inclusive, a total of 768 addresses.
1.2.*    Matches all the IPv4 addresses between 1.2.0.0 and 1.2.255.255 inclusive, a total of 65,536 addresses.
Any combination of ranges (n1-n2) and wildcards (*) is allowed, each applied to its own segment. The expression *.*.*.* matches every possible IPv4 address.
If a pattern does not specify every segment, the omitted segments are canonicalized to the full 0-255 range, so the pattern matches every address within the segments it does specify.
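To make the pattern syntax above and the Deny/Accept evaluation rules from "Using Filtering" concrete, here is an added reference implementation in Python. It is not TIBCO's code; the function names (parse_pattern, pattern_matches, pattern_size, evaluate) and the representation of filter entries as (pattern, type) pairs are assumptions made for this example.

```python
# Added example (not TIBCO's code): pattern syntax + Deny/Accept rules from this page.
import re
_SEG = re.compile(r"^(\*|(\d{1,3})(?:-(\d{1,3}))?)$")  # '*', 'n' or 'n1-n2'

def parse_pattern(pattern):
    """'1.2.3-5.*' -> [(1,1),(2,2),(3,5),(0,255)]; omitted segments become 0-255."""
    parts = pattern.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"bad pattern: {pattern!r}")
    ranges = []
    for part in parts:
        m = _SEG.match(part)
        if not m:
            raise ValueError(f"bad segment {part!r} in {pattern!r}")
        if m.group(1) == "*":
            lo, hi = 0, 255
        else:
            lo = int(m.group(2))
            hi = int(m.group(3)) if m.group(3) is not None else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"segment out of range in {pattern!r}")
        ranges.append((lo, hi))
    return ranges + [(0, 255)] * (4 - len(ranges))  # canonicalize omitted segments

def pattern_matches(pattern, address):
    """True when every octet of the IPv4 address lies in the pattern's segment range."""
    octets = [int(o) for o in address.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {address!r}")
    return all(lo <= o <= hi for o, (lo, hi) in zip(octets, parse_pattern(pattern)))

def pattern_size(pattern):
    """Number of addresses a pattern covers (768 for '1.2.3-5.*')."""
    size = 1
    for lo, hi in parse_pattern(pattern):
        size *= hi - lo + 1
    return size

def evaluate(address, filters, default_policy="Deny", enabled=True):
    """Rules from 'Using Filtering': filters are (pattern, 'Deny'|'Accept') pairs.
    A matching Deny always wins; else a matching Accept accepts; else the default."""
    if not enabled:                      # bc.ipfilter.enabled unchecked: no filtering
        return "ACCEPT"
    matched = {ftype for pat, ftype in filters if pattern_matches(pat, address)}
    if "Deny" in matched:
        return "DENY"
    if "Accept" in matched:
        return "ACCEPT"
    return default_policy.upper()        # bc.ipfilter.default.noMatchPolicy
```

Note that with the default policy left at Deny, an empty filter list blocks every address, which is the safest starting point when rolling out new rules.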
