PMDF System Manager's Guide


Previous Next Contents Index

14.3 The PORT_ACCESS Mapping: Security Rule Sets and User Domains

The PORT_ACCESS mapping can be used to cause PMDF to classify incoming connections into different security rule sets and into different user domains.

Security rule sets provide a way of having connection based security differentiation. For instance, a site might want to use different security mechanisms for connections from "internal" vs. "external" sources.

A site using the PMDF popstore, (which supports multiple user domains ---multiple sets of users with possibly overlapping user names), might also want to authenticate (independent of authentication mechanism) against different sets of user profiles, for instance, "student" profiles vs. "faculty" profiles, depending upon the incoming connection; such sets of user profiles are known as user domains.

For background information on the PMDF mapping file, see Chapter 5; for an introduction to the PORT_ACCESS mapping in particular, see Section 11.5.

The format of a PORT_ACCESS entry specifying a security rule set is:


PORT_ACCESS 
 
 ...    $Ysecurity-rules-set-name
 
and the format of a PORT_ACCESS entry specifying both a security rule set and a user domain is:


PORT_ACCESS 
 
  ...   $Ysecurity-rules-set-name|user-domain
 

For instance, Example 14-10 shows a sample PORT_ACCESS mapping that assigns incoming connections according to server port number to security rule sets named POP-RULES, and IMAP-RULES. Example 14-11 shows a sample PORT_ACCESS mapping that assigns incoming connections from IP addresses in the 192.160.253.* subnet to an INTERNAL security rule set, while assigning all other incoming connections to an EXTERNAL security rule set.

Example 14-12 shows a sample PORT_ACCESS mapping that sorts incoming connections into two user domains, VIP and LABRAT, and into INTERNAL and EXTERNAL security rule sets. This server is assumed to have two IP addresses (via multi-homing or two interface cards), 192.160.253.60 and 192.160.253.61, and selects the user domain based on that. The PORT_ACCESS mapping entries shown specify that users in the VIP user domain are allowed to connect to any port (send or read mail) from external systems, whereas users in the LABRAT user domain, while they can connect to the SMTP port to send mail from external systems, are not allowed to connect to POP or IMAP servers to read mail from external systems.

Example 14-10 PORT_ACCESS Mapping for Security Rule Set Based on Server Port Number

PORT_ACCESS 
 
  TCP|*|110|*|*   $YPOP-RULES 
  TCP|*|143|*|*   $YIMAP-RULES 
 

Example 14-11 PORT_ACCESS Mapping for Security Rule Set Based on Source IP Address

PORT_ACCESS 
 
  TCP|*|*|$(192.160.253.0/24)|*   $YINTERNAL 
  TCP|*|*|*|*                     $YEXTERNAL 
 

Example 14-12 PORT_ACCESS Mapping for Distinguishing User Groups

PORT_ACCESS 
 
  TCP|192.160.253.60|*|$(192.160.253.0/24)|*  $YINTERNAL|VIP 
  TCP|192.160.253.60|*|*|*                    $YEXTERNAL|VIP 
  TCP|192.160.253.61|*|$(192.160.253.0/24)|*  $YINTERNAL|LABRAT 
  TCP|192.160.253.61|25|*|*                   $YEXTERNAL|LABRAT 
  TCP|*|*|*|*                                 $N 
 

Note that the PORT_ACCESS mapping table, being part of the PMDF mapping file, is part of a compiled PMDF configuration. If you are using a compiled PMDF configuration, you will need to recompile and reinstall it after making changes to the PORT_ACCESS mapping table. Also, after changes to the PORT_ACCESS mapping table the PMDF Dispatcher should be restarted with the pmdf restart dispatcher command.


Previous Next Contents Index