Posted to users@httpd.apache.org by Michael Wechner <mi...@wyona.org> on 2003/07/22 15:22:40 UTC

[users@httpd] [mod_access] IP range

Hi

Is there a security reason (or another) why you can't specify
an IP range by a first host address and a last host address within
the Allow directive of mod_access?

For instance the range 192.168.0.71 - 192.168.0.72 is quite tricky
to define with network addresses and network masks.

Thanks

Michael





-- 
Michael Wechner
Wyona Ltd.  -   Open Source Content Management   -   Apache Lenya
http://www.wyona.com              http://cocoon.apache.org/lenya/
michael.wechner@wyona.com                        michi@apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] [mod_access] IP range

Posted by Michael Wechner <mi...@wyona.org>.
Jeff Cohen wrote:

>It just doesn't; even IIS does not support this type of range.
>If in IIS you specify that range, you'll see that it will change it
>from a range to two individual IPs by default.
>
OK. But I think from a user's point of view it makes sense to offer such
an option, even if it might be handled differently on the back side. Or
does such a config option lead to a security problem?

>That's subnetting, a part of networking - we can't do much about it.
>

I guess I have to read more about subnetting to understand where this 
restriction comes from.

Thanks and all the best

Michael



Re: [users@httpd] [mod_access] IP range

Posted by Jeff Cohen <su...@gej-it.com>.
It just doesn't; even IIS does not support this type of range.
If in IIS you specify that range, you'll see that it will change it
from a range to two individual IPs by default.
That's subnetting, a part of networking - we can't do much about it.

All the best,
Jeff Cohen
Support@gej-it.com



Re: [users@httpd] [mod_access] IP range

Posted by Michael Wechner <mi...@wyona.org>.
Jeff Cohen wrote:
> This is called subnetting.
> To deny or to allow access to certain hosts in the network, use subnetting,
> for large networks use super-netting.
> You might be able to use: 192.168.0.71/32 192.168.0.72/32

Well, if I understand it correctly then this is the same as

192.168.0.71/255.255.255.255 192.168.0.72/255.255.255.255.255 ...

but that means I have to specify all the IP numbers within this range.

Why doesn't the module support something like "192.168.0.71-192.168.0.72"?

Thanks

Michael



-- 
Michael Wechner
Wyona Ltd.  -   Open Source Content Management   -   Apache Lenya
http://www.wyona.com              http://cocoon.apache.org/lenya/
michael.wechner@wyona.com                        michi@apache.org
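
Added example, not part of the original thread and not Apache code: a first-last range does not have to be listed address by address, because it splits into a small set of aligned CIDR blocks that can each go on an `Allow from` line in the address/prefix form Jeff suggests. The range 192.168.0.71-192.168.0.100 and the function names are constructed for illustration.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Split the inclusive IPv4 range first..last into the fewest CIDR blocks."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("first address is above last address")
    blocks = []
    while lo <= hi:
        # A block starting at lo can be no larger than lo's alignment
        # (its number of trailing zero bits) ...
        align = (lo & -lo).bit_length() - 1 if lo else 32
        # ... and no larger than the number of addresses still to cover.
        fit = (hi - lo + 1).bit_length() - 1
        bits = min(align, fit)
        blocks.append(ipaddress.IPv4Network((lo, 32 - bits)))
        lo += 1 << bits
    return blocks

def enclosing_cidr(first, last):
    """Smallest single CIDR block containing both ends (usually over-permits)."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    bits = (lo ^ hi).bit_length()  # host bits needed to span both ends
    return ipaddress.IPv4Network((lo >> bits << bits, 32 - bits))

def allow_lines(first, last):
    """Render the exact cover as mod_access Allow directives."""
    return ["Allow from %s" % net for net in range_to_cidrs(first, last)]

if __name__ == "__main__":
    # Constructed sample range: 30 addresses collapse into 5 directives.
    for line in allow_lines("192.168.0.71", "192.168.0.100"):
        print(line)
    # The thread's own range: exact cover versus one rounded-up block.
    print(allow_lines("192.168.0.71", "192.168.0.72"))
    wide = enclosing_cidr("192.168.0.71", "192.168.0.72")
    print("%s would admit %d unintended addresses" % (wide, wide.num_addresses - 2))
```

Rounding the thread's two-address range up to one enclosing block (192.168.0.64/28) would admit 14 addresses that were never meant to be allowed, so an access list should use the exact cover.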


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


RE: [users@httpd] [mod_access] IP range

Posted by Jeff Cohen <su...@gej-it.com>.
This is called subnetting.
To deny or to allow access to certain hosts in the network, use subnetting,
for large networks use super-netting.
You might be able to use: 192.168.0.71/32 192.168.0.72/32

All the best,
Jeff Cohen
Support@GEJ-IT.com
Tel. (416) 917-2324
www.GEJ-IT.com
GEJ-IT Networks!


