Examples
Access List samples
In all following examples we'll suppose that:
We will use ALO instead of Access List Object and ALR instead of Access List Rule.
List of basic examples:
1) How to deny access only for one PC - ClientIP example.
1b) How to deny access only for selected PCs - ClientIP example.
1c) How to deny all access from Internet (allow only local stations) - InterfaceIP example.
2) How to allow access only for one PC - ClientIP example.
3) How to deny access for one PC in a specified time range - ClientIP and Time example.
4) How to enable use of HTTP Proxy service only (other services are not allowed) - ServiceName example.
5) How to allow access only to the specified URL in a defined time range - LocalInt, Time and URL example.
6) How to use the hidden authentication feature - pass example.
7) How to allow access to the Admin interface for one PC only - ClientIP, AdminURL example.
List of extended examples:
1) Complicated example :-). See example description - ClientIP, Time, ContentType and ServiceName example.
Description:
We want to deny access to all Proxy+ services for PC1.
Definition of ALOs:
We'll create an ALO named PC1. Its type will be ClientIP and its parameter will be the IP address of PC1, which is 192.168.0.10.
The following line will appear in the list of ALOs (Defined objects) if defined correctly:
PC1=ClientIP;192.168.0.10
Definition of ALRs:
We'll type the following line into Access List Rules on the Access List/Rules page:
deny PC1
Finally, we'll save the new list of ALRs by pressing the Save button and then restart Proxy+.
Description:
We want to deny access to all Proxy+ services for PCs with IP addresses from 192.168.0.10 to 192.168.0.20.
Definition of ALOs:
We'll create an ALO named PCS. Its type will be ClientIP and its parameter will be the IP address range, i.e. 192.168.0.10-192.168.0.20.
The following line will appear in the list of ALOs (Defined objects) if defined correctly:
PCS=ClientIP;192.168.0.10-192.168.0.20
Definition of ALRs:
We'll type the following line into Access List Rules on the Access List/Rules page:
deny PCS
Finally, we'll save the new list of ALRs by pressing the Save button and then restart Proxy+.
Description:
We want to deny all access from the Internet. In other words, we want to use the Access List to secure Proxy+.
Definition of ALOs:
We'll create an ALO named LocalInt. Its type will be InterfaceIP and its parameter will be the IP address of the PC running Proxy+, i.e. 192.168.0.1. This is the IP address of the network card through which requests from LAN stations reach this PC. Other requests (requests from the Internet) arrive through other interfaces, so we can easily eliminate them.
The following line will appear in the list of ALOs (Defined objects) if defined correctly:
LocalInt=InterfaceIP;192.168.0.1
Definition of ALRs:
We'll type the following line into Access List Rules on the Access List/Rules page:
deny !LocalInt
Finally, we'll save the new list of ALRs by pressing the Save button and then restart Proxy+.
Note: If you want to disable all requests from Internet sources, it is much better to use Security settings instead of the Access List.
Description:
We want to deny access to all Proxy+ services for all computers except PC1.
Definition of ALOs:
We'll create an ALO named PC1. Its type will be ClientIP and its parameter will be the IP address of PC1, which is 192.168.0.10.
The following line will appear in the list of ALOs (Defined objects) if defined correctly:
PC1=ClientIP;192.168.0.10
Definition of ALRs:
We'll type the following line into Access List Rules on the Access List/Rules page:
deny !PC1
The "!" character at the beginning of the ALO name makes the rule valid whenever the access comes from a computer with an IP address different from 192.168.0.10.
Finally, we'll save the new list of ALRs by pressing the Save button and then restart Proxy+.
Alternate solution:
This example can also be solved by redefining the ALO that is then used in the ALR.
Definition of ALOs:
We'll create an ALO named NPC1. Its type will be ClientIP and its parameter will be the negation of the IP address of PC1, which is !192.168.0.10.
The "!" character makes the ALO valid only if it's compared to an IP address different from 192.168.0.10.
The following line will appear in the list of ALOs (Defined objects) if defined correctly:
NPC1=ClientIP;!192.168.0.10
Definition of ALRs:
We'll type the following line into Access List Rules on the Access List/Rules page:
deny NPC1
Finally, we'll save the new list of ALRs by pressing the Save button and then restart Proxy+.
Description:
We want to deny access to all Proxy+ services for PC1 between 7:30 AM and 5:00 PM.
Definition of ALOs:
We'll create an ALO named PC1. Its type will be ClientIP and its parameter will be the IP address of PC1, which is 192.168.0.10.
Next we'll create an ALO named TIME. Its type will be Time and its parameter will be the time range, which is 7:30-17:00.
The following lines will appear in the list of ALOs (Defined objects) if defined correctly:
PC1=ClientIP;192.168.0.10
TIME=Time;07:30-17:00
Definition of ALRs:
We'll type the following line into Access List Rules on the Access List/Rules page:
deny PC1 TIME
This combination of the PC1 and TIME ALOs makes the rule valid only if the request comes from the computer with IP 192.168.0.10 between 7:30 AM and 5:00 PM.
Finally, we'll save the new list of ALRs by pressing the Save button and then restart Proxy+.
Description:
We want to allow all computers access to the HTTP Proxy service only.
Definition of ALOs:
We'll create an ALO named HTTPProxy. Its type will be ServiceName and its parameter will be the text "HTTP".
The following line will appear in the list of ALOs (Defined objects) if defined correctly:
HTTPProxy=ServiceName;HTTP
Definition of ALRs:
We'll type the following line into Access List Rules on the Access List/Rules page:
deny !HTTPProxy
Finally, we'll save the new list of ALRs by pressing the Save button and then restart Proxy+.
Description:
We want:
Definition of ALOs:
We'll create an ALO named LocalInt. Its type will be InterfaceIP and its parameter will be the IP address of the interface through which requests can come, which is 192.168.0.1.
Next we'll create an ALO named TIME. Its type will be Time and its parameter will be the time range, which is 7:30-15:30.
Next we'll create an ALO named Address. Its type will be URL and its parameter will be the text "www.company.com".
The following lines will appear in the list of ALOs (Defined objects) if defined correctly:
LocalInt=InterfaceIP;192.168.0.1
TIME=Time;07:30-15:30
Address=URL;www.company.com
Definition of ALRs:
We'll type the following lines into Access List Rules on the Access List/Rules page:
deny !LocalInt
deny LocalInt !Address TIME
Finally, we'll save the new list of ALRs by pressing the Save button and then restart Proxy+.
Description:
We want Proxy+ to add a username and password to requests from computer PC1 when it accesses documents on a WWW server.
URL addresses of the secret documents start with: www.server.com/secret
Username is: user
Password is: passwd1
Note: This feature can be used to add a username/password to requests without the client's knowledge. In other words, the client doesn't need to know the username or the password. Only the system administrator knows them.
Definition of ALOs:
We'll create an ALO named PC1. Its type will be ClientIP and its parameter will be the IP address of PC1, which is 192.168.0.10.
Next we'll create an ALO named Secret. Its type will be URL and its parameter will be the URL of the documents, which is http://www.server.com/secret.
Next we'll create an ALO named Password. Its type will be Parameter and its parameter will be the text "user:passwd1".
The following lines will appear in the list of ALOs (Defined objects) if defined correctly:
PC1=ClientIP;192.168.0.10
Secret=URL;http://www.server.com/secret
Password=Parameter;user:passwd1
Definition of ALRs:
We'll type the following line into Access List Rules on the Access List/Rules page:
pass PC1 Secret Password
Finally, we'll save the new list of ALRs by pressing the Save button and then restart Proxy+.
Description:
We want to allow access to Proxy+'s WWW Admin interface only for PC1.
Definition of ALOs:
We'll create an ALO named PC1. Its type will be ClientIP and its parameter will be the IP address of PC1, which is 192.168.0.10.
We'll create an ALO named Admin. Its type will be AdminURL and its parameter will be '*'.
The following lines will appear in the list of ALOs (Defined objects) if defined correctly:
PC1=ClientIP;192.168.0.10
Admin=AdminURL;*
Definition of ALRs:
We'll type the following line into Access List Rules on the Access List/Rules page:
deny !PC1 Admin
Alternatively, you can use the following longer definition:
allow PC1 Admin
deny Admin
Finally, we'll save the new list of ALRs by pressing the Save button and then restart Proxy+.
Description:
We want:
Definition of ALOs:
We'll create an ALO named PC1. Its type will be ClientIP and its parameter will be the IP address of PC1, which is 192.168.0.10.
Next we'll create an ALO named LocalIP. Its type will be ClientIP and its parameter will be the list of local IPs, which is 192.168.0.0/255.255.255.0.
Next we'll create an ALO named Proxy. Its type will be ServiceName and its parameter will be the list of allowed services, which is the text "HTTP, FTP, FTPG".
Next we'll create an ALO named TIME. Its type will be Time and its parameter will be the time range, which is 7:30-15:30.
Next we'll create an ALO named SaSu. Its type will be Time and its parameter will be the specification of weekend days, which is the text "Saturday, Sunday".
Finally we'll create an ALO named Content. Its type will be ContentType and its parameter will be the list of allowed file types, which is the text "text/*, image/*".
The following lines will appear in the list of ALOs (Defined objects) if defined correctly:
LocalIP=ClientIP;192.168.0.0/255.255.255.0
PC1=ClientIP;192.168.0.10
Proxy=ServiceName;HTTP,FTP,FTPG
TIME=Time;07:30-15:30
SaSu=Time;Saturday,Sunday
Content=ContentType;text/*,image/*
Definition of ALRs:
We'll type the following lines into Access List Rules on the Access List/Rules page:
allow PC1
deny !LocalIP
deny LocalIP !TIME
deny LocalIP !Proxy
deny LocalIP SaSu
deny LocalIP !Content
The ALRs can also be specified as follows:
allow PC1
deny !LocalIP
deny !TIME
deny !Proxy
deny SaSu
deny !Content
This is possible because the first two lines have already filtered out the IP addresses of computers with specific access rights, so no computer with an IP address outside those defined in LocalIP can reach the rules on line 3 and later. LocalIP can therefore be omitted from those ALRs.
Finally, we'll save the new list of ALRs by pressing the Save button and then restart Proxy+.
Related Links:
Art04113 - I can't access the P+ due to incorrect Access List settings