phex security rules not working?

f00bar · #1 (**permalink**) March 5th, 2006

I've been trying to configure phex to communicate only with a certain list of IP addresses. That is, I'm trying to get phex to only work with a whitelist of IPs.

I tried the following security rules:

DENY network mask 0.0.0.0/255.255.255.255
ALLOW network range x.x.0.0-x.x.255.255

However, after applying these rules, I'm still able to connect to servers outside the allowed IP range, and I'm also to download from hosts outside of the range.

Could someone please tell me what I'm doing wrong?

Thanks.

f00bar · #2 (**permalink**) March 6th, 2006

I've also tried setting the blocked range to 0.0.0.0-255.255.255.255 and my client still connects to anything.

GregorK · #3 (**permalink**) March 6th, 2006

I will check this...

it might be that the rules are only checked when collecting IPs... meaning when they first enter Phex from any network source.
...but already collected and cached IPs might not be checked again before a connection attempt is made...

f00bar · #4 (**permalink**) March 6th, 2006

Quote:

Originally posted by GregorK
I will check this...

it might be that the rules are only checked when collecting IPs... meaning when they first enter Phex from any network source.
...but already collected and cached IPs might not be checked again before a connection attempt is made...

I just built the latest version from CVS to test this issue. I deleted all the files in my phex configuration directory (~/.phex) and and created a new security.xml with a rule as follows:

Code:

        <ip-access-rule>
            <description>Deny all.</description>
            <isDenyingRule>true</isDenyingRule>
            <isDisabled>false</isDisabled>
            <triggerCount>0</triggerCount>
            <expiryDate>9223372036854775807</expiryDate>
            <isDeletedOnExpiry>false</isDeletedOnExpiry>
            <addressType>3</addressType>
            <ip>00000000</ip>
            <compareIP>FFFFFFFF</compareIP>
        </ip-access-rule>

Starting phex results in no connections. However, if I activate Ultrapeer mode, the security rule is bypassed and all connections are allowed.

f00bar · #5 (**permalink**) March 6th, 2006

I spoke too soon. Even after clearing the host cache, it appears that some hosts are able to connect.

GregorK · #6 (**permalink**) March 6th, 2006

It looks like the host creep in through the UDP host cache code. It is fairly new and I not yet had a chance to review it deeply.

I filed this bug report in case you like to monitor it.
http://sourceforge.net/tracker/index...21&atid=388892

I do my best to have it fixed for the next release.

Thanks for this nice observation, testing and reporting.

Gregor

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Outpost Firewall - Phex Rules?	moloch88	Help & Support	3	December 31st, 2006 10:36 AM
Phex security	e@t@r00t	General Discussion	0	July 10th, 2005 01:13 AM
Security Rules?	rjpear	General Discussion	12	February 20th, 2005 01:23 PM
Send your ideas for a new Phex Security Concept	GregorK	General Discussion	0	November 21st, 2002 01:52 AM
phex not working well	ken481	General Discussion	0	March 30th, 2002 05:23 AM