
Chapter 9: Limiting Access to RealProxy

In this chapter, you'll learn how you can restrict access to certain clients based on their IP addresses.

Overview

You can block or permit access to specific RealProxy ports based on the IP address of the client and the port to which they are sending their requests. Clients whose IP addresses are configured with "deny" receive an error message indicating that the URL is not valid or that the connection has timed out.

For example, you can restrict which clients can send requests to your RealProxy by restricting access to the RTSP Proxy port (usually 554).

Additional Information
To learn how to give access to RealSystem Administrator based on user name, see "Restricting Access to RealSystem Administrator".

Information about each IP address or range of addresses you want to allow or restrict is stored in a rule. A rule is a set of instructions to RealProxy about the address range and behavior to allow. Rules are identified by numbers which you assign.

Each rule contains the following information:

When a client attempts to play a RealProxy presentation, RealProxy compares the client's address and the requested port to the addresses and ports listed in the rules.

Before using this feature, you must make decisions about the types of rules you will create. You can create as many rules as you like.

Creating Rules

There are two ways you can restrict access, and these determine how you set up the rules.

When you create a rule, you give it a number. RealProxy uses these numbers to sort the rules before it looks at a client's request. You do not have to create the rules in a certain order; RealProxy will perform the sorting automatically.

RealProxy compares the client's IP address and requested port to the sorted rules, beginning with the lowest-numbered rule. As soon as RealProxy finds a rule that matches the client's address, it allows or denies access, according to the rule's characteristics.

Tip
Rule numbers can be any length, but a number of more than one digit allows you to quickly add more rules later, without renumbering existing rules. Also, because RealProxy examines the rules in numeric order, you should make the lowest-numbered rules the most strict. Reserve high rule numbers for the most lenient rules. This is similar to the schema for firewall addresses.

The following table summarizes the denial/permission sets of rules, and suggests numbering schemes.

Suggested Rule Schemes

Each rule set below lists the contents of its rules under the two schemes, Specific Address Denial and Specific Address Permission.

Rule 0
    Built-in rule. Do not edit this rule. This rule permits access to RealProxy from an application running on the same computer.

Rule 1
    Built-in rule. Do not edit this rule. This rule prevents other computers from accessing ports 6060 and 7070, which are reserved for RealProxy's use.

Rule 2: Specific client addresses
    Suggested rule numbers: 2 - 49
    Rule 2 is supplied, but you may edit it.

    Specific Address Denial
        Clients prevented from accessing RealProxy.
        Client IP address: specific client addresses.
        Access: Deny
        Ports: use values for specific ports

    Specific Address Permission
        Clients permitted to connect to RealProxy.
        Client IP address: specific client addresses.
        Access: Allow
        Ports: use values for specific ports

All other addresses
    Suggested rule numbers: 50 - 99

    Specific Address Denial
        Clients permitted to use your RealProxy.
        Client IP address: Any
        Access: Allow
        Ports: use values for content ports

    Specific Address Permission
        Clients prevented from using RealProxy.
        Client IP address: Any
        Access: Deny
        Ports: use values for specific ports
        This set of rules is optional.

Access to RealSystem Administrator
    Suggested rule number: 100

    Specific Address Denial
        All clients not listed in either of the rules above.
        Client IP address: Any
        Access: Allow
        Ports: use value for Admin Port

    Specific Address Permission
        All clients not listed in either of the rules above.
        Client IP address: Any
        Access: Allow
        Ports: use value for Admin Port
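
The first-match evaluation described above, applied to the "Specific Address Permission" scheme, as an added example (a Python model, not RealProxy code). The client addresses and the Admin Port value are constructed, the Server IP Address field is treated as Any, built-in rules 0 and 1 are left out, and a request that matches no rule returns None because this chapter does not state the outcome for that case.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int
    access: str        # "allow" or "deny"
    client: str        # "any" or an IPv4 address
    netmask: str       # "" = single address; ignored when client is "any"
    ports: frozenset   # ports the rule applies to

    def matches(self, client_ip, port):
        if port not in self.ports:
            return False
        if self.client.lower() == "any":
            return True
        mask = self.netmask or "255.255.255.255"
        net = ipaddress.ip_network(f"{self.client}/{mask}", strict=False)
        return ipaddress.ip_address(client_ip) in net

def decide(rules, client_ip, port):
    """First match in ascending rule-number order: (number, access) or None."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(client_ip, port):
            return rule.number, rule.access
    return None

ADMIN_PORT = 9090                   # constructed; the real value is set at installation
CONTENT = frozenset({1090, 554})    # PNA Proxy Port and RTSP Proxy Port defaults

# Constructed rule set, deliberately entered out of order.
PERMISSION_SCHEME = [
    Rule(100, "allow", "any", "", frozenset({ADMIN_PORT})),
    Rule(50, "deny", "any", "", CONTENT),
    Rule(2, "allow", "192.0.2.0", "255.255.255.0", CONTENT),
]

# Same rules, but the specific allow is numbered above the catch-all deny.
MISNUMBERED = [
    Rule(50, "deny", "any", "", CONTENT),
    Rule(60, "allow", "192.0.2.0", "255.255.255.0", CONTENT),
]

if __name__ == "__main__":
    for ip, port in [("192.0.2.17", 554), ("198.51.100.9", 554), ("198.51.100.9", ADMIN_PORT)]:
        print(ip, port, decide(PERMISSION_SCHEME, ip, port))
    print("misnumbered:", decide(MISNUMBERED, "192.0.2.17", 554))
```

In MISNUMBERED the permitted client is denied because rule 50 matches before rule 60 is reached. With rule 100 removed from PERMISSION_SCHEME, a request to the Admin Port matches no rule, which is the situation the warning under "Creating General Access Rules" covers.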

Setting Up IP Access Control

There are two steps to setting up access control rules, regardless of which method you chose in "Creating Rules":

  1. Set up general rules which allow you to remain connected to RealSystem Administrator. You need only perform this set of steps once.

  2. Create rules for specific IP addresses and port numbers.

Creating General Access Rules

The steps in this section create a rule that allows you to connect to RealSystem Administrator, regardless of the restrictions you create in other rules. Although it appears that you are allowing everyone to access RealSystem Administrator, the only people who will use it are other administrators who know the Admin Port number (chosen randomly at installation) and who have a user name and password specifically for RealSystem Administrator.

Warning
If you omit this initial step, you will not be able to connect to RealSystem Administrator when you restart RealProxy, regardless of whether you have user name and password permission.

To allow access to RealSystem Administrator:

  1. In RealSystem Administrator, click General Setup. Click Ports.

    Make a note of the Admin Port number. (This is the same number as the port number shown in your browser URL.)

  2. In RealSystem Administrator, click Security. Click Access Control.

  3. In the Access Rules area, click Add New.

    A generic access rule number appears in the Edit Rule Number box.

  4. In the Edit Rule Number box, type 100.

  5. Click Edit.

  6. From the Access list, select Allow.

  7. In the Client IP Address box, type any.

  8. In the Server IP Address box, type any.

  9. In the Ports box, type the Admin Port number you noted in Step 1.

  10. Click OK.

  11. Click Apply.

You will now be able to access RealSystem Administrator, no matter what rules you create in the next section.

Creating Specific Access Rules

Use the steps in this section to allow or deny access to specific IP addresses or address ranges.

Warning
Be sure to first follow the steps in "Creating General Access Rules", or you will not be able to access RealSystem Administrator after you restart RealProxy.

To limit access according to IP number:

  1. Determine the port numbers in use. You'll use these in Step 10. Click General Setup>Ports.

    Make a note of the values for PNA Proxy Port (usually 1090) and RTSP Proxy Port (usually 554).

  2. In RealSystem Administrator, click Security. Click Access Control.

  3. In the Access Rules area, click Add New.

    A generic rule number appears in the Edit Rule Number box.

  4. In the Edit Rule Number box, type a number for the new access rule.

  5. Click Edit.

  6. Indicate whether permission is being granted or refused by selecting Allow or Deny from the Access list.

  7. In the Client IP Address box, type the IP address of the client machine.

    Tip
    To refer to any IP address, type Any in the Client IP Address box, and leave the Client Netmask box blank.

  8. Type a value in the Client Netmask box if you want to indicate a range of client addresses.

  9. In the Server IP Address box, type the IP address of the client machine or network card.

    You can type a specific address, or use the word Any to refer to any IP address on the RealProxy machine.

    If you type a specific IP address or host name, rather than the word Any, you must also add that address to the IP Binding list. See "Reserving IP Addresses for RealProxy's Use" for more information.

  10. Finally, list the RealProxy port numbers to which you want to restrict access. In the Ports box, type the port numbers you noted in Step 1, separated by commas. For example, type 1090, 554.

  11. Click Apply.


Copyright © 2000 RealNetworks
This file last updated on 12/07/00 at 16:37:37.