Controlling access by domain name, Controlling access by network or netmask – Oracle B12255-01 User Manual

Page 137


Authentication and Authorization Enforcement

Managing Security

8-7

Controlling Access by Domain Name

Domain name-based access control can be used with IP address-based access control to solve the problem of IP addresses changing without warning. When you combine these methods, if an IP address changes, then the secure areas of your site are still protected because the domain names you want to keep out will still be denied access.

To combine domain name-based with IP address-based access control, use the syntax shown in Example 8–4:

Example 8–4 Controlling Access by Domain Name

<Directory /co_backgr/>
    order allow,deny
    allow from all
    # 141.217.24.* is the IP range for malicious.cracker.com.
    # A subnet is written as a partial IP address (141.217.24), without a trailing ".*".
    deny from malicious.cracker.com 141.217.24
</Directory>

In Example 8–4, all requests for directory /co_backgr/ are accepted except those that originate from the domain name malicious.cracker.com or the IP address range 141.217.24.*. Although this is not a foolproof precaution against domain name or IP address spoofing, it protects your site from malicious.cracker.com even if they change their IP address.

Controlling Access by Network or Netmask

You can control access based on subsets of networks, specified by IP address. The syntax is shown in Example 8–5:

Example 8–5 Controlling Access by Network or Netmask

<Directory /payroll/>
    order deny,allow
    deny from all
    allow from 10.1.0.0/255.255.0.0
</Directory>

In Example 8–5, access is allowed from a network/netmask pair. A netmask shows how an IP address is to be divided into network, subnet, and host identifiers. Netmasks enable you to refer to only the host ID portion of an IP address.

The netmask in Example 8–5, 255.255.0.0, is the default netmask setting for a Class B address. The binary ones (decimal 255) mask the network ID and the binary zeroes (decimal 0) retain the host ID of a given IP address.
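The following added example (not part of the Oracle manual) models how the rule sets in Example 8–4 and Example 8–5 decide a request, so you can check a rule set against sample clients before deploying it. The function names and the sample clients are assumptions made for illustration, the IP range is written in partial-IP form, and the host name argument stands in for the result of a reverse DNS lookup.

```python
import ipaddress

def matches(spec, ip, host=None):
    """Does one 'from' value match the client? host is the reverse-resolved name, if any."""
    if spec == "all":
        return True
    if "/" in spec:  # network/netmask pair, e.g. 10.1.0.0/255.255.0.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    if spec.replace(".", "").isdigit():  # full or partial IP: compare whole octets
        octets = spec.rstrip(".").split(".")
        return ip.split(".")[:len(octets)] == octets
    if host is None:  # a name rule cannot match a client with no resolved name
        return False
    host, spec = host.lower(), spec.lower().lstrip(".")
    return host == spec or host.endswith("." + spec)

def allowed(order, allow, deny, ip, host=None):
    """Evaluate order/allow/deny for one client (hypothetical helper)."""
    a = any(matches(s, ip, host) for s in allow)
    d = any(matches(s, ip, host) for s in deny)
    if order == "allow,deny":  # default deny; a deny match overrides allow
        return a and not d
    if order == "deny,allow":  # default allow; an allow match overrides deny
        return a or not d
    raise ValueError("unsupported order: " + order)

# The two rule sets from the page; 141.217.24 is the partial-IP spelling of the range.
EX_8_4 = ("allow,deny", ["all"], ["malicious.cracker.com", "141.217.24"])
EX_8_5 = ("deny,allow", ["10.1.0.0/255.255.0.0"], ["all"])

if __name__ == "__main__":
    # Constructed sample clients: (ip, reverse-resolved host name or None)
    clients = [("141.217.24.9", None), ("141.217.240.1", None),
               ("203.0.113.8", "dialup.malicious.cracker.com"),
               ("203.0.113.8", None), ("10.1.200.7", None), ("10.2.0.1", None)]
    for ip, host in clients:
        print(ip, host, "8-4:", allowed(*EX_8_4, ip, host),
              "8-5:", allowed(*EX_8_5, ip, host))
```

In this model the client at 203.0.113.8 is denied by Example 8–4 only when its address resolves back to the denied domain, which is why the page pairs the name rule with the address range.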
