Re: NetReg: Need check_input to deny domain vs. allow domain


From: Robert Lowe (robert.h.lowe@lawrence.edu)
Date: Thu Jun 12 2003 - 16:14:38 CDT


Joe Polchlopek wrote:

Joe,

> Thanks for the help. We have two Netreg pages, the standard one and a
> manual registration page. We were trying to prevent a couple of network
> segments from using the manual registration page. We decided to do it
> using .htaccess and "deny from" statements.

Sounds alright. It seems like it would be easier to say from where you
want to allow that access, rather than from where you want to deny it, but
you know best! Where you want to allow access from generally remains
constant, whereas where you might want to deny from can change all the time.
Either way, I think the CIDR kit will prove helpful, since it will help you
match IP addresses with subnets regardless of subnet boundary. You might
use something like:

# Subnets, in CIDR notation, that may not use the manual registration page
@DENY_SUBNETS = ("192.168.1.0/24", "192.168.2.0/24");

sub check_input {
    my $subnet;
    my $found = 0;

    # ip_in_subnet() comes from the CIDR kit in the contrib section
    foreach $subnet (@DENY_SUBNETS) {
        if (ip_in_subnet($IP, $subnet)) {
            $found = 1;
            last;
        }
    }

    if ($found) {
        error("Permission Denied<P>You are not allowed to use this page.<br>$IP<br>");
    }

    if ((!$FORM{'user'}) || (!$FORM{'pass'})) {
        error("Invalid Login");
    }
}

I have to admit, it still seems backwards to me. I think a generic flag
to allow manual registration from a subnet would be more useful.

-Robert

> On Thu, 12 Jun 2003, Robert Lowe wrote:
>
>
>>Joe,
>>
>>Well, your code isn't quite right. Your 'if' clause matches on
>>'192' and denies based on that alone.
>>
>>I recommend that you get the CIDR kit in the contrib section, and
>>use the ip_in_subnet() routine -- it takes an IP address and a
>>subnet expressed in CIDR notation as parameters. Put your 'deny'
>>subnets in an array and walk through them.
>>
>>I don't understand what you're trying to do, i.e. what problem you're
>>trying to solve.
>>
>>-Robert
>>
>>Joe Polchlopek wrote:
>>
>>>Thanks to Peter and everyone working to make NetReg a great product.
>>>
>>>We're running NetReg 1.3rc2. We would like to do opposite of what the
>>>check_input subroutine is intended to do. We want to allow access to all
>>>but a select few networks. To do this we would like to add a variable
>>>"DENY_DOMAIN" in variables.pl and add a few domains to deny access from.
>>>We tried to re-write the routine like this:
>>>
>>> sub check_input {
>>> @IP = split /\./,$IP;
>>> @DENY_DOMAIN = split /\.|\*/,$DENY_DOMAIN;
>>> while (@DENY_DOMAIN) {
>>> if (shift(@DENY_DOMAIN) eq shift(@IP)) {
>>> error("Permission Denied<P>You are not in my allowable domain"); }
>>> }
>>> if ((!$FORM{'user'}) || (!$FORM{'pass'})) {
>>> error("Invalid Login");
>>> }
>>> }
>>>
>>>Where $IP=192.168.3.1 (a subnet which should be allowed).
>>>
>>>We added this to variables.pl:
>>>
>>> $DENY_DOMAIN = "192.168.1.*";
>>>
>>>But, it's not working. No matter which subnet we put in DENY_DOMAIN we are
>>>denied by the NetReg server.
>>>
>>>Also, we'd like to add multiple networks, like "192.168.20.*",
>>>"192.168.21.*", etc. What's the correct syntax for putting more than one
>>>subnet in the variable? Thanks in advance.
>>>
>>>
>>>**********************************************************************
>>>To unsubscribe from this list, send an e-mail message to
>>>majordomo@southwestern.edu containing a single line with the words:
>>>unsubscribe netreg
>>>Send requests for assistance to: owner-netreg@southwestern.edu
>>>**********************************************************************
>>
>>
>>
>>
>
>
> -- Joe Polchlopek ----------------------------- joe@netcom.duke.edu --
> / System Administrator phone (919) 668-6493 \
> \ http://www.netcom.duke.edu/~joe/ fax (919) 684-8507 /
> -- Duke University --- Room 117C Tel-Com Building, Durham, NC 27708 --




This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:39 CDT
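
Added example (not part of the original thread, and not NetReg or CIDR kit code): the octet-walk comparison from the question next to a mask-based CIDR test used as an allow list, which is the direction suggested in the reply. The helpers octet_walk_denies, quad_to_int, addr_in_cidr (a hypothetical stand-in for ip_in_subnet) and manual_reg_allowed, the @ALLOW_MANUAL list and all addresses are constructed for illustration.

```perl
use strict;
use warnings;

# Loop from the original question, reduced to its decision:
# the first equal octet pair is enough to deny.
sub octet_walk_denies {
    my ($ip, $pattern) = @_;
    my @ip  = split /\./, $ip;
    my @pat = split /\.|\*/, $pattern;
    while (@pat) {
        return 1 if shift(@pat) eq shift(@ip);
    }
    return 0;
}

# Dotted quad -> 32-bit integer; returns undef on malformed input.
sub quad_to_int {
    my ($quad) = @_;
    return unless defined $quad
        && $quad =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    my @o = ($1, $2, $3, $4);
    return if grep { $_ > 255 } @o;
    return $o[0] << 24 | $o[1] << 16 | $o[2] << 8 | $o[3];
}

# Hypothetical stand-in for the CIDR kit's ip_in_subnet(); not its real code.
sub addr_in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr, 2;
    return 0 unless defined $bits && $bits =~ /^\d{1,2}$/ && $bits <= 32;
    my $ip_n  = quad_to_int($ip);
    my $net_n = quad_to_int($net);
    return 0 unless defined $ip_n && defined $net_n;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return 1 if ($ip_n & $mask) == ($net_n & $mask);
    return 0;
}

# Allow-list policy: unlisted or unparsable clients are refused (fail closed).
my @ALLOW_MANUAL = ('192.168.3.0/24', '10.20.0.0/22');   # constructed values
sub manual_reg_allowed {
    my ($ip) = @_;
    my $hits = grep { addr_in_cidr($ip, $_) } @ALLOW_MANUAL;
    return $hits ? 1 : 0;
}

# Constructed client addresses, the last one malformed.
for my $ip (qw(192.168.3.1 192.168.1.77 10.20.3.9 10.20.4.1 192.168.3.999)) {
    printf "%-14s octet-walk denies: %d  allow-list permits: %d\n",
        $ip, octet_walk_denies($ip, '192.168.1.*'), manual_reg_allowed($ip);
}
```

The /22 entry covers 10.20.0.0 through 10.20.3.255, a range that a per-octet wildcard such as "10.20.*" cannot express without also admitting 10.20.4.1.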