You can control the host or IP address from which connections are accepted or rejected at the TCP level by using TCP wrappers. TCP wrapping limits client-host access before a connection reaches the server, giving you non-host-based protection for initial TCP connections to a Directory Server.
Although you can set TCP wrapping for Directory Server, TCP wrapping can result in significant performance degradation, especially during a Denial of Service attack. The best performance is achieved by using a host-based firewall that is maintained outside Directory Server, or IP port filtering.
You cannot use DSCC to perform this task. Use the command line, as described in this procedure.
Create a hosts.allow file or a hosts.deny file somewhere within the instance path.
For example, create the file in instance-path/config. Ensure that the files you create are formatted as described in hosts_access(4).
Set the path to the access file.
$ dsconf set-server-prop -h host -p port host-access-dir-path:path-to-file
For example:
$ dsconf set-server-prop -h host -p port host-access-dir-path:/local/ds1/config
"host-access-dir-path" property has been set to "/local/ds1/config".
The "/local/ds1/config" directory on host1 must contain valid hosts.allow and/or hosts.deny files.
Directory Server must be restarted for changes to take effect.
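To see how the two files interact once the directory is set, here is an added Python sketch (not part of Directory Server or of this page) that applies the hosts_access evaluation order to constructed hosts.allow and hosts.deny content; it handles only the ALL, trailing-dot prefix, net/mask and exact-IPv4 client patterns, and the daemon name "ldap" is an assumption.

```python
import ipaddress
import re

# Constructed sample files (not from the page): hosts.deny closes everything,
# hosts.allow reopens only the loopback and the management subnet.
HOSTS_ALLOW = """\
# daemon_list : client_list
ALL : 127.0.0.1
ALL : 192.168.10.0/255.255.255.0
"""
HOSTS_DENY = "ALL : ALL\n"

def parse_rules(text):
    """Return (daemons, clients) pairs from hosts_access-style text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split(":")               # an optional third field (shell command) is ignored
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(tuple(re.split(r"[,\s]+", f.strip()) for f in fields[:2]))
    return rules

def client_matches(pattern, ip):
    """ALL, "192.168.10." (prefix), "net/mask" or "net/bits", or an exact IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip

def rules_match(rules, daemon, ip):
    return any(any(d in ("ALL", daemon) for d in daemons)
               and any(client_matches(c, ip) for c in clients)
               for daemons, clients in rules)

def host_access(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts_access order: an allow match wins, then a deny match rejects,
    and a client matching neither file is ACCEPTED (so hosts.deny sets the default)."""
    if rules_match(parse_rules(allow_text), daemon, ip):
        return True
    if rules_match(parse_rules(deny_text), daemon, ip):
        return False
    return True

if __name__ == "__main__":
    for ip in ("192.168.10.25", "10.0.0.5"):
        print(ip, "accepted" if host_access("ldap", ip) else "rejected")
```

The last rule is the one to check: without an `ALL : ALL` line in hosts.deny, a client that matches nothing in either file is accepted, so a hosts.allow file on its own does not restrict anything.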