Weblogic Connection filters are a kind of firewall with in the Weblogic to secure the Application/Admin if there are no firewall between the server’s .
Servers are usually protected by firewalls. The big benefit of firewalls is that they can reject unwanted connections based on rules. Rules can be based on source IP/DNS/port, target DNS/IP/port, protocol, or even more. It is highly recommended to use these firewall features – especially for administrative communication – wherever possible. There are also many systems where there is no firewall between the user and the server (intranet). Some resources (e.g. administrative communication, services with sensible or confidential data) must be also protected in those networks.
In case no firewalls are available, WebLogic offers a concept called “connection filter”. Connection filters provide network layer access control and allow the server(s) to block unwanted communication based on different criteria.
The default implementation provided by WebLogic offers a number of parameters for each rule. Each rule must contain an action (allow/deny), the localAddress/localPort of the server endpoint, and the client ip/dns/or even domain parts like *.mydomain.com(slower)
Fast rules (most common) are concrete rules which are easy to evaluate. DNS resolutions are cached. Examples include:
host.test.com 127.0.0.1 7001 allow t3s https
192.168.100.0/255.255.254.0 127.0.0.1 7001 allow #23-bit netmask ; allows all protocols
192.168.110.20 127.0.0.1 7001 deny t3 http
Slow rules are incomplete rules and therefore are slower to evaluate. These rules should be avoided if possible. Examples include:
*.test.com 127.0.0.1 7001 allow t3s https
Special rule: For improved security, it is possible to specify a special last rule which blocks all remaining connection requests that do not match any of the previous rules. The default implementation interprets a target address of 0 (0.0.0.0/0) as: “this rule should apply to all IP addresses.”
0.0.0.0/0 * * deny
For adding a Connection Filter to a weblogic domain, Domain Name ->Security -> Filter. Connection Filter: weblogic.security.net.ConnectionFilterImpl
Connection Filter Rules:
IP address * * allow# Apache
IP address * * allow#
Example
173.22.4.54 * * allow#Apache
0.0.0.0/0 * * deny#Deny all
0.0.0.0/0 * 7001 deny
When We check in the config.xml file we can see,
<connection-filter-rule>173.22.3.54 * * allow# Apache</connection-filter-rule>
<connection-filter-rule>0.0.0.0/0 * * deny#Deny All</connection-filter-rule>
<connection-filter-rule>0.0.0.0/0 * 7001 deny</connection-filter-rule>
The First line says to allow access to every thing for the IP address 173.22.3.54.The last line will deny all traffic (0.0.0.0/0) to all local addresses (*) on admin port (7001).The Rules in here are validated from top to bottom.
There are some syntax rules while configuring the filters
- Each rule must be written on a single line.
- Tokens in a rule are separated by white space.
- A pound sign (#) is the comment character. Everything after a pound sign on a line is ignored.
- Whitespace before or after a rule is ignored.
- Lines consisting only of whitespace or comments are skipped.
- Filters are activated to all servers in your domain, so remember you can lockout yourself (admin console) or even internal weblogic communication between managed servers and the admin server.
- Filters are stored in the config.xml file, so if you really locked yourself out -> Look there
The connection filter syntax is
targetAddress localAddress localPort action protocols
targetAddress specifies one or more systems to filter.
localAddress defines the host address of the WebLogic Server instance. (If you specify an asterisk (*), the match returns all local IP addresses.)
localPort defines the port on which the WebLogic Server instance is listening. (If you specify an asterisk (*), the match returns all available ports on the server).
action specifies the action to perform. This value must be allow or deny.
protocols is the list of protocol names to match. The following protocols may be specified: http, https, t3, t3s,ldap, ldaps, iiop, iiops, and com.
If no protocol is defined, all protocols will match a rule.
There are cases where you will see Notices like in the logs .
####<Nov 27, 2012 4:31:22 AM CST> <Notice> <Socket> <omhq19ea> < admin> <ExecuteThread: ‘5’ for queue: ‘weblogic.socket.Muxer’> <<WLS Kernel>> <> <> <1354012282145> <BEA-000445> <Connection rejected, filter blocked Socket[addr=x.x.x.x.x,port=62719,localport=29902], weblogic.security.net.FilterException: [Security:090220]rule 81>
####<Nov 27, 2012 4:49:25 AM CST> <Notice> <Socket> <omhq19eb> < admin> <ExecuteThread: ‘4’ for queue: ‘weblogic.socket.Muxer’> <<WLS Kernel>> <> <> <1354013365338> <BEA-000445> <Connection rejected, filter blocked Socket[addr=x.x.x.x,port=62941,localport=29802], weblogic.security.net.FilterException: [Security:090220]rule 107>
These connection rules can be applied for Any port in weblogic for example can apply to Managed Server https port which will block the access of Applications running on the port from the specified rules in the filters.