RE: [Quickfix-developers] Restricting acceptor to specific IP address(es)
From: Ajay K. <Aja...@tr...> - 2006-05-17 17:13:04
The requirement typically is to restrict all IP addresses by default, and even an allowed IP address (range) would be limited to connect to only a specific FIX session. Since a firewall wouldn't know anything about FIX session configuration it can't really do the job. Additionally, in production environments that have tens or hundreds of client connections, modifying the firewall configuration every time a new client is brought onboard would be impractical. Except in small shops, Network/firewall management and FIX infrastructure support are typically handled by different teams, with network/firewall changes often requiring a chain of approvals and having to fit into specific change management windows (think change management and SOX).

Hence while using the firewall to restrict specific FIX sessions to specific IP addresses might work for a small FIX infrastructure, I am afraid it is not a very viable solution for a large-scale robust FIX infrastructure. This is something that is best done within the FIX engine or by an API hook that allows an application to apply the IP address check.

- Ajay

-----Original Message-----
From: Zoran Cetusic [mailto:zo...@av...]
Sent: Wednesday, May 17, 2006 12:16 PM
To: Ajay Kamdar
Cc: qui...@li...
Subject: Re: [Quickfix-developers] Restricting acceptor to specific IP address(es)

I would think in a production environment you would be behind a firewall that would have the ability to block NAT to your QuickFIX server from specific IP addresses.

Ajay Kamdar wrote:

> How can QuickFIX be made to accept connection attempts only from specific IP addresses and IP address range? The allowed IP addresses and IP address range could be different for each Session defined in the config file.
>
> Restricting the incoming FIX sessions to specific IPs would I suppose be a common requirement for production configurations. Am I missing some obvious configuration parameters to make this happen? Or do the core QuickFIX acceptor classes have to be modified for this to happen?
>
> Thanks,
>
> - Ajay

--
Zoran Cetusic | President & CEO
phone +1.858.218.4496 | fax +1.858.675.4504
email: zo...@av... | web www.avalonsoft.com <http://www.avalonsoft.com/>
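
The check described in the reply above (deny by default, and tie each allowed address range to one FIX session) can be sketched as follows. This is an added example, not part of the original thread and not QuickFIX code: `SessionAllowlist`, `parseCidr` and the session names are hypothetical, and it assumes the acceptor can hand the application the peer's IPv4 address together with the session identity claimed at logon.

```cpp
#include <arpa/inet.h>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

struct Cidr { uint32_t net, mask; };  // host byte order
// Parse "a.b.c.d" or "a.b.c.d/len"; returns false on malformed input.
bool parseCidr(const std::string& text, Cidr& out) {
    std::string addr = text;
    int len = 32;
    const auto slash = text.find('/');
    if (slash != std::string::npos) {
        addr = text.substr(0, slash);
        const std::string bits = text.substr(slash + 1);
        if (bits.empty() || bits.find_first_not_of("0123456789") != std::string::npos) return false;
        if (bits.size() > 2 || (len = std::stoi(bits)) > 32) return false;
    }
    in_addr ip;
    if (inet_pton(AF_INET, addr.c_str(), &ip) != 1) return false;
    out.mask = (len == 0) ? 0u : (0xFFFFFFFFu << (32 - len));
    out.net = ntohl(ip.s_addr) & out.mask;
    return true;
}

struct SessionAllowlist {
    std::map<std::string, std::vector<Cidr>> rules;  // session id -> permitted ranges
    // Register a range for one session; a malformed range is rejected.
    bool allow(const std::string& session, const std::string& range) {
        Cidr c;
        if (!parseCidr(range, c)) return false;
        rules[session].push_back(c);
        return true;
    }
    // Default deny: unknown session, unparsable peer address, or no matching range.
    bool permits(const std::string& session, const std::string& peerIp) const {
        Cidr peer;
        const auto it = rules.find(session);
        if (it == rules.end() || peerIp.find('/') != std::string::npos) return false;
        if (!parseCidr(peerIp, peer)) return false;
        for (const Cidr& c : it->second) if ((peer.net & c.mask) == c.net) return true;
        return false;
    }
};

int main() {  // constructed sample: session names and RFC 5737 documentation addresses
    SessionAllowlist acl;
    acl.allow("CLIENT_A", "203.0.113.0/28");
    return (acl.permits("CLIENT_A", "203.0.113.5") && !acl.permits("CLIENT_B", "203.0.113.5")) ? 0 : 1;
}
```

Because the lookup is keyed by session first, an address that is valid for one counterparty is still refused when it tries to log on as another, which is the part a network firewall cannot express.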