Re: [Quickfix-developers] Restricting acceptor to specific IP address(es)

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

MessageCan't you run your own firewall process on the machine running =
the FIX engine?

--oren
  ----- Original Message -----=20
  From: Ajay Kamdar=20
  To: Zoran Cetusic=20
  Cc: qui...@li...=20
  Sent: Wednesday, May 17, 2006 12:12 PM
  Subject: RE: [Quickfix-developers] Restricting acceptor to specific IP =
address(es)

  The requirement typically is to restrict all IP addresses by default, =
and even an allowed IP address (range) would be limited to connect to =
only a specific FIX session. Since a firewall wouldn't know anything =
about FIX session configuration it can't really do the job. =
Additionally, in production environments that have tens or hundreds of =
client connections, modifying the firewall configuration every time a =
new client is brought onboard would be impractical. Except in small =
shops, Network/firewall management and FIX infrastructure support are =
typically handled by different teams, with network/firewall changes =
often requiring a chain of approvals and having to fit into specific =
change management windows (think change management and SOX) .=20

  Hence while using the firewall to restrict specific FIX sessions to =
specific IP addresses might work for a small FIX infrastructure, I am =
afraid it is not a very viable solution for a large scale robust FIX =
infrastructure. This is something that is best done within the FIX =
engine or by an API hook that allow an application to apply the IP =
address check.

  - Ajay
    -----Original Message-----
    From: Zoran Cetusic [mailto:zo...@av...]=20
    Sent: Wednesday, May 17, 2006 12:16 PM
    To: Ajay Kamdar
    Cc: qui...@li...
    Subject: Re: [Quickfix-developers] Restricting acceptor to specific =
IP address(es)

    I would think in a production environment you would be behind a =
firewall that would have the ability to block NAT to your QuickFIX =
server from specific IP addresses.=20

    Ajay Kamdar wrote:=20
      How can QuickFIX be made to accept connection attempts only from =
specific IP addresses and IP address range? The allowed IP addresses and =
IP address range could be different for each Session defined in the =
config file.

      Restricting the incoming FIX sessions to specific IPs would I =
suppose be a common requirement for production configurations. Am I =
missing some obvious configuration parameters to make this happen? Or do =
the core QuickFIX acceptor classes have to be modified for this to =
happen?

      Thanks,

      - Ajay

      =
________________________________________________________________________

      The information in this email is confidential and may be legally =
privileged.
      It is intended solely for the addressee. Access to this email by =
anyone else
      is unauthorized. If you are not the intended recipient, any =
disclosure, copying,
      distribution or any action taken or omitted to be taken in =
reliance on it, is
      prohibited and may be unlawful.

      TradeWeb reserves the right to monitor and review the content of =
all messages sent
      to or from this e-mail address. Messages sent to or from this =
e-mail address may
      be stored on the TradeWeb e-mail system.

    --=20
    Zoran Cetusic | President & CEO

    phone +1.858.218.4496 | fax +1.858.675.4504
    email: zo...@av... | web www.avalonsoft.com