RE: [Quickfix-developers] Restricting acceptor to specific IP address(es)
From: Ajay K. <Aja...@tr...> - 2006-05-17 19:58:06
Ok, removal of the single port restriction should make the firewall solution more palatable in many situations where the number of FIX sessions is not high and FIX session configuration is mostly static. However IMHO that is still a less than desirable solution for organizations (like mine) which have 100+ external FIX sessions, session configurations change often (especially in customer staging/test), and the FIX session configuration and onboarding is primarily handled by a non-technical client services team.

In general do you agree that having the engine itself support IP address matching before establishing the FIX session is a much cleaner and more elegant solution than to have to work around with a separate firewall?

If we are in agreement in principle that this would be a good thing to add to QuickFIX, then I can work on submitting a patch suitable for wider consumption. Otherwise I can simply hack something up much more quickly that is specific for my environment.

- Ajay

-----Original Message-----
From: Oren Miller [mailto:or...@qu...]
Sent: Wednesday, May 17, 2006 3:39 PM
To: Ajay Kamdar
Cc: Caleb Epstein; qui...@li...
Subject: Re: [Quickfix-developers] Restricting acceptor to specific IP address(es)

The single port restriction is no longer true with the latest CVS source. You can now assign the acceptor port on a per session basis.

--oren

On May 17, 2006, at 2:22 PM, Ajay Kamdar wrote:

> QuickFIX Documentation: http://www.quickfixengine.org/quickfix/doc/html/index.html
> QuickFIX Support: http://www.quickfixengine.org/services.html
>
> A) The last time I checked, QuickFIX allowed only one Acceptor port for
> all the Sessions configured to run within one QuickFIX instance.
> B) Say I have sessions S1 through S10 defined within the config file
> with ConnectionType=acceptor. All counterparties will have to connect
> to the single acceptor port in (A).
> C) The allowed IP addresses for S1-S10 are respectively IP1 through IP10
> (i.e. IP1 can log on only to S1 but not to S2-S9, IP2 only to S2 but not
> to S1,S3-S9, etc.)
>
> Given the above scenario, I am afraid I don't get how the local firewall
> process would know enough to accept a socket connection from IP1 only if
> the FIX session that would get established (as determined by the SessionID
> composed of BeginString,SenderCompID,TargetCompID) is S1 but not accept
> the connection if IP1 is erroneously trying to establish sessions S2-S9.
> For that match to be made correctly, the FIX engine actually has to also
> match the IP address of the socket peer with the allowed IP addresses
> for the Session before considering the FIX Session to have been
> successfully established.
>
> - Ajay
>
> -----Original Message-----
> From: Caleb Epstein [mailto:cal...@gm...]
> Sent: Wednesday, May 17, 2006 2:48 PM
> To: Ajay Kamdar
> Cc: Oren Miller; Zoran Cetusic; qui...@li...
> Subject: Re: [Quickfix-developers] Restricting acceptor to specific IP
> address(es)
>
> On 5/17/06, Ajay Kamdar <Aja...@tr...> wrote:
>
>> - The local firewall process would need to understand the concept
>> of FIX sessions
>
> Why? Just restrict access to the port(s) your Acceptor is running on to
> the IPs you want to allow.
>
> --
> Caleb Epstein
> caleb dot epstein at gmail dot com
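
The per-session peer address check discussed in this thread, as an added illustration (not code from the thread or from QuickFIX): the acceptor derives the session key from the incoming Logon and admits it only if the socket peer's address is listed for that session. All function names, CompIDs, addresses and the sample message are constructed for the example, and addresses are compared as exact strings.

```cpp
// Added illustration; all names here are hypothetical, not QuickFIX APIs.
#include <map>
#include <set>
#include <string>
#include <tuple>

// Acceptor-side session key: (BeginString, SenderCompID, TargetCompID).
using SessionKey = std::tuple<std::string, std::string, std::string>;
using AllowList = std::map<SessionKey, std::set<std::string>>;

// Return the value of `tag` in a SOH-delimited FIX message, or "" if absent.
std::string fixField(const std::string& msg, const std::string& tag) {
    const std::string needle = tag + "=";
    std::size_t pos = 0;
    while (pos < msg.size()) {
        std::size_t end = msg.find('\x01', pos);
        if (end == std::string::npos) end = msg.size();
        if (msg.compare(pos, needle.size(), needle) == 0)
            return msg.substr(pos + needle.size(), end - pos - needle.size());
        pos = end + 1;
    }
    return "";
}

// Decide whether a Logon arriving from peerIp may establish its session.
// The counterparty's SenderCompID (49) is our TargetCompID and vice versa.
bool logonAllowed(const AllowList& allowed, const std::string& logon,
                  const std::string& peerIp) {
    if (fixField(logon, "35") != "A") return false;   // not a Logon
    SessionKey key{fixField(logon, "8"), fixField(logon, "56"),
                   fixField(logon, "49")};
    auto it = allowed.find(key);
    if (it == allowed.end()) return false;            // unknown session
    return it->second.count(peerIp) > 0;              // default deny
}

// Constructed sample data: two sessions, one documentation-range IP each.
const AllowList kAllowed = {
    {SessionKey{"FIX.4.2", "BROKER", "CLIENT1"}, {"192.0.2.1"}},
    {SessionKey{"FIX.4.2", "BROKER", "CLIENT2"}, {"192.0.2.2"}},
};
// Constructed Logon from CLIENT1 (body length and checksum are not validated).
const std::string kLogonS1 =
    "8=FIX.4.2\x01" "9=65\x01" "35=A\x01" "49=CLIENT1\x01" "56=BROKER\x01"
    "34=1\x01" "98=0\x01" "108=30\x01" "10=000\x01";
```

A port-level firewall rule would admit both sample addresses to a shared acceptor port; only a check made after the Logon is parsed can tie each address to its own session.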