Using proxy for access control

The challenge was to limit the commands one customer can use on a hylafax server. It should only be possible to use a printer driver, but not another client which will give access to queues, states etc.pp.

So the idea was to limit the commands based on a kind of ftp reverse proxy, since hylafax uses a kind of ftp protocol. It should be possible with ftp-proxy, but threrefore one need to implement new commands.

I implemented a solution with a F5 BigIP and with irules. The interesting part, is that a typical printer driver will use only a subset of commands and so I can whitelist this via irules. The relevant part off the irules is:

if {!($client_data contains "USER" or $client_data contains "PASS" or $client_data contains "TYPE"  or $client_data contains "MODE"  or $client_data contains "PASV"  or $client_data contains "STOT" or  $client_data contains "JNEW" or  $client_data contains "JPARM" or  $client_data contains "JSUBM")} { TCP::respond "550 command not allowed\r\n"; reject }