I understand what I should use for a.b.c.d, but not sure what to use for x.y.z.0/24.
The AllowHosts property contains a comma-separated list of hosts and/or networks that are allowed access to the specified service. In that example command, a.b.c.d is an example of how to specify a single IP address, while x.y.z.0/24 is an example of how to specify an entire network (any IP address beginning with x.y.z.). To limit connections to smtpd to the spamhero servers as strictly as possible, you won't specify a network; you'd just identify their 7-8 IP addresses separated by commas. The command will be
config setprop smtpd AllowHosts 108.60.195.218,108.60.195.213,108.60.195.222,208.53.48.218,208.53.48.191,208.53.48.71,208.53.48.64Now, if you wanted to shorten that command and get kind of fancy, and didn't mind that you hadn't set the configuration 100% as secure as possible, you could specify a netmask for the 108. IP addresses. To explain that requires some background, though.
IPv4 addresses are 32-bit binary numbers. We usually see them denoted with four, eight-bit values ("octets"), converted to decimal, and separated by periods: [0-255].[0-255].[0-255].[0-255], but internally they are binary numbers. An address with a network mask identifies a range of addresses as belonging to the same network; the network mask identifies how many bits of the address remain the same. The old-fashioned way to do that was something like 192.168.1.0/255.255.255.0. The first address is the network address--everything on 192.168.1.whatever; the second has the first 24 bits set, so it denotes that those first three numbers will remain constant. The more modern way to denote this would be 192.168.1.0/24. Rather than you needing to figure out that 255.255.255.0 had the first 24 bits set, this just gives you the number of bits. It's shorter and a bit clearer.
So, you could set AllowHosts to 108.60.195.0/24,208.53.48.0/24. This would probably work pretty well, and it would block most other hosts from connecting, but it's still pretty broad. You could narrow down the 108. network quite a bit by noticing that the last octet (number) in those three IP addresses is pretty similar. If you convert each of them (213, 218, 222) to binary, you'd notice that the first four digits of each of them were the same (1101), but the last four digits differed. To convert this to a network address, then, you'd first convert 11010000 to decimal (208), and then determine how many bits to specify. You know that the first three octets are the same, so that's 24 bits, and four more bits of the last octet are also the same, so that's a total of 28 bits. The network address would thus be 108.60.195.208/28. Using that value for AllowHosts would allow 16 different IP addresses to connect; using 108.60.195.0/24 would allow 255.
6 Replies
2770 Views