Securing port 443 along with PayPal IPNs

Hi,
For security reasons I need to forbid access to port 443 on my Gateway Router.
Only a specified list of addresses will be able to use that port.

But in order to allow PayPal IPN messages, I have to add to the list the IP addresses of the PayPal servers that are used for sending IPN messages.

I noticed that the server currently sending messages is the one with IP address 173.0.81.1.

Question 1: Does anyone know if this is a permanent IP? Is it possible that it changes after some time?
Question 2: Any other idea on securing port 443 without blocking PayPal's feedback (IPNs)?

PS, FYI: I noticed that PayPal is sending the secure IPNs only on port 443, no matter what port you define in the relevant field in the IPN setup.

Most probably the client app will do a DNS request first. You can have a script that periodically checks if that FQDN has changed, then set that IP in an address list; then it is a matter of using that list in the firewall filter rule.

Are you aware that shutting down dst port 443 will result in no Google? Also, that IP could host several services, not only PayPal IPN, though it's not likely.

pukkita, thanks for your answer.

I just want to block incoming requests on TCP ports 443 and 80, so I drop all incoming packets with a source IP that does not belong to my "safe" list.
After I did that I have no problem with google (why should I?).

What I actually want to achieve is to forbid access to the WebFig app. This app replies on ports 443 and 80.

Do you have any other suggestions on how to do that?

My solution forbids everyone but the "safe" incoming IP list, so I have to know which PayPal server replies with IPNs in order to add it to the "safe" list.

I don't know if there is a specific PayPal domain name for that job, in order to resolve the IP and let it pass.
This is exactly what I'm asking...

Ah! You can either disable those services if you're using WinBox, or create a list of allowed IPs, then set up a firewall filter on the input chain (if user-manager is running on the firewall) to drop all connections to 443 and 80 for IPs not on the list.

Regarding IPN, see Paypal IP Addresses.

Change the port that webfig listens on.

Change www-ssl to a non-standard port in /ip services.
Then filter that port in the firewall with whatever list of approved sources you like, and it's independent of the IPNs.

Or you can simply add ranges of acceptable IPs to the /ip service “available from” list instead of using the firewall to limit access. (I think I am going to officially recommend this solution given your situation)
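The two options from the last reply, written out as RouterOS CLI, as an added example that is not part of the thread. The input chain governs traffic addressed to the router itself (WebFig), which is what makes the restriction independent of IPN traffic destined for a web server behind it; the addresses, port numbers and list name are placeholders to be replaced with your own approved sources.

```routeros
# Added example, not from the thread. 203.0.113.10 and 198.51.100.0/24 are
# placeholder admin sources; 8443 is a placeholder non-standard port.

# Option A: move WebFig off 443 and let the service itself restrict sources
# ("Available From" in WinBox is the address= parameter on /ip service).
/ip service
set www-ssl port=8443 address=203.0.113.10/32,198.51.100.0/24
set www disabled=yes

# Option B: keep the ports, but only accept input traffic to them from an
# address list of approved hosts and drop everything else. PayPal never
# needs to reach the router's own management ports, so it is not listed.
/ip firewall address-list
add list=webfig-allowed address=203.0.113.10 comment="admin workstation (placeholder)"
add list=webfig-allowed address=198.51.100.0/24 comment="office range (placeholder)"

/ip firewall filter
add chain=input protocol=tcp dst-port=80,443 src-address-list=webfig-allowed \
    action=accept comment="WebFig from approved sources"
add chain=input protocol=tcp dst-port=80,443 action=drop \
    comment="WebFig from everyone else"
```

Place the accept rule above the drop rule; RouterOS evaluates filter rules in order, so a drop listed first would also catch the approved sources.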