andreas140265
Frequent Visitor
Topic Author
Posts: 52
Joined: Tue Jan 15, 2013 4:57 pm
Location: Greece

Securing port 443 along with PayPal IPNs

Tue May 12, 2015 12:00 pm

Hi,
For security reasons I need to forbid access to port 443 on my Gateway Router.
Only a specified list of addresses will be able to use that port.

But in order to allow PayPal IPN messages, I have to add to the list PayPal's IP addresses
of the servers that are used for sending IPN messages.

I noticed that the server currently sending messages is the one with IP address 173.0.81.1

Question 1: Does anyone know if this is a permanent IP? Is it possible for it to change after some time?
Question 2: Any other idea on securing port 443 without blocking PayPal's feedback (IPNs)?

PS FYI: I noticed that PayPal is sending the secure IPNs only on port 443, no matter what port you define in the
relevant field in IPN setup.
 
pukkita
Trainer
Posts: 3037
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Securing port 443 along with PayPal IPNs

Tue May 12, 2015 12:06 pm

Most probably the client app will do a DNS request first. You can have a script that periodically checks if that FQDN has changed, then set that IP in an address list; then it is a matter of using that list in the firewall filter rule.

Are you aware that shutting down dst port 443 will result in no Google? Also, that IP could host several services, not only PayPal IPN, though it's not likely.
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
 
andreas140265
Frequent Visitor
Topic Author
Posts: 52
Joined: Tue Jan 15, 2013 4:57 pm
Location: Greece

Re: Securing port 443 along with PayPal IPNs

Tue May 12, 2015 5:39 pm

> Most probably the client app will do a DNS request first. You can have a script that periodically checks if that FQDN has changed, then set that IP in an address list; then it is a matter of using that list in the firewall filter rule.
>
> Are you aware that shutting down dst port 443 will result in no Google? Also, that IP could host several services, not only PayPal IPN, though it's not likely.

pukkita
thanks for your answer,

I just want to block incoming requests at the 443,80 TCP ports, so I drop all incoming packets with a source IP that does not belong in my "safe" list.
After I did that I have no problem with Google (why should I?).

What I actually want to achieve is to forbid access to the WebFig app. This app replies on ports 443 and 80.

Do you have any other suggestions on how to do that?

My solution forbids everyone but the "safe" incoming IP list, so I have to know which PayPal server replies with IPNs in order to add it to the "safe" list.

I don't know if there is a specific PayPal domain name for that job in order to resolve the IP and let it pass.
This is exactly what I'm asking...
 
pukkita
Trainer
Posts: 3037
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Securing port 443 along with PayPal IPNs

Tue May 12, 2015 6:28 pm

Ah! You can either disable those services if you're using WinBox, or create a list of allowed IPs, then set up a firewall filter on the input chain (if user-manager is running on the firewall) to drop all connections to 443,80 for IPs not on the list.

Regarding IPN, see PayPal IP Addresses.
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Securing port 443 along with PayPal IPNs

Tue May 12, 2015 9:34 pm

Change the port that WebFig listens on.

Change www-ssl to a non-standard port in /ip services
Then filter that port in the firewall with whatever list of approved sources you like, and it's independent of the IPNs.

Or you can simply add ranges of acceptable IPs to the /ip service "available from" list instead of using the firewall to limit access. (I think I am going to officially recommend this solution given your situation)
When given a spoon,
you should not cling to your fork.
The soup will get cold.
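
ZeroByte's two suggestions written out as RouterOS commands, as an added example that is not part of the original thread. The port 8443, the list name `mgmt-safe` and all addresses (documentation ranges) are assumptions chosen for illustration.

```routeros
# Added example: restrict WebFig without touching traffic on 443 that is
# meant for PayPal IPNs. Addresses below are placeholders (RFC 5737 ranges).
# Assumed management sources: 192.0.2.10 and 198.51.100.0/24.

# Before: WebFig answers on the default ports from any source.
# /ip service print   -> www port 80, www-ssl port 443, address empty

# Option A (the recommended one): limit each service with "available from".
# Only the listed sources can open WebFig; no firewall rule is needed,
# and the PayPal sender address never has to be tracked for this purpose.
/ip service set www address=192.0.2.10/32,198.51.100.0/24
/ip service set www-ssl address=192.0.2.10/32,198.51.100.0/24

# Option B: move WebFig off 443, then filter the new port on the input chain.
/ip service disable www
/ip service set www-ssl port=8443
/ip firewall address-list add list=mgmt-safe address=192.0.2.10 \
    comment="admin workstation (placeholder)"
/ip firewall address-list add list=mgmt-safe address=198.51.100.0/24 \
    comment="admin range (placeholder)"
# The rule is appended at the end of the chain; move it above any broader
# accept rule for these sources or ports so that it is actually evaluated.
/ip firewall filter add chain=input protocol=tcp dst-port=8443 \
    src-address-list=!mgmt-safe action=drop \
    comment="WebFig only from mgmt-safe"

# Check the result.
/ip service print
/ip firewall filter print where chain=input
```

With either option the management interface no longer shares its access policy with port 443, so the "safe" list only has to contain administrator addresses.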
