Thursday, February 26, 2015

Secure WebLogic with Connection Filters (Hardening and Kicking Out Unknown Users)




Connection filters allow you to deny access to unwanted connections at the network level. They can be used to protect server resources on individual servers, server clusters, or an entire internal network or intranet. Connection filters are particularly useful when using the Administration port. Depending on your network firewall configuration, you may be able to use a connection filter to further restrict administration access. A typical use might be to restrict access to the Administration port to only the servers and machines in the domain.
WebLogic Server provides a default connection filter called weblogic.security.net.ConnectionFilterImpl. This default connection filter accepts all incoming connections except the ones defined in your Administration Console as a connection filter rule. You can write your own custom connection filter by implementing the classes in the weblogic.security.net package. This post demonstrates the steps to configure WebLogic connection filters.



 
  1. If you have not already done so, in the Change Center of the Administration Console, click Lock & Edit.
    Change Center

     
  2. In the left pane, click on the domain name.
    Domain Structure

     
  3. In the right pane, select the Security -> Filter tab.
    Setting on Domain

     
  4. Click the Connection Logger Enabled attribute to enable the logging of accepted connections.
    Connection logger Enabled

     
  5. Specify the Connection Filter to be used with the domain. This example uses the default connection filter, weblogic.security.net.ConnectionFilterImpl.
    Connection Filter
  6. Specify the Connection Filter Rules. Make sure that you use the syntax below when writing the rules.

    Syntax:
    target localAddress localPort action protocols

    where
    • target specifies the client hosts that can connect to the WebLogic Server instance.
    • localAddress defines the host address of the WebLogic Server instance to which the client connects. If you specify an asterisk (*), the rule matches all local IP addresses.
    • localPort defines the port on which the WebLogic Server instance is listening and to which the client connects. If you specify an asterisk (*), the rule matches all available ports on the server.
    • action specifies the action to perform. This value must be either allow or deny.
    • protocols specifies the list of protocol names to match. The following protocols may be specified: http, https, t3, t3s, giop, giops, dcom, ftp, ldap. If no protocol is defined, all protocols will match the rule.
    Connection filter Rule

     
  7. Click Save and in the Change Center of the Administration Console, click Activate Changes.
    Change Center

    Once saved, an entry for these settings is written to the config.xml file, as shown below:
    <connection-filter>weblogic.security.net.ConnectionFilterImpl</connection-filter>
    <connection-filter-rule>10.1.xx.xx 10.1.xx.xx 7001 deny http</connection-filter-rule>
    <connection-logger-enabled>true</connection-logger-enabled>

     
  8. Restart all the WebLogic Server instances for changes to take effect.
    Notification

     
  9. Test the Connection Filter rules: Try to access the WebLogic Server instance on the port named in the rule, from the target server mentioned in the rule. This connection will be rejected because the rule says to deny the connection.
    ####<May 24, 2011 1:34:50 PM MDT> <Notice> <Socket> <NAND-S77> <AdminServer> <ExecuteThread: '2' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <> <1306265690809> <BEA-000445> <Connection rejected, filter blocked Socket[addr=10.1.xx.xx,port=48316,localport=7001], weblogic.security.net.FilterException: [Security:090220]rule 1>

    Then try to access the WebLogic Server instance on the same port from a server that is not mentioned in the rule. This connection will be accepted because it is not denied by the rule:
    ####<May 24, 2011 1:34:23 PM MDT> <Info> <Socket> <NAND-S77> <AdminServer> <ExecuteThread: '2' for queue: 'weblogic.socket.Muxer'> <<WLS Kernel>> <> <> <1306265663662> <BEA-000431> <Accepted Connection: Filtering is set to: "true" Remote Address: "/0:0:0:0:0:0:0:1" Remote Port: "51655" Local Address: "0.0.0.0/0.0.0.0" Local Port: "7001" Protocol: "http">
Further reading on Connection Filter rules:

http://download.oracle.com/docs/cd/E13222_01/wls/docs81/security/con_filtr.html#1029299
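
Before activating a rule list (step 6), it helps to check offline what it will do to a given connection. The sketch below is an added example, not WebLogic code: it validates rule lines against the syntax shown above and reports which rule decides a connection. It assumes that rules are evaluated top to bottom with the first match deciding, that targets are IP addresses or address/mask blocks only, and it uses constructed sample addresses and ports.

```python
import ipaddress

PROTOCOLS = {"http", "https", "t3", "t3s", "giop", "giops", "dcom", "ftp", "ldap"}

def parse_rule(line):
    """Validate one 'target localAddress localPort action protocols' line."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError(f"expected at least 4 fields: {line!r}")
    target, local_addr, local_port, action, *protos = fields
    if action not in ("allow", "deny"):
        raise ValueError(f"action must be allow or deny: {line!r}")
    if local_port != "*" and not (local_port.isdigit() and 0 < int(local_port) < 65536):
        raise ValueError(f"bad localPort: {line!r}")
    if set(protos) - PROTOCOLS:
        raise ValueError(f"unknown protocol in: {line!r}")
    # Assumption: targets are IP addresses or address/mask blocks, not host names.
    return {"target": ipaddress.ip_network(target, strict=False), "addr": local_addr,
            "port": local_port, "action": action, "protocols": set(protos)}

def evaluate(rules, client_ip, local_addr, local_port, protocol):
    """Return (decision, rule_number); rule_number is None if no rule matched."""
    client = ipaddress.ip_address(client_ip)
    # Assumption: rules are checked top to bottom and the first match decides.
    for number, rule in enumerate(rules, start=1):
        if client not in rule["target"]:
            continue
        if rule["addr"] not in ("*", local_addr):
            continue
        if rule["port"] not in ("*", str(local_port)):
            continue
        if rule["protocols"] and protocol not in rule["protocols"]:
            continue  # a rule with no protocols matches every protocol
        return rule["action"], number
    return "allow", None  # the default filter accepts whatever no rule denies

# Constructed sample rules: admin port 9002 limited to a domain subnet,
# plus one host denied http on 7001 (same shape as the config.xml rule).
RULES = [parse_rule(r) for r in (
    "10.1.20.0/24 * 9002 allow t3s https",
    "0.0.0.0/0 * 9002 deny",
    "10.1.30.7 * 7001 deny http",
)]

if __name__ == "__main__":
    for conn in (("10.1.20.15", "10.1.20.5", 9002, "t3s"),
                 ("10.1.20.15", "10.1.20.5", 9002, "http"),
                 ("192.0.2.44", "10.1.20.5", 9002, "https"),
                 ("10.1.30.7", "10.1.20.5", 7001, "t3")):
        print(conn, "->", evaluate(RULES, *conn))
```

The second sample connection shows the case that is easy to miss: a host inside the allowed subnet is still rejected by the catch-all deny when it uses a protocol the allow rule does not list.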

Monday, February 23, 2015

Oracle WebLogic Server 12c: Install, Configure, Deploy Java EE Applications


Oracle WebLogic Server 12c: Install and Configure






Oracle WebLogic Server 12c: Deploy Java EE Applications

We are going to learn the following:

Lesson 1: WebLogic Application Concepts
Lesson 2: Data Source Fundamentals
Lesson 3: JMS Fundamentals
Lesson 4: Deployment Techniques