JP2011239458A - Communication apparatus and control method of the same - Google Patents

Abstract

PROBLEM TO BE SOLVED: To solve the problem that registration omission and registration errors occur in a case when a plurality of addresses are registered by a manual operation, that an external apparatus becomes out of a filtering object and illegal access occurs.SOLUTION: When an IP address of the external apparatus to which communication with a communication apparatus is to be denied or permitted is inputted, a command is transmitted to the inputted IP address, a MAC address of the external apparatus corresponding to the inputted IP address is newly obtained based on a response corresponding to the command and the obtained MAC address is registered in a storage portion. When information is received from the external apparatus via a communication line, it is discriminated whether the MAC address of the external apparatus transmitting information is stored in the storage portion or not. Communication with the external apparatus transmitting information is denied or permitted in accordance with a result of discrimination.

Description

  The present invention relates to a communication apparatus connected to a network environment and having an address filtering function, and a control method thereof.

  In recent years, due to the spread of the Internet, there is a concern about the vulnerability of network security against remote access, attack, packet sniffing, etc. from third party external devices. As a countermeasure, it is common that a network device has a function of filtering access from a third party using an IP address or a physical address. This filtering function ensures security by allowing the user to deny access from an external device having a registered address by registering in advance so as to deny a specific address (Patent Document 1). ).

  As such a filtering function, an IP address that rejects reception is registered, an IP address of an external device that has issued an access request is determined, and filtering processing is performed when it matches the registered address. is there. In addition, there is one that registers a MAC address, determines the MAC address of the external device that issued the access request, and performs a filtering process when the addresses match.

JP 2002-152279 A

  However, in these conventional network device filtering techniques, when an external device holds a plurality of addresses, the user must set all addresses of the external device as filtering targets, resulting in a work load. Further, when manually registering a plurality of addresses, there has been a problem that registration failure, registration error, etc. occur and the external device is excluded from the filtering target, resulting in unauthorized access.

  On the other hand, in the case of registering the address of an external device that permits access, if there is a registration failure or a registration mistake, access from an external device that should permit access is denied. In particular, the conventional filtering technique is established on the assumption of only an IPv4 address, and may be applied when a plurality of addresses are handled with a long address length such as an IPv6 address that will be widely used in the future. It has become difficult.

  An object of the present invention is to solve the above-mentioned problems of the prior art.

A feature of the present invention is that by registering a MAC address corresponding to an IP address of an external device that rejects or permits reception, the occurrence of a registration leak or registration error of the external device is prevented, and the external device It is to be able to reliably refuse or permit reception from the Internet.

  Another object is to reduce the labor required for registering the address of the external device.

In order to achieve the above object, a communication apparatus according to an aspect of the present invention has the following arrangement. That is,
A communication device capable of communicating with an external device via a communication line,
Input means for inputting an IP address of an external device to be refused or permitted to communicate with the communication device ;
A transmission unit that transmits a command to the input IP address when an IP address is input by the input unit;
An acquisition unit for newly acquiring a MAC address of the external device corresponding to the input IP address based on a response to the command transmitted by the transmission unit;
Registration means for registering the MAC address acquired by the acquisition means in a storage unit;
When receiving information from an external device via the communication line, a determination unit that determines whether or not the MAC address of the external device that transmitted the information is stored in the storage unit;
Filter control means for rejecting or permitting communication with the external device that has transmitted the information according to the result of determination by the determination means .

In order to achieve the above object, a communication apparatus control method according to an aspect of the present invention includes the following steps. That is,
A communication device control method capable of communicating with an external device via a communication line,
An input step of inputting an IP address of an external device to be refused or permitted to communicate with the communication device;
A transmission step of sending a command to the input IP address when an IP address is input in the input step;
An acquisition step of newly acquiring the MAC address of the external device corresponding to the input IP address based on a response to the command transmitted in the transmission step;
A registration step of registering the MAC address acquired in the acquisition step in a storage unit;
When receiving information from an external device via the communication line, a determination step of determining whether or not the MAC address of the external device that transmitted the information is stored in the storage unit;
A filter control step of rejecting or permitting communication with the external device that has transmitted the information according to a result of the determination in the determination step .

According to the present invention, by registering the MAC address corresponding to the IP address of the external device to deny or allow reception can reliably reject or permit reception from the external device.

1 is a block diagram illustrating a hardware configuration of a digital multi-function peripheral according to an embodiment of the present invention. FIG. 3 is a functional block diagram illustrating an example of a software configuration executed by the multifunction peripheral according to the present embodiment. It is the figure which showed an example of the network structure which concerns on embodiment of this invention. It is a figure which shows the example of a display of the list of the IP address and host name of a network device. It is a figure explaining the setting file which matched the IP address and host name of the digital multi-function peripheral and external device which the DNS server which concerns on this Embodiment manages. 6 is a flowchart for explaining processing when the address of one external device is set as a filtering target by the user interface unit in the digital multifunction peripheral according to the present embodiment. It is a figure which shows the example of a registration screen of the connection refusal address which concerns on this Embodiment. It is a figure which shows the example of a registration screen in the case of registering all the IP addresses which the external apparatus concerning this Embodiment hold | maintains as a connection rejection address. It is a figure which shows the example of a screen which inquires a user whether other IP address which the external apparatus which concerns on this Embodiment holds is registered as a connection rejection address. It is a figure explaining an example of the connection permission and the connection rejection IP address memorize | stored in the filter address memory | storage part which concerns on this Embodiment. 10 is a flowchart illustrating processing when the digital multi-function peripheral according to Embodiment 2 of the present invention sets the address of one external device as a filtering target by the user interface unit. It is a figure which shows an example of the MAC address list of the filtering object memorize | stored in the filter address memory | storage part which concerns on this Embodiment 2. FIG. 10 is a diagram illustrating an example of a screen for inquiring whether or not to register a MAC address as a filter address in a filter address storage unit when it is determined that the MAC address is a router address in the second embodiment. 10 is a flowchart for explaining processing when the digital multi-function peripheral according to Embodiment 3 of the present invention sets the address of an external device as a filtering target by the user interface unit. It is a figure explaining the example of the memory content of the transmission / reception log | history memory | storage part of the multi-function device concerning this Embodiment 3. It is a figure which shows the example of a screen for inquiring a user whether the acquired MAC address is registered as a filter address. 10 is a flowchart for explaining processing when one external device address is set as a filtering target by the user interface unit of the digital multi-function peripheral according to Embodiment 4 of the present invention. 16 is a flowchart for explaining processing when one external device address is set as a filtering target by the user interface unit of the digital multi-function peripheral according to Embodiment 5 of the present invention.

  Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the accompanying drawings. The following embodiments do not limit the present invention according to the claims, and all combinations of features described in the present embodiments are essential to the solution means of the present invention. Not exclusively.

  FIG. 1 is a block diagram showing a hardware configuration of a digital multi-function peripheral 100 according to an embodiment of the present invention. The digital multi-function peripheral 100 is also connected to a network 111 and functions as a network device (communication device) that can exchange data with other network devices via the network 111.

  The CPU 101 executes a control program for the digital multifunction peripheral 100 and controls the entire multifunction peripheral. The ROM 102 stores a boot program, fixed parameters, and the like for the multifunction machine 100. The RAM 103 has an area for storing a program executed by the CPU 101, and is used for temporarily storing data when controlling the operation of the multi-function device 100. The HDD 108 is a hard disk drive and is used for storing various data such as print data. The timer 112 manages the elapsed time in the timer process. The printer I / F control unit 104 controls the operation of the printer 110. The NVRAM 105 is a non-volatile memory and stores various setting values of the multifunction peripheral 100 in a non-volatile manner. The panel control unit 106 controls the operation panel 109 to control display of various information on the operation panel 109 and instruction input by the user using the operation panel 109. The network I / F control unit 107 controls transmission / reception of data with the network 111 such as a LAN. A bus 108 is a system bus that connects the above-described units and the CPU 101 and carries control signals and data signals from the CPU 101.

  Various application programs executed by the CPU 101 are installed in the HDD 108, and when the execution of the program is instructed, the program is loaded into the RAM 103 and executed under the control of the CPU 101.

  FIG. 2 is a functional block diagram illustrating an example of a software configuration executed by the multifunction peripheral 100 according to the present embodiment.

  In FIG. 2, a user interface unit 201 indicates an operation unit that registers an address for the user to perform filtering. The user interface unit 201 includes a program for controlling the operation panel 109. The address information input from the user interface unit 201 is stored (registered) in the filter address storage unit 204 by the filter address registration unit (registration processing means (process)) 202. The filter address storage unit 204 corresponds to the HDD 108 or the NVRAM 105 described above. In addition, when an address is registered, the filter address registration unit 202 uses the registered address information as an address expansion control unit in order to determine whether an external device that holds the registered address holds another address. 203. When the address expansion control unit 203 receives the address information from the address registration unit 202, the address expansion control unit 203 uses the transmission / reception history storage unit 207 and the packet transmission / reception unit 206 to acquire other address information of the external device that holds the received address. Functions as an acquisition means. The packet transmission / reception unit 206 controls data exchange with an external device via the network 111. Therefore, the cooperative operation by the address expansion control unit 203 and the filter address registration unit 202 constitutes an additional registration processing unit.

  The transmission / reception history storage unit 207 updates the history information every time the packet transmission / reception unit 206 communicates packet data with an external device. This history information is stored in association with the IP address or MAC address of the external device. The transmission / reception history storage unit 207 is also referred to as an ARP (Address Resolution Protocol) cache table. When transmitting data to an external device, the packet transmission / reception unit 206 first refers to the transmission / reception history storage unit 207, and if there is a corresponding IP address, transmits the packet to the corresponding MAC address. When the address is registered in the filter address storage unit 204, every time the packet transmission / reception unit 206 receives packet data from the network 111, the connection request is transmitted to the network (NW) filter control unit 205. Pass the address information of the external device. As a result, the network filter control unit 205 refers to the filter address storage unit 204 and determines whether there is filter information (address) corresponding to the received address information. Here, when the filter information corresponding to the received address information is found, the network filter control unit 205 executes a preset process on the external device that has transmitted the connection request.

  FIG. 3 is a diagram showing an example of a network configuration according to the embodiment of the present invention.

  In FIG. 3, reference numeral 100 denotes the above-described digital multi-function peripheral (network device), which can implement the filtering function according to the present embodiment and perform filtering settings for an external device. Reference numerals 302 and 303 denote external devices that are installed on the same network 111 as the digital multifunction peripheral 100 and perform data communication via the network 111. Further, the external device 305 can communicate with the multifunction peripheral 100 from another subnet 306 via the router 304. The DNS server 307 manages the IP address and host name of each device (device) in the network 111 in association with each other.

  FIG. 4 is a diagram showing a list display example of IP addresses and host names of network devices.

  Here, the digital multifunction peripheral (network device) 100 holds an IPv4 address “169.10.0.1” and IPv6 addresses “fe80 :: 1000” and “3000 :: 1000”. It also holds the host name “net”. Similarly, the external device 302 holds an IPv4 address “169.10.0.2” and IPv6 addresses “fe80 :: 2000” and “3000 :: 2000”. It also holds the host name “dev1”. The external device 303 holds an IPv4 address “169.10.0.3” and IPv6 addresses “fe80 :: 3000” and “3000 :: 3000”. It also holds “dev2” as the host name. The external device 305 holds an IPv4 address “169.20.0.1” and IPv6 addresses “fe80 :: 2001” and “3000 :: 2001”. It also holds “dev3” as the host name. Furthermore, the DNS server 307 holds the IPv4 address “169.10.0.5”, the IPv6 addresses “fe80 :: 5000”, and “3000 :: 5000”, and the IP of the digital multi-function peripheral 100 and the external devices 302 to 303, 304. Performs address and host name resolution.

  FIG. 5 is a diagram for explaining an example of a setting file in which IP addresses and host names of digital multifunction peripherals and external devices managed by the DNS server 307 according to the present embodiment are associated with each other.

  The DNS server 307 refers to this setting file every time a DNS query (DNS query) is made from the client, and responds by performing name resolution. The registration of the IP address and host name of each device in the DNS server 307 may be manually set by the administrator of the DNS server 307, or if each device has the DNS setting enabled, the device periodically Therefore, it is registered in the DNS server 307. In FIG. 5, “IN A” indicates an IPv4 address, and “IN AAAA” indicates an IPv6 address.

  Based on the above assumptions, each embodiment of the present invention will be described below.

<Embodiment 1>
FIG. 6 is a flowchart for explaining processing when the address of one external device is set as a filtering target by the user interface unit 201 in the digital multifunction peripheral 100 according to the first embodiment. Here, the DNS server 307 is used to acquire other IP addresses related to the address, and the acquired IP address is set as a filtering target.

  First, in step S <b> 1, the filter address registration unit 202 receives an IP address to be filtered from the user interface unit 201. At this time, the user interface unit 201 can input an arbitrary IP address using either an IPv4 address or an IPv6 address. In this embodiment, as shown in FIG. 7, the IPv4 address “169.10.0.2” of the external device 302 is registered as a connection rejection target as a filtering target address.

  FIG. 7 is a diagram showing an example of a connection rejection address registration screen according to the first embodiment. Here, this address and soft keys for instructing “new registration”, “deletion”, and “completion” are displayed on the display unit of the operation panel 109.

  In step S 2, the filter address registration unit 202 registers the input address in the filter address storage unit 204. At this time, if the IP address is already registered, the registration operation is not performed. Further, the filter address registration unit 202 passes the IP address input in step S <b> 1 to the address expansion control unit 203 in order to acquire another IP address held by the external device 302. The address expansion control unit 203 acquires another IP address held by the external device 302 based on another preset IP address acquisition unit. In the first embodiment, based on the received IP address held by the external device 302, it is assumed that the DNS server 307 is used to check another IP address held by the external device 302. .

  In step S3, the address extension control unit 203 inquires of the DNS server 307 about the host name of the received IP address “169.10.0.2” using an A record (IPv4 address). The DNS server 307 returns “dev1” which is the corresponding host name in accordance with the setting file shown in FIG. At this time, if the DNS server 307 fails to acquire the host name, the address expansion process is terminated.

  For example, in FIG. 5, 501 indicates the correspondence between the host name of the external device 302 and the IPv4 address, 502 indicates the correspondence between the host name of the external device 302 and the IPv6 address, and 503 indicates the host name and IPv6 address of the external device 302. The correspondence with is shown.

  If the host name can be acquired in step S3, the process proceeds to step S4, and the DNS server 307 is inquired about the IP address of the acquired host name “dev1” of the external device 302. At this time, the DNS server 307 is inquired with both the AAAA record and the A record. The DNS server 307 returns “169.10.0.2”, which is the corresponding IPv4 address, to the A record in accordance with the setting file of FIG. In the AAAA record, the corresponding IPv6 addresses “fe80 :: 2000” and “3000 :: 2000” are returned as a result. At this time, if the corresponding IP address cannot be obtained from the DNS server 307, the address expansion process is terminated.

  Thus, the address information acquired from the DNS server 307 is passed to the address extension control unit 203 via the packet transmission / reception unit 206. The address expansion control unit 203 checks whether an address other than the IP address “169.10.0.2” registered in the filter address storage unit 204 exists in the list. From the above acquisition list, the IP addresses “fe80 :: 2000” and “3000 :: 2000” are not registered. Therefore, the address extension control unit 203 passes these two IP addresses to the filter address registration unit 202. As a result, the filter address registration unit 202 registers this IP address in the filter address storage unit 204 (step S5).

  As a result, the user interface unit 201 displays all IP addresses held by the external device 302 as shown in FIG. 8, and when “complete” is instructed here, these addresses are registered as filter addresses. If it is not desired to register as a filter address, the address can be excluded from the filter address by designating the address and instructing “delete”.

  FIG. 8 is a diagram showing an example of a registration screen when registering all IP addresses held by the external device 302 according to the present embodiment as connection rejection addresses. This screen is displayed on the operation panel 109.

  Alternatively, as shown in FIG. 9, a list of other IP addresses possessed by the external device 302 may be displayed, and the user may select whether or not to register for each address.

  FIG. 9 is a diagram illustrating an example of a screen for inquiring the user whether or not to register each other IP address held by the external device 302 according to the present embodiment as a connection rejection address. Here, when any address is selected and “Yes” 900 is instructed, the address is registered as a connection rejection address. When “No” 901 is instructed, the address is not registered as a connection rejection address. .

  After the registration operation is completed in the digital multifunction peripheral 100 in this way, processing when the external device 302 transmits a packet to try to connect to the multifunction peripheral 100 with the IP address “169.10.0.2” will be described. In this case, the MFP 100 acquires the destination IP address “169.10.0.2” from the packet received by the packet transmitting / receiving unit 206. The address information is passed to the network filter control unit 205. The network filter control unit 205 refers to the filter address storage unit 204 and checks whether or not the received IP address is set as a filter target.

  FIG. 10 is a diagram for explaining an example of connection permission and connection rejection IP addresses stored in the filter address storage unit 204 according to the present embodiment.

  Here, the address “169.10.0.2” received from the external device 302 is registered as a connection rejection address target. Accordingly, the network filter control unit 205 instructs the packet transmitting / receiving unit 206 not to discard the received packet and return a response to the connection request packet.

  When the external device 302 transmits a connection request packet to the digital multi-function peripheral 100 with the IP address “fe80 :: 2000”, the connection request is discarded according to the same procedure as that for the IP address “169.10.0.2”.

  When the external device 303 transmits a connection request packet to the multi-function device 100 with the IP address “169.20.0.3”, the IP address is not registered in the filter address storage unit 204, so that the connection request is accepted. Communicate.

  As described above, according to the first embodiment, when the user registers only one IP address held by the external device 302, other IP addresses of the external device 302 are also acquired and registered as filter addresses. it can. As a result, reception of packet data from an external device having a plurality of IP addresses can be reliably rejected, and the risk of security due to omission of address registration can be reduced.

  In addition, since it is possible to automatically register other addresses of the external device simply by instructing registration of reception rejection based on one IP address of a certain external device, the effect of reducing the work load required for the registration There is.

  In the first embodiment, an IPv4 address is registered, but an IPv6 address may be registered. If an IPv6 address is input, a DNS query may be made for the host name by reverse lookup of the AAAA record in step S3 of the flowchart.

<Embodiment 2>
FIG. 11 is a flowchart for explaining processing when the digital multifunction peripheral 100 according to Embodiment 2 of the present invention sets the address of one external device as a filtering target by the user interface unit 201. Here, a Ping command is transmitted to the registered IP address to acquire the MAC address of the external device, the acquired MAC address is applied to the MAC address filter, and filtering is performed at the physical layer level. Note that the MFP 100 according to the second embodiment, its software configuration, its network configuration, and the like are the same as those in the first embodiment, and a description thereof will be omitted. The Ping command is a command for transmitting small packet data to the other party on a TCP / IP network such as the Internet and checking the communication line status based on the return time.

  First, in step S <b> 11, the filter address registration unit 202 receives an IP address to be filtered from the user interface unit 201. At this time, the user interface unit 201 can input an IP address using an IPv4 address or an IPv6 address. In the second embodiment, as in the first embodiment, the IPv4 address “169.10.0.2” of the external device 302 is input and registered as the filtering target address as shown in FIG.

  In step S 12, the filter address registration unit 202 registers the input address in the filter address storage unit 204. At this time, if the IP address has already been registered, the registration work is not performed. In step S13, the digital multi-function peripheral 100 transmits a Ping command to the registered IP address in order to acquire the MAC address of the external device 302. If there is a response from the external device 302 to this Ping command, the process proceeds to step S14, but if there is no response, the process ends.

  In step S14, the MAC address “00aa00123457” included in the received packet from the external device is acquired. Then, the MAC address is passed to the network filter control unit 205. As a result, the network filter control unit 205 registers the MAC address in the filter address storage unit 204 as a MAC address for refusing connection.

  Thus, after that, when the MFP 100 is accessed from the external device 302 with the IP address “169.10.0.1”, the following processing is executed. That is, the packet transmitting / receiving unit 206 first acquires the destination MAC address from the received packet in order to check the filtering condition of the MAC address in the lower layer of the packet. Then, the MAC address is passed to the network filter control unit 205. Thereby, the network filter control unit 205 refers to the filter address storage unit 204 in order to check whether or not the passed MAC address is set as a filtering target. The filter address storage unit 204 stores a list of MAC addresses to be filtered as shown in FIG.

  FIG. 12 is a diagram illustrating an example of a filtering target MAC address list stored in the filter address storage unit 204 according to the second embodiment.

  As described above, the filter address storage unit 204 registers the filtering target MAC address as a connection rejection address. When the network filter control unit 205 determines that the corresponding address is stored, the network filter control unit 205 notifies the packet transmission / reception unit 206 that the connection is rejected. As a result, the packet transmitting / receiving unit 206 promptly discards the received packet because the received packet is a packet from an address registered as a connection rejection.

  Similarly, even when the external device 302 accesses the MFP 100 with the IP address “fe80 :: 2000”, the MAC address is not changed, and thus the connection request is discarded as in the above case.

  On the other hand, when the external device 303 accesses the MFP 100, the address of the external device 303 is not registered in the filter address storage unit 204, so that packet transmission / reception with the external device 303 is executed. Is done.

  In the above embodiment, the IPv4 address is registered from the user interface unit 201. However, an IPv6 address is also possible. When an IPv6 address is set as the filter address, it is determined whether the input address is an IPv4 address or an IPv6 address. In step S13, if it is an IPv4 address, a corresponding Ping command is issued. If it is an IPv6 address, a Ping command corresponding to that address may be issued.

  In the embodiment described above, the address of the external device registered in the filter address storage unit 204 may exist outside the same link as in the external device 305 shown in FIG. In this case, the digital multifunction peripheral 100 transmits a Ping command to the external device 305. In that case, the destination MAC address of the response packet returned from the external device 305 is the MAC address of the router 304. Therefore, in this case, if the MAC address is registered as a filter address according to the above embodiment, access from all external devices via the router 304 is rejected. Therefore, when the MFP 100 receives a response to the Ping command, a function of determining whether or not the MAC address is the address of the router 304 may be added. For example, when the MAC address is acquired, it is compared with the MAC address of the default gateway address (router) preset in the multi-function device 100 to determine whether the address is the address of the router. Alternatively, it may be determined whether or not the address is the address of the router 304 by referring to the routing table held by the multifunction device 100. In this way, when it is determined that the source external device exists outside the router 304, the user may be prompted to select whether or not to register the MAC address of the router 304 as a filter address, as shown in FIG. Good.

  FIG. 13 is a diagram showing an example of a screen for inquiring whether or not to register the MAC address as a filter address in the filter address storage unit 204 when the MAC address of the router is found out in the second embodiment. .

  When “Yes” is instructed here, the MAC address of the router is registered in the filter address storage unit 204, and when “No” is instructed, the registration is canceled.

  As another example, when an IP address is input from the user interface unit 201, a tracert command is used to determine whether or not to pass through the router 304 before communicating with the IP address. As a result of the determination, if it is determined that the external device holding the IP address exists outside the router 304, the screen shown in FIG. 13 is similarly displayed, and whether the MAC address of the router 304 is registered in the filter address storage unit 204. You may let the user choose whether.

  As described above, according to the second embodiment, a MAC address corresponding to a registered IP address can be acquired without using a DNS server, and the MAC address can be registered as a filter address.

  Also, when a MAC address is received via a router, it can be registered by determining whether or not to register the MAC address as a filter address.

<Embodiment 3>
FIG. 14 is a flowchart for explaining processing when the digital multifunction peripheral 100 according to Embodiment 3 of the present invention sets the address of an external device as a filtering target using the user interface unit. Note that the MFP 100 according to the third embodiment, its software configuration, its network configuration, and the like are the same as those of the first embodiment, and a description thereof will be omitted.

  In the process illustrated in FIG. 14, the MAC address of the external device is acquired using the transmission / reception history storage unit 207, and the acquired MAC address is stored in the filter address storage unit 204 to perform filtering at the physical layer level. Processing is shown.

  First, in step S <b> 21, the filter address registration unit 202 inputs an IP address to be filtered from the user interface unit 201. At this time, the user interface unit 201 can input an IP address using either an IPv4 address or an IPv6 address. In the third embodiment, as shown in FIG. 7 of the first embodiment, the IPv4 address “169.10.0.2” of the external device 302 is registered as a connection rejection address.

  In step S 22, the filter address registration unit 202 registers the input address in the filter address storage unit 204. At this time, if the IP address matches an already registered IP address, the address is not registered.

  In step S23, the digital multifunction peripheral 100 checks the MAC address of the external device 302 with reference to the transmission / reception history storage unit 207 held by the multifunction device 100 in order to obtain the MAC address of the external device 302. . In the transmission / reception history storage unit 207, as shown in FIG. 15, a destination IP address and a MAC address when the MFP 100 has communicated with an external device so far are stored as a pair.

  FIG. 15 is a diagram for explaining an example of the contents stored in the transmission / reception history storage unit 207 of the multifunction peripheral 100 according to the third embodiment.

  In FIG. 15, it can be seen that the IP address “169.10.0.2” holds the MAC address “00aa00123457”.

  In this way, when the MAC address is acquired from the transmission / reception history storage unit 207 in step S23, the process proceeds to step S24, and the address expansion control unit 203 passes the acquired MAC address to the filter address registration unit 202. Accordingly, the filter address registration unit 202 refers to the filter address storage unit 204 and checks whether or not the corresponding MAC address has already been registered. If not registered, “00aa00123457” is newly registered as the MAC filter address target.

  Alternatively, as shown in FIG. 16, whether or not to register the acquired MAC address as a MAC address filter target address may be displayed on the operation panel 109 to allow the user to select.

  FIG. 16 is a diagram showing a screen example of the operation panel 109 for inquiring of the user whether or not to register the MAC address thus obtained as a filter address.

  If “Yes” is instructed here, the MAC address is registered as a filter address, and if “No” is instructed, the MAC address is not registered.

  If the IP address is not stored in the transmission / reception history storage unit 207 in step S23, the address expansion process is terminated.

  As a result, the packet transmission / reception unit 206 first checks the filtering condition of the MAC address in the lower layer even if the IP address “169.10.0.2” is accessed from the external device 302 thereafter. Then, the MAC address is acquired from the received packet and passed to the network filter control unit 205. Thereby, the network filter control unit 205 refers to the filter address storage unit 204 in order to check whether or not the passed MAC address is set as a filtering target.

Here, the filter address storage unit 204 stores a list of MAC addresses to be filtered as shown in FIG. In this case, since the MAC address “00aa00 12 3457” is registered as the connection rejection address, the network filter control unit 205 notifies the packet transmission / reception unit 206 that the connection is rejected. In this way, the packet transmitting / receiving unit 206 determines that the received packet has been registered as a connection rejection, and immediately discards the received packet.

  Similarly, even if the external device 302 accesses with the IP address “fe80 :: 2000”, the MAC address is not changed, so that the connection request from the external device 302 is similarly rejected.

  On the other hand, when an external device 303 whose address is not rejected accesses the MFP 100, the address of the external device 303 is not registered in the filter address storage unit 204. Is accepted.

  As described above, according to the third embodiment, when registering an IP address as a filter address, the MAC address corresponding to the IP address is acquired from the packet transmission / reception history, and the MAC address is also used as the filter address. You can register. As a result, not only the IP address but also the MAC address can be registered as a filter address, so that it is possible to more reliably eliminate a connection request from the external device being filtered.

<Embodiment 4>
FIG. 17 is a flowchart for explaining processing when one external device address is set as a filtering target by the user interface unit of the digital multi-function peripheral according to Embodiment 4 of the present invention. In the fourth embodiment, the transmission / reception history storage unit 207 is used to acquire another IP address held by the external device, and the acquired IP address is also set as an IP filtering target. Note that the MFP 100 according to the fourth embodiment, its software configuration, its network configuration, and the like are the same as those in the first embodiment, and a description thereof will be omitted.

  First, in step S <b> 31, the filter address registration unit 202 receives an IP address to be filtered from the user interface unit 201. At this time, the user interface unit 201 can input an IP address using an IPv4 address or an IPv6 address. In the fourth embodiment, as shown in FIG. 7, the IPv4 address “169.10.0.2” of the external device 302 is input and registered as the filtering target address.

  In step S 32, the filter address registration unit 202 registers the input address in the filter address storage unit 204. At this time, if the IP address is already registered, the IP address is not registered as described above. In step S33, the MFP 100 refers to the transmission / reception history storage unit 207 in order to obtain the MAC address of the external device 302 corresponding to the IP address.

  According to the example shown in FIG. 15, the IP address “169.10.0.2” holds the MAC address “00aa00123457” according to the contents of the transmission / reception history storage unit 207.

  When it is determined that the corresponding address is stored in this way, the process proceeds to step S34, and the MAC address is acquired.

  In step S35, the address expansion control unit 203 checks the transmission / reception history storage unit 207 to determine whether there is another IP address corresponding to the acquired MAC address.

  In FIG. 15, it can be seen that the MAC address “00aa00123457” holds IP addresses “fe80 :: 2000” and “3000 :: 2000” in addition to “169.10.0.2”. Therefore, in this case, this IP address is passed to the filter address storage unit 204. In step S 36, the filter address registration unit 202 registers other IP addresses in the filter address storage unit 204.

  On the other hand, if the IP address does not exist in the transmission / reception history storage unit 207 in step S35, the address expansion process is terminated as it is. Even if the IP address exists and the MAC address can be acquired, if the packet transmission / reception unit 206 has no history with other IP addresses, the address expansion process is terminated.

  After this, when accessing from the external device 302 with the IP address “169.10.0.2”, the packet transmitting / receiving unit 206 first checks the filtering condition of the MAC address in the lower layer. Therefore, the MAC address is acquired from the received packet, and the MAC address is passed to the network filter control unit 205. Thereby, the network filter control unit 205 refers to the filter address storage unit 204 in order to check whether or not the passed MAC address is set as a filtering target. Here, the filter address storage unit 204 has a list of MAC addresses to be filtered as shown in FIG. 12, for example, and the MAC address is registered as a connection rejection address. Accordingly, the network filter control unit 205 notifies the packet transmission / reception unit 206 of the connection rejection. The packet transmission / reception unit 206 stops registering the received packet as connection rejection, and discards the received packet.

  Similarly, since the MAC address is not changed even when the external device 302 accesses with the IP address “fe80 :: 2000”, the connection request is discarded using the same method as described above.

  Further, when the external device 303 accesses the multi-function device 100, the address of the external device 303 is not registered in the filter address storage unit 204, so that communication can be performed.

  As described above, according to the fourth embodiment, from the IP address to be filtered, the MAC address of the device as well as other IP addresses can be automatically acquired and registered as filter addresses. Thereby, even when the external device to be filtered has a plurality of addresses, there is an effect that these addresses can be covered and registered as the addresses to be filtered.

<Embodiment 5>
In the first to fourth embodiments described above, other addresses held by the external device are also acquired and filtering settings are executed internally. However, there are environments that cannot be implemented.

  For example, in the case of the above-described first embodiment, other addresses cannot be acquired in an environment where there is no DNS server. Further, when the external device is set not to register its own address in the DNS server 307, the name cannot be resolved even when the digital multifunction peripheral 100 queries the DNS server 307.

  In the case of the above-described second embodiment, if the external device that is the destination of the Ping command is turned off, no response is naturally returned. If an external device exists outside the router 304 as described above, the acquired MAC address is the MAC address of the router 304.

  In the case of the third and fourth embodiments, if there is no history of the MFP 100 communicating with an external device, the transmission / reception history storage unit 207 does not have information on the external device.

  Since it is assumed that there is an environment where the above-described embodiments cannot be applied, a pattern in which the embodiments are executed in combination is also conceivable.

  FIG. 18 is a flowchart for explaining processing when one external device address is set as a filtering target by the user interface unit of the digital multi-function peripheral according to Embodiment 5 of the present invention. In the fifth embodiment, the IP address extension processing sequence is obtained when the above-described embodiments are combined.

  First, in step S41, the filter address registration unit 202 inputs an IP address to be filtered from the user interface unit 201. At this time, the user interface unit 201 can input the IP address as an IPv4 address or an IPv6 address. In the fifth embodiment, as shown in FIG. 7 described above, the IPv4 address “169.10.0.2” of the external device 302 is registered as the connection rejection address as the filtering target address.

  In step S42, the filter address registration unit 202 registers the input address in the filter address storage unit 204. At this time, if it matches the already registered IP address, the IP address is not registered. In step S43, the DNS server 307 is inquired of the host name based on the input IP address. The processing at this time is the same as that in the first embodiment, and the detailed description of the processing is referred to the first embodiment.

  If an IP address different from the IP address input by the inquiry to the DNS server 307 can be acquired, the process proceeds to step S46, and the IP address is also set as a filtering target. Alternatively, as in the above-described first embodiment, it may be displayed so that the user can select whether or not to set the acquired IP address as a filtering target.

  On the other hand, if it is determined in step S43 that the address cannot be resolved by making an inquiry to the DNS server 307, the process proceeds to step S44, and the transmission / reception history storage unit 207 held by the digital multi-function peripheral 100 is referred to attempt another IP address acquisition. The processing at this time is the same as that of the fourth embodiment, and the details of the processing are referred to the fourth embodiment. In step S44, referring to the transmission / reception history storage unit 207, if another IP address can be acquired, the process proceeds to step S47, and the IP address is also set as a filtering target. Or you may make a user select or display whether the acquired IP address is made into filtering object.

  In the fifth embodiment, the IP address is acquired using the transmission / reception history storage unit 207. However, it may be used as means for acquiring the MAC address as in the third embodiment.

  If the address cannot be acquired from the DNS server 307 in step S43, the external device may not have registered the address of the external device itself in the DNS server 307. Here, the case of not registering with the DNS server 307 often does not need to be registered, and therefore, the external device is highly likely to exist on the same link as the MFP 100. Therefore, there is a high possibility that a cache that has performed communication exists in the transmission / reception history storage unit 207 of the multifunction peripheral 100. Therefore, in step S44, there is a high possibility that another IP address can be acquired.

  On the other hand, if another address cannot be acquired even if referring to the transmission / reception history storage unit 207 in step S44, the process proceeds to step S45, where a Ping command is transmitted to the input IP address, and the MAC of the external device is transmitted. Try to get an address. The processing at this time is the same as the processing in the above-described second embodiment, and refer to the second embodiment for details of the processing.

  In step S45, when a response is returned to the transmission of the Ping command, the process proceeds to step S48, and the acquired MAC address is set as a filter target. Alternatively, it may be determined whether or not the acquired MAC address is the address of the router 304, and if it is not the address of the router 304, a screen for selecting whether or not to register the MAC address as a filter address may be displayed.

  If there is no response to the Ping command in step S44, the IP address expansion process is terminated.

  As described above, according to the fifth embodiment, by combining the address acquisition processing according to each embodiment, it is possible to compensate for the concern that could not be set depending on the environment in each embodiment. Thereby, a filtering function with higher security can be realized.

  As described above, according to the fifth embodiment, the user can automatically set other IP addresses as filtering targets only by setting one IP address held by the external device as a filtering target. Thereby, the work load for setting a plurality of IP addresses can be reduced.

  In addition, there is an effect that it is possible to prevent security vulnerabilities due to address registration leaks or registration mistakes. In Embodiments 1 to 5 described above, the case where a specific address is registered as a reception rejection address has been described. However, the present invention can also be applied when a specific address is registered as a reception permission address. is there. That is, it is conceivable that reception from all addresses other than the registered specific address is rejected instead of setting to reject only the registered specific address. At this time, if the user inputs one address as the reception permitted address, other address information held by the external device corresponding to this address is also acquired and registered as the reception permitted address. Can be reduced.

(Other embodiments)
Although the embodiments of the present invention have been described in detail above, the present invention may be applied to a system constituted by a plurality of devices or may be applied to an apparatus constituted by one device.

  In the present invention, a software program that implements the functions of the above-described embodiments is supplied directly or remotely to a system or apparatus, and the computer of the system or apparatus reads and executes the supplied program. Can also be achieved. In that case, as long as it has the function of a program, the form does not need to be a program.

  Accordingly, since the functions of the present invention are implemented by computer, the program code installed in the computer also implements the present invention. That is, the claims of the present invention include the computer program itself for realizing the functional processing of the present invention. In this case, the program may be in any form as long as it has a program function, such as an object code, a program executed by an interpreter, or script data supplied to the OS.

  Various recording media for supplying the program can be used. For example, floppy (registered trademark) disk, hard disk, optical disk, magneto-optical disk, MO, CD-ROM, CD-R, CD-RW, magnetic tape, nonvolatile memory card, ROM, DVD (DVD-ROM, DVD- R).

  As another program supply method, the program can be supplied by connecting to a home page on the Internet using a browser of a client computer and downloading the program from the home page to a recording medium such as a hard disk. In this case, the computer program itself of the present invention or a compressed file including an automatic installation function may be downloaded. It can also be realized by dividing the program code constituting the program of the present invention into a plurality of files and downloading each file from a different homepage. That is, a WWW server that allows a plurality of users to download a program file for realizing the functional processing of the present invention on a computer is also included in the claims of the present invention.

  Further, the program of the present invention may be encrypted, stored in a storage medium such as a CD-ROM, and distributed to users. In that case, a user who has cleared a predetermined condition is allowed to download key information to be decrypted from a homepage via the Internet, and using the key information, the encrypted program can be executed on a computer in a format that can be executed. To be installed.

  Further, the present invention can be realized in a form other than the form in which the functions of the above-described embodiments are realized by the computer executing the read program. For example, based on the instructions of the program, an OS or the like running on the computer performs part or all of the actual processing, and the functions of the above-described embodiments can also be realized by the processing.

  Furthermore, the program read from the recording medium may be written in a memory provided in a function expansion board inserted into the computer or a function expansion unit connected to the computer. In this case, thereafter, based on the instructions of the program, the CPU or the like provided in the function expansion board or function expansion unit performs part or all of the actual processing, and the functions of the above-described embodiments are realized by the processing. .

Claims (6)

A communication device capable of communicating with an external device via a communication line,
Input means for inputting an IP address of an external device to be refused or permitted to communicate with the communication device ;
A transmission unit that transmits a command to the input IP address when an IP address is input by the input unit;
An acquisition unit for newly acquiring a MAC address of the external device corresponding to the input IP address based on a response to the command transmitted by the transmission unit;
Registration means for registering the MAC address acquired by the acquisition means in a storage unit;
When receiving information from an external device via the communication line, a determination unit that determines whether or not the MAC address of the external device that transmitted the information is stored in the storage unit;
Filter control means for rejecting or permitting communication with an external device that has transmitted the information, according to a result of determination by the determination means;
A communication apparatus comprising: A communication device capable of communicating with an external device via a communication line,
History storage means for storing history information relating to communication performed via the communication line;
Input means for inputting an IP address of an external device to be refused or permitted to communicate with the communication device;
Obtaining a new MAC address of the external device corresponding to the input IP address by referring to the history information stored in the history storage unit based on the IP address input by the input unit Means,
Registration means for registering the MAC address acquired by the acquisition means in a storage unit;
When receiving information from an external device via the communication line, a determination unit that determines whether or not the MAC address of the external device that transmitted the information is stored in the storage unit;
Filter control means for rejecting or permitting communication with an external device that has transmitted the information, according to a result of determination by the determination means;
A communication apparatus comprising: Means for inquiring of a user whether or not to register the MAC address acquired by the acquisition means in the storage unit;
The communication apparatus according to claim 1, further comprising a determination unit that determines whether or not to register the MAC address in the storage unit in response to a response to the inquiry to the user. A communication device control method capable of communicating with an external device via a communication line,
An input step of inputting an IP address of an external device to be refused or permitted to communicate with the communication device;
A transmission step of sending a command to the input IP address when an IP address is input in the input step;
An acquisition step of newly acquiring the MAC address of the external device corresponding to the input IP address based on a response to the command transmitted in the transmission step;
A registration step of registering the MAC address acquired in the acquisition step in a storage unit;
When receiving information from an external device via the communication line, a determination step of determining whether or not the MAC address of the external device that transmitted the information is stored in the storage unit;
Depending on the result of the determination in the determination step, a filter control step for rejecting or permitting communication with the external device that has transmitted the information,
A method for controlling a communication apparatus, comprising: A method for controlling a communication apparatus, comprising a history storage means capable of communicating with an external device via a communication line, and storing history information relating to communication performed via the communication line,
An input step of inputting an IP address of an external device to be refused or permitted to communicate with the communication device;
Obtaining a new MAC address of the external device corresponding to the input IP address by referring to the history information stored in the history storage unit based on the IP address input in the input step Process,
A registration step of registering the MAC address acquired in the acquisition step in a storage unit;
When receiving information from an external device via the communication line, a determination step of determining whether or not the MAC address of the external device that transmitted the information is stored in the storage unit;
Depending on the result of the determination in the determination step, a filter control step for rejecting or permitting communication with the external device that has transmitted the information,
A method for controlling a communication apparatus, comprising: A program for causing a computer to execute the communication device control method according to claim 4 or 5.

Images