topic Re: Blocking Network Access in Operating System - HP-UX

Blocking Network Access

Manjunath Shastry — Fri, 06 Jun 2003 09:18:19 GMT

Hi Gurus,

I have Two HP-UX 11.0 Hosts on the same subnet. I have a task at hand which is to deny all network access to each other. I should not even be able to ping to each other. How do I acheieve this.

Your suggestions would be appreciated.

Re: Blocking Network Access

Stefan Farrelly — Fri, 06 Jun 2003 09:27:35 GMT

Is not going to be easy to do at all on the HP end. Far simpler to get it changed on the switch/router end where both HP servers are plugged into, a simple config command here can block each server from each other.

Re: Blocking Network Access

V.Tamilvanan — Fri, 06 Jun 2003 09:31:11 GMT

Hi,
You can restrict all inetd related tcp services by creating /var/adm/inetd.sec and put the required entries inside the file.
See man inetd.sec.
By creating /etc/ftpusers file restrict ftp.
See man ftpusers
But ping works in layer 3 . I don't thing we can disable ping with default OS.
You will be requiring any external software or arrangements in Network switch.
HTH

Re: Blocking Network Access

Massimo Bianchi — Fri, 06 Jun 2003 09:54:45 GMT

Hi,
what exactly do you want to block ? What do you want to allow ?

Others suggested many ways...

If they must be prevented one from the other, you could think of a particolar route, just with the host and, as a destination, a host that does not exists.

It's just an idea... don't know if applicable.

HTH,
Massimo

Re: Blocking Network Access

V. V. Ravi Kumar_1 — Fri, 06 Jun 2003 10:24:54 GMT

Hi,

i think it is possible if u install TCP wrappers and disable as many services by configuring it.

Regards

Re: Blocking Network Access

Bill Douglass — Fri, 06 Jun 2003 11:11:15 GMT

I agree that the better solution would be at the network infrastructure level (switches, VLANs). But if you must do this at the host level, try HP's implementation of IP Filter

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B9901AA

You can get very fine-grained control over what hosts/protocols are allowed through.

Re: Blocking Network Access

Chris Vail — Fri, 06 Jun 2003 12:55:55 GMT

I concur with the others that this is going to be difficult using HPUX resources only. Your best bet would be to disconnect one, t'other, or both from the network altogether! TCP wrappers, properly configured will get you closest to this goal. But best and easiest way to do this is to get a managed switch or router (we use Cisco) and let the net nazis do the thing that delights them the most--turn off access.

Chris

Re: Blocking Network Access

Sridhar Bhaskarla — Fri, 06 Jun 2003 13:03:06 GMT

Hi Manjunath,

At the best you can do is to control the services using /var/adm/inetd.sec.

If you do not want even one server to ping to other, then you will need to put one of them in a different subnet through a router and configure the accesslists on the router.

-Sri

Re: Blocking Network Access

Mike Miller_8 — Fri, 06 Jun 2003 13:15:02 GMT

The simplest approach is often the best approach.

Block the access at the network level.

= Mike =

Re: Blocking Network Access

Shannon Petry — Fri, 06 Jun 2003 13:32:44 GMT

Arp may be your friend. You can add a bogus arp entry which will cause complete failure at the network level for the 2 sytems to communicate.

inetd.sec only secures internet protocols, and does not filter/block an IP.

The syntax to use is

arp -s

Now, since you can use arp to list the current tables, you can easily remap.

arp -a

router (172.20.106.254) at 0:50:73:f6:ec:c0 ether
masterc (172.20.106.150) at 0:e0:81:21:30:8b ether

To remap, I want to give the same MAC a bogus address

arp -d 172.20.106.150
arp -s 172.20.106.198 0:e0:81:21:30:8b

Now, as long as Im in the same subnet, this is allowed. The original host IP can still be pinged, but I can not ping 172.20.106.198. So unless I know the IP Im trying to reach, I cant find it. If my /etc/hosts table indicated that the host was using the 198 address, Im okay.

It is not nearly the same as a firewall or router completely blocking an IP, which is the best way to go, but it may let you fudge things a bit ;)

Regards,
Shannon

Re: Blocking Network Access

Zeev Schultz — Fri, 06 Jun 2003 14:26:25 GMT

Can use IPfilter as it can check the ICMP (ping) messages & works on layer 3 (IP/network).Also some chances with IPsec probably to use it as firewall.
You create an ACL / rule in IPfilter to block
ICMP protocol (inbound and outbound) btw 2 hosts.
Both IPfilter & IPsec are free of charge.
Here (ipfilter)
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B9901AA

Zeev

Re: Blocking Network Access

Massimo Bianchi — Fri, 06 Jun 2003 14:39:12 GMT

Thanks Shannon,
then my guess can come true !

Massimo

Re: Blocking Network Access

Zeev Schultz — Fri, 06 Jun 2003 14:39:27 GMT

In addition to my previous reply (no points please) - read herehttp://www.docs.hp.com/hpux/onlinedocs/B9901-90009/B9901-90009.html
For example to allow ping and traceroute to your host write following rules:
pass in quick on lan0 proto icmp from any to 20.20.20.0/24 icmp-type 0
pass in quick on lan0 proto icmp from any to 20.20.20.0/24 icmp-type 11
That means icmp-type 0 for ping and type 11 for
traceroute.
Looks nice.

Zeev

Re: Blocking Network Access

Manjunath Shastry — Mon, 09 Jun 2003 13:44:13 GMT

Hi Gurus,

I tried with arp, hosts.deny, hosts.allow and inetd.sec and have failed. I have decided to give a try with tcpwrappers.

Let me hope for the best.

Regards,
Manjunath.

Re: Blocking Network Access

rick jones — Mon, 09 Jun 2003 16:53:06 GMT

I like the idea to put bogus ARP entries in _BOTH_ systems - simple and clever. That it appears to have failed is surprising to me - perhaps the systems were rebooted and there was no script to add-back the ARP stuff. That, or perhaps while the two systems are connected to the same switch fabric, they are not in the same _IP_ subnet? In that case, the comms would go through a router and it would be the router's IP to MAC translation being used.

Taking the ARP idea one step higher in the protocol stack, one could also try adding a specific host route on _each_ of the two systems that pointed to some non-existant IP address as a gateway (remember to use a metric of 1 in the route command and add it to the /etc/rc.config.d/netconf file.)

The one drawback to both the ARP and routing hacks is that they only work for IP. They will not preclude link-level (layer 2) connectivity between the two hosts.

The problem with TCP wrappers (and inetd.sec) is that only those things configured to use them will be affected. There will still be TCP, IP and Link-level connectivity between the two systems. Also, ping is not affected by inetd.sec, and I doubt by TCP wrappers.

That takes things back to either ipfilter, or settings in the switches. As there is often an unfortunate "firewalling" of the sysadmins from the network admins, if you are a sysadmin, it may be easier to install and configure ipfilter than to get the network admins to setup whatever the switches can do for MAC address filtering.

Re: Blocking Network Access

Shannon Petry — Mon, 09 Jun 2003 16:57:31 GMT

Maybe Rick can give an answer to this one....

Solaris and Linux have a nice feature built into the route command. They both accept...

route add "host_to_block" 0.0.0.0 0

It's such a simple method of blocking that it's used by some of the monitors (I use netwatch).

It's obvious from this thread that HP does not have an equivalant, but can we perhaps prod the dev's for something like it?

Regards,
Shannon

Re: Blocking Network Access

rick jones — Mon, 09 Jun 2003 17:57:53 GMT

I have confirmed that trying to route a host through 0.0.0.0 does not "work" on HP-UX 11i. Probably runs afould of the "next hop must be local" stuff. Nor does trying to route to 127.0.0.1, or an IP aliases to lo0.

A private IP aliased to the real interface could be used to allow the route to a bogus router IP if one didn't have a situation where there was a known to be unused local IP address.

I suppose that if enough folks filed ER's for a route to 0.0.0.0 blocking all IP access to a host it would be fine. That of course still does not deal with the issue of link-level connectivity, but I could see where it would be useful, and easier to do than ipfilter.

Re: Blocking Network Access

Caesar_3 — Mon, 09 Jun 2003 18:42:56 GMT

Hello!

You can install firewall on one or
both stations or put firewall between
the two stations.
The you could control all the network
for them.

Caesar