https://community.hpe.com/t5/operating-system-hp-ux/restricting-network-access-on-two-lan-cards/m-p/2759052#M583428 It's correct that inetd.sec does not support "per interface" filtering, but it works for me because I know what subnets are are connected to this lan card.<BR /><BR />So I did in inetd.sec:<BR /><BR />telnet deny 10.*<BR />http deny 193.*<BR /><BR />This enables me to block telnet requests arriving at lan card 10.43.181.222 and http requests arriving at 193.16.33.253<BR /><BR />But I'll have a look at your recomended links.<BR /><BR />Regards<BR />Rainer<BR /><BR /><BR /><BR /> <BR /> <BR /> Tue, 09 Jul 2002 14:12:58 GMT Rainer von Bongartz 2002-07-09T14:12:58Z https://community.hpe.com/t5/operating-system-hp-ux/restricting-network-access-on-two-lan-cards/m-p/2759047#M583423 <BR />My hosts uses multiple lan cards with ip addresses in different networks<BR /><BR />lan0 : ip a.b.c.d<BR />lan1: ip w..x.y.z<BR /><BR />can I restrict different network access to this addresses, i.e. telnet should be allowed to a.b.c.d only while http should only be allowed to w.x.y.z<BR /><BR />Regards<BR />Rainer<BR /><BR /> Mon, 08 Jul 2002 06:04:21 GMT https://community.hpe.com/t5/operating-system-hp-ux/restricting-network-access-on-two-lan-cards/m-p/2759047#M583423 Rainer von Bongartz 2002-07-08T06:04:21Z https://community.hpe.com/t5/operating-system-hp-ux/restricting-network-access-on-two-lan-cards/m-p/2759048#M583424 Hi Rainer,<BR /><BR />You can restrict the traffic from your apache web server to certain IP's from within your apache httpd.conf file. Have a look here for <BR />virtual hosts.<BR /><A href="http://httpd.apache.org/docs/misc/FAQ.html" target="_blank">http://httpd.apache.org/docs/misc/FAQ.html</A><BR /><BR />If you wish to restrict telnet you will need to use something like ssh and have telnet turned off. <BR /><BR />Michael Mon, 08 Jul 2002 06:45:42 GMT https://community.hpe.com/t5/operating-system-hp-ux/restricting-network-access-on-two-lan-cards/m-p/2759048#M583424 Michael Tully 2002-07-08T06:45:42Z https://community.hpe.com/t5/operating-system-hp-ux/restricting-network-access-on-two-lan-cards/m-p/2759049#M583425 you can also look at inetd.sec: try man inetd.sec<BR /><BR /><BR />inetd.sec(4) inetd.sec(4)<BR /><BR /> NAME<BR /> inetd.sec - optional security file for inetd<BR /><BR /> DESCRIPTION<BR /> When inetd accepts a connection from a remote system, it checks the<BR /> address of the host requesting the service against the list of hosts<BR /> to be allowed or denied access to the specific service (see<BR /> inetd(1M)). The file inetd.sec allows the system administrator to<BR /> control which hosts (or networks in general) are allowed to use the<BR /> system remotely. This file constitutes an extra layer of security in<BR /> addition to the normal checks done by the services. It precedes the<BR /> security of the servers; that is, a server is not started by the<BR /> Internet daemon unless the host requesting the service is a valid host<BR /> according to inetd.sec.<BR /><BR /><BR /><BR /> Mon, 08 Jul 2002 07:09:55 GMT https://community.hpe.com/t5/operating-system-hp-ux/restricting-network-access-on-two-lan-cards/m-p/2759049#M583425 Scott Van Kalken 2002-07-08T07:09:55Z https://community.hpe.com/t5/operating-system-hp-ux/restricting-network-access-on-two-lan-cards/m-p/2759050#M583426 ok , the simplest way is indeed inetd.sec<BR />just add a line like :<BR /><BR /><BR />telnet allow ip-range<BR /><BR />http allow ip-range <BR /><BR />will effectively block any incomming request on that process to ip adresses comming from a different ip range , the allow hold an implicit deny any other range will be refused , however if you also want to prevent outgoing telnets (I don't think that is the case) you need a firewall type of applications which closes of the socket for telnet and http for defined ranges in outgoing traffic Mon, 08 Jul 2002 08:13:38 GMT https://community.hpe.com/t5/operating-system-hp-ux/restricting-network-access-on-two-lan-cards/m-p/2759050#M583426 sven verhaegen 2002-07-08T08:13:38Z https://community.hpe.com/t5/operating-system-hp-ux/restricting-network-access-on-two-lan-cards/m-p/2759051#M583427 I don't think inetd.sec supports "per interface" filtering. httpd.conf virtual address setup is rather arcane, and won't meet your telnet need, as noted.<BR /><BR />To have the box self-defend, you'll probably need a package like IPF (<A href="http://coombs.anu.edu.au/~avalon/ip-filter.html)" target="_blank">http://coombs.anu.edu.au/~avalon/ip-filter.html)</A><BR />or you might be able to do what you want with TCPWrappers<BR />(<A href="ftp://ftp.porcupine.org/pub/security)" target="_blank">ftp://ftp.porcupine.org/pub/security)</A><BR />Depending on what sort of router you have, the easiest thing to do might be to have the router do the filtering. Tue, 09 Jul 2002 13:59:21 GMT https://community.hpe.com/t5/operating-system-hp-ux/restricting-network-access-on-two-lan-cards/m-p/2759051#M583427 W.C. Epperson 2002-07-09T13:59:21Z https://community.hpe.com/t5/operating-system-hp-ux/restricting-network-access-on-two-lan-cards/m-p/2759052#M583428 It's correct that inetd.sec does not support "per interface" filtering, but it works for me because I know what subnets are are connected to this lan card.<BR /><BR />So I did in inetd.sec:<BR /><BR />telnet deny 10.*<BR />http deny 193.*<BR /><BR />This enables me to block telnet requests arriving at lan card 10.43.181.222 and http requests arriving at 193.16.33.253<BR /><BR />But I'll have a look at your recomended links.<BR /><BR />Regards<BR />Rainer<BR /><BR /><BR /><BR /> <BR /> <BR /> Tue, 09 Jul 2002 14:12:58 GMT https://community.hpe.com/t5/operating-system-hp-ux/restricting-network-access-on-two-lan-cards/m-p/2759052#M583428 Rainer von Bongartz 2002-07-09T14:12:58Z