topic Re: Restricting Advanced Server/Pathworks to one LAN in Operating System - OpenVMS

Restricting Advanced Server/Pathworks to one LAN

Derek Garson — Tue, 04 Apr 2006 19:00:46 GMT

My Alpha has two ethernet controllers, EIA0 and EIB0. The two LANs in question have quite separate requirements and uses and I require Pathworks only to be accessible on EIA0.

I have defined PWRK$KNBDAEMON_DEVICE and _IPADDR, and the PWRK$KNBDAEMON_xxxxxx.LOG file appears to show it doing the right thing but

a) I can see that Pathworks has bound to port 139 on "all interfaces", and

b) I really can Map Network Drive from a PC connected to the second LAN (which will then show an established TCP/IP connection for port 139 on the second interface).

Log file referred to above shows

Tue Apr 4 21:31:09 2006 get_phys_addr: PWRK$KNBDAEMON_DEVICE is set to EIA0:
Tue Apr 4 21:31:09 2006 get_phys_addr: EIA2: PH Address: AA-00-04-XX-XX-XX
Tue Apr 4 21:31:09 2006 get_ip_addr: PWRK$KNBDAEMON_IPADDR is 192.168.1.X
Tue Apr 4 21:31:09 2006 IP Address: 192.168.1.X
Tue Apr 4 21:31:09 2006 ip_brdcst_address : 192.168.1.255

192.168.1.* is the first LAN and 192.168.2.* is the second LAN.

PROD SHOW PROD suggests that I am running Advanced Server 7.3-A4, which based on my reading should be a version good enough to have this functionality working.

Any hints as to whether I am misunderstanding how this is supposed to work / doing something wrong?

Re: Restricting Advanced Server/Pathworks to one LAN

David B Sneddon — Wed, 05 Apr 2006 02:06:06 GMT

Derek,

What are the IP addresses and network masks of
the two interfaces?

Dave

Re: Restricting Advanced Server/Pathworks to one LAN

Derek Garson — Wed, 05 Apr 2006 18:13:02 GMT

Subnet masks are both 255.255.255.0 and host is .2 in each subnet.

PS Forgot to mention ... VMS version is V7.3-2 and IP implementation is MultiNet V5.0 Rev A-X.

Re: Restricting Advanced Server/Pathworks to one LAN

Jiri_5 — Thu, 06 Apr 2006 04:25:55 GMT

Problem maybe in Advanced Server as such, it is listen on *.139

Jiri

Re: Restricting Advanced Server/Pathworks to one LAN

Paul Nunez — Thu, 06 Apr 2006 07:18:29 GMT

Hi Derek,

There's no way in Advanced Server to restrict which interfaces it listens on. Perhaps there's some way to block access to UDP ports 137 and 138 and TCP port 139 on a specific interface with Multinet.?. Of course, a firewall could be employed as well.

The pwrk$knbdaemon logicals control which interface address Advanced Server sends back in response to name queries it receives. For example, if you have interfaces A and B and pwrk$knbdaemon "binds" to interface A, when a client sends a NetBIOS name query to Advanced Server (regardless of which interface it arrives on), in the response Advanced Server will indicate the Advanced Server's IP address is the address to which knbdaemon is bound - interface A in this example. Note this will only occur for clients which are on one of the subnets that the Advanced Server is on and only when such clients use broadcasts (rather than WINS or DNS) to resolve a name.

HTH,

Paul

Re: Restricting Advanced Server/Pathworks to one LAN

Derek Garson — Tue, 11 Apr 2006 20:13:18 GMT

Thanks for the explanation. A pity that I can't do what I want to do.

>Perhaps there's some way to block access to UDP ports 137 and 138 and TCP port 139 on a specific interface with Multinet?

Yes, there is. We will probably do that. There may be a modest performance loss in enabling that functionality. And in some respects we would prefer to have defence in depth i.e. both stop Pathworks listening where it shouldn't be listening *and* enable packet filtering on the restricted interface.

However there is a short-term reason not to do this that will become the subject of the next thread. (-:

>Of course, a firewall could be employed as well.

Yes, we could do that too (install a separate firewall). That would be somewhat disruptive though.

In fact we thought we were using the Alpha as something of a firewall in its own right i.e. separating the two subnets and controlling traffic between them, but Pathworks is at least in part defeating us.

Re: Restricting Advanced Server/Pathworks to one LAN

Paul Nunez — Thu, 01 Jun 2006 10:41:21 GMT

I posted a reply to the other thread at:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1019004

that describes how to get Samba and Advanced Server running simultaneously on the same server...

Paul