topic Re: Blocking an IP address in Operating System - OpenVMS

Blocking an IP address

Jack Trachtman — Mon, 02 Jan 2006 18:45:24 GMT

TCPIP V5.4 ECO 5

We have a simple TCPIP setup with no
routing or DNS enabled.

I would like to be able to dynamically
block Telnet access from a particular host.
By "dynamic", I mean that most of the time
that host would be allowed connect, but
occassionaly for a few hours that host would
not be allowed to connect (preferably with
no host response at all).

Suggestions? Thanks

Re: Blocking an IP address

Thomas Ritter — Mon, 02 Jan 2006 18:53:44 GMT

Wanting to block "dynamically" presents a problem with UCX. You need to stop, configure and restart and thereby affecting other connections. Firewalls are best for this type of activity. By stopping Telnet is it just a specific user you want to block or all Telnet access from that host. They still need VMS accounts to login. Maybe some SYSUAF restrictions, disuser, logintime restrictions ?

Re: Blocking an IP address

Thomas Ritter — Mon, 02 Jan 2006 19:06:04 GMT

Under UCX 5.4 you can modify the telnet service attributes by way of:

SET SERVICE Subtopic? /reject

SET

SERVICE

/REJECT

/REJECT {=[NO]HOSTS=(hosts) |=[NO]NETWORKS=(networks)
|=[NO]MESSAGE="text"] }

Optional. Default: No rejections if /ACCEPT is set to its default
(service all hosts).

o /REJECT=HOST=host denies host access to the service.

o /REJECT=NOHOST=host regrants host access to the service.

The following options are available.

Option Meaning

HOSTS=hosts Makes the service unavailable to the specified
hosts.

Maximum is 32.

Examples:

/REJECT=HOSTS=(host1_name,host2_name, host3_
address)

/REJECT=HOSTS=*

Maybe useful.

Re: Blocking an IP address

Ian Miller. — Tue, 03 Jan 2006 09:38:18 GMT

SET SERVICE TELNET/REJECT works but you have to disable and enable the service to make the change affective which disconnects all active connection. This may be an issue.

Re: Blocking an IP address

Don Nutt — Wed, 04 Jan 2006 09:46:22 GMT

Why not just add and delete a route to a black hole. By adding in the dynamic routing database it would would be lost during any reboot and not be maintained by the permanent routing datab ase. This would stop all IP connections from the affected client.

Since VMS does no support the route prohibit command, I have tried and used the following syntax. Target IP to prevent access=192.168.1.1

TCPIP> set route 192.168.1.1 /gateway=127.0.0.1

TCPIP> set noroute 192.168.1.1 /noconfirm

This prevents the target IP access over the physical IP connection. I know it is not the most elegant of solutions, however it has been effective for us.

Don

Re: Blocking an IP address

Wim Van den Wyngaert — Wed, 04 Jan 2006 10:14:26 GMT

Don,

He did mention telnet, not all traffic ...

Wim

Re: Blocking an IP address

Don Nutt — Thu, 05 Jan 2006 09:47:33 GMT

Wim,

I realize that he stated Telnet only. However, if it is the one client, perhaps blocking the one client "with out" bouncing all the rest of the connections might be an alternative solution.

I rather provide the solution I chose than keep to myself and not help someone else out who might be folling the thread.

Don

Re: Blocking an IP address

Jan van den Ende — Thu, 05 Jan 2006 13:49:11 GMT

Jack,

from your Forum Profile:

I have assigned points to 290 of 315 responses to my questions.

This even includes 2004 threads.

Maybe you can find some time to do some assigning?

http://forums1.itrc.hp.com/service/forums/helptips.do?#33

Mind, I do NOT say you necessarily need to give lots of points. It is fully up to _YOU_ to decide how many. If you consider an answer is not deserving any points, you can also assign 0 ( = zero ) points, and then that answer will no longer be counted as unassigned.
Consider, that every poster took at least the trouble of posting for you!

To easily find your streams with unassigned points, click your own name somewhere.
This will bring up your profile.
Near the bottom of that page, under the caption â My Question(s)â you will find â questions or topics with unassigned points â Clicking that will give all, and only, your questions that still have unassigned postings.

Thanks on behalf of your Forum colleagues.

PS. â nothing personal in this. I try to post it to everyone with this kind of assignment ratio in this forum. If you have received a posting like this before â please do not take offence â none is intended!

Proost.

Have one on me.

jpe

Re: Blocking an IP address

Jan van den Ende — Thu, 05 Jan 2006 13:57:33 GMT

Wim,

I find Don's answer quite useful for this type of problem. And it depends as much on the exact problem of the original topic whether his answer in this case IS the solution, or not.
I would rather get 3 -more-or-less-appropriate answers, of which one hits the bull's eye, than NOT getting the answers, because my understanding and/or my wording of the problem were next exact enough!

just my EUR 0,02

Proost.

Have one on me.

jpe

Re: Blocking an IP address

Sebastian Bazley — Fri, 06 Jan 2006 12:12:45 GMT

Don:

Surely routing is only applied to outgoing connections, so would not stop the incoming telnet connections?

Re: Blocking an IP address

Don Nutt — Fri, 06 Jan 2006 13:38:27 GMT

Sebastian,

Since we are modifying the gateway for the client IP, we would only accept them on the specified gateway and not the default gateway.

We use specific gateway routing on one our systems sitting on a firewall. It is dual homed and not gated. Since Internal IP's would go out the firewall and then back into the server, we actually specfify the route to WE1 on /24 and /25 networks. Here is an example (I attached a txt file).

When specifing a client to the gatway of 127.0.0.1 (you have to use valid addresses for the command to take), you are esentially telling the host to not look and respond to any requests from the client other than on the specified gateway, in this case loopback (localhost). Since it is theoretically impossible for an exploit to compromise the integrity of OpenVMS by doing this, you have essentially blackholed the client from the server both inbound and outbound. As you can see that the routing rule of 172.20.78.0/25 was superseded as well. If you are uncomfortable using loopback, specify the gateway as a 3rd valid host that could not route the client. I have used 127.0.0.1 and 127.0.0.0 succesfully.

This was the easiest solution that allowed easy implementation from DCL without any potential user intervention.

Try it.

Don

Re: Blocking an IP address

Jack Trachtman — Mon, 06 Aug 2007 12:11:27 GMT

Thanks all