09-12-2004 09:11 PM
Blocking of a server from another on same segment
I have 2 segments, each with several servers, and isolated from each other using ACLs on the router.
Now, I need to perform a test for which I need 1 server from Segment A to be accessible to one or more servers from Segment B. This I have got my networking team to do.
Also, I need this server to be isolated from one or more servers from the same segment, i.e. Segment A.
Since they are from the same segment, I understand there is no networking equipment involved in any reconfiguration. So, I believe there must be some reconfig done on the OS.
BTW, I still require access from other segments (e.g. my PC) to the servers.
Hope someone can help enhance my knowledge, thanx.
Rgds,
Shahril
09-12-2004 09:19 PM
Re: Blocking of a server from another on same segment
inetd.sec - optional security file for inetd
man inetd.sec
Regards
Rainer
09-12-2004 09:56 PM
Re: Blocking of a server from another on same segment
I looked at inetd.sec before, but what service do I specify? Do I have to specify everything that is listed in /etc/services?
As I understand, there is no wildcard option for the service column.
Rgds,
Shahril
09-12-2004 10:18 PM
Re: Blocking of a server from another on same segment
As an alternative for your needs you might look at IPFilter from HP, which comes for free:
http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B9901AA
Regards
Rainer
09-12-2004 11:03 PM
Re: Blocking of a server from another on same segment
Thanx for the link to IPFilter.
Unfortunately, this is not a viable solution for me now as I do not have the luxury of a reboot at this time. Also, there are a few patch dependencies, for which I have yet to check whether I am short.
In any case, this seems quite a sizeable task given the short duration of the test I wanted to conduct.
Hope you can think of some other simpler solution.
My last resort is to conduct the test past midnight.
Rgds,
Shahril
09-13-2004 12:29 AM
Re: Blocking of a server from another on same segment
i.e.
route add
this way, server A will try to connect to server B using the gateway
This invalid gateway might be some not used IP-Address on your network.
Give this a try, but don't blame me for this 'dirty' solution.
Regards
Rainer
09-13-2004 01:06 PM
Re: Blocking of a server from another on same segment
I would call your idea a creative one, not a dirty one.
Anyway, (now correct me if I am wrong) if this is done on Server A, it would merely block access _from_ Server A _to_ Server B. Packets can still travel _from_ Server B _to_ Server A.
If so, in order to prevent data _from_ Server B to accidentally reach Server A, I would have to change the routing table entries in Server B, right? And supposing I have tens of servers like Server B, I would have to do this tens of times.
In any case, I would prefer no changes on Server B, but only on Server A.
Well, your creativity may have rubbed off on me a bit. Well, it's not really that creative, but could you help me assess how viable it would be if I simply change the IP address on Server A to something else? Are there any side-effects I failed to identify?
Hope you can help because my networking skills are still not up to par.
Rgds,
Shahril
09-14-2004 11:14 AM
Re: Blocking of a server from another on same segment
Rainer's solution should work for you if:
a. You do not have dead gateway detection turned on (on by default in 11.0).
This you can turn off with
ndd -set /dev/ip ip_ire_gw_probe 0
b. The data you are worried about is TCP.
If A cannot reply to B then TCP cannot establish a connection, so no data can pass between them. If we are talking about UDP then it will receive data from B but won't reply.
c. You add a metric of 1 after the route statement. Otherwise it will either refuse the route or ARP for the MAC of B and get it. The 1 will tell it that the gateway is external to itself, so it ARPs for the gateway's address and fails.
d. HP-UX does not ignore your route. In theory the best match should be used, but I've never tried it. It does work on a Cisco router though.
If you change the address of A then no one can talk to it unless you tell the DNS, and then everybody including B will find it. (If the data is UDP broadcast then it won't matter what IP address it has.) Better to just unplug the network cable for the duration of the test, or log on to the switch and shut down A's port or put it in a different VLAN. If you had one of the HP switches with the Isolated Port Group feature you could use that feature to split them apart.
Ron
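An added example (not code from this thread) that models why Rainer's bogus-gateway host route only isolates Server A under the conditions Ron lists. It assumes a simplified HP-UX 11 behaviour: a host route with metric 0 means the gateway is the local interface (the kernel ARPs for the destination itself), metric 1 or more makes it ARP for the gateway instead, and dead gateway detection (ip_ire_gw_probe=1) falls back to the next-best route when the gateway never answers. All addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    dest: ipaddress.IPv4Network    # prefix this route covers
    gateway: ipaddress.IPv4Address
    metric: int                    # 0 = gateway is the local interface, >=1 = remote gateway


class HpuxHost:
    """Server A's routing/ARP behaviour as described in the thread (simplified model)."""

    def __init__(self, addr, prefixlen, segment_neighbours, gw_probe=1):
        self.addr = ipaddress.IPv4Address(addr)
        net = ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)
        # Hosts that exist on the segment and will answer ARP (constructed sample set)
        self.arp_responders = {ipaddress.IPv4Address(n) for n in segment_neighbours}
        self.gw_probe = gw_probe                  # ndd ip_ire_gw_probe: 1 = dead gateway detection on
        self.routes = [Route(net, self.addr, 0)]  # the connected interface route

    def route_add(self, dest, gateway, metric):
        """Equivalent of: route add host <dest> <gateway> <metric> (hypothetical model)."""
        self.routes.append(Route(ipaddress.IPv4Network(dest),
                                 ipaddress.IPv4Address(gateway), metric))

    def lookup(self, dest):
        """Longest-prefix match, so a /32 host route beats the interface route."""
        dest = ipaddress.IPv4Address(dest)
        matches = [r for r in self.routes if dest in r.dest]
        return max(matches, key=lambda r: r.dest.prefixlen)

    def arp_target(self, dest):
        """Which address the kernel must resolve before it can send to dest."""
        r = self.lookup(dest)
        return ipaddress.IPv4Address(dest) if r.metric == 0 else r.gateway

    def can_reach(self, dest):
        """True if a frame can actually be put on the wire towards dest."""
        r = self.lookup(dest)
        if self.arp_target(dest) in self.arp_responders:
            return True
        if self.gw_probe and r.metric > 0:
            # Dead gateway detection: the unanswered gateway is declared dead and the
            # next-best route (the interface route) is used, which defeats the trick.
            self.routes.remove(r)
            return self.can_reach(dest)
        return False
```

Run it with gw_probe=0 and a metric-1 route to an unused address and Server B becomes unreachable while other peers on the segment still are; with metric 0 or gw_probe=1 the route is bypassed.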
09-14-2004 12:26 PM
Re: Blocking of a server from another on same segment
Thanx for your tips, I will try it out.
As for the address change, of course I will use explicit IP addresses for connections and not even use /etc/hosts.
I will find out more about VLANs too.
Rgds,
Shahril
09-14-2004 02:55 PM
Re: Blocking of a server from another on same segment
What I have eventually done is to turn off DNS via /etc/nsswitch.conf, and comment out the entry for Server A in /etc/hosts of Server B.
I will leave this thread open for your further comments and suggestions for the time being.
Rgds,
Shahril
PS: The rest of the points will come in after I finish my tests.