Operating System - HP-UX

Blocking of a server from another on same segment

Shahril M
Frequent Advisor

Blocking of a server from another on same segment

Hi folks,

I have 2 segments, each with several servers, and isolated from each other using ACLs on the router.

Now, I need to perform a test for which I need 1 server from Segment A to be accessible to one or more servers from Segment B. This I have got my networking team to do.

Also, I need this server to be isolated from one or more servers from the same segment, i.e. Segment A.

Since they are from the same segment, I understand there is no networking equipment involved in any reconfiguration. So, I believe there must be some reconfig done on the OS.

BTW, I still require access from other segments (eg. my PC) to the servers.

Hope someone can help enhance my knowledge, thanx.


Rgds,
Shahril
Rainer von Bongartz
Honored Contributor

Re: Blocking of a server from another on same segment

take a look at inetd.sec

inetd.sec - optional security file for inetd

man inetd.sec

Regards
Rainer
He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
Shahril M
Frequent Advisor

Re: Blocking of a server from another on same segment

Hi Rainer,

I looked at inetd.sec before, but what service do I specify? Do I have to specify everything that is listed in /etc/services?

As I understand, there is no wildcard option for the service column.


Rgds,
Shahril
Rainer von Bongartz
Honored Contributor

Re: Blocking of a server from another on same segment

right, you can't use wildcards for the services

as an alternative to your needs you might look at IPFilter from HP, which comes for free

http://software.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B9901AA

Regards
Rainer
He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
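Rainer's inetd.sec suggestion and Shahril's follow-up (no service wildcard, so every service must be listed), as an added example that is not from the thread: a POSIX sh helper that derives one "service deny host" line per enabled entry of an inetd.conf. The sample inetd.conf content and the blocked address 10.1.1.5 are constructed; the function name is mine.

```shell
#!/bin/sh
# Added example, not from the thread. inetd.sec takes one
# "<service> allow|deny <hosts>" line per service and has no service wildcard,
# so blocking one host means a deny line for every inetd service. This derives
# that list from the enabled entries of an inetd.conf.
# Limit: inetd.sec only covers services started by inetd; standalone daemons
# such as sshd are not affected by it.

# Constructed sample inetd.conf (not copied from any real host).
SAMPLE_INETD_CONF='# comment line
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
#finger stream tcp nowait bin  /usr/lbin/fingerd fingerd
login   stream tcp nowait root /usr/lbin/rlogind rlogind
shell   stream tcp nowait root /usr/lbin/remshd  remshd
echo    stream tcp nowait root internal
echo    dgram  udp wait   root internal
rpc stream tcp nowait root /usr/sbin/rpc.rexd 100017 1 rpc.rexd'

# Read inetd.conf on stdin; print one inetd.sec deny line per enabled service.
# $1 = host address (or network) to deny, in the form inetd.sec accepts.
gen_inetd_sec_deny() {
    awk -v host="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        $1 == "rpc" { next }                # RPC entries use another naming; see man inetd.sec
        !seen[$1]++ { printf "%s deny %s\n", $1, host }  # tcp+udp pairs get one line
    '
}

# On a real host: gen_inetd_sec_deny 10.1.1.5 < /etc/inetd.conf
# Review the output, merge it with any existing line for the same service,
# then append it to /etc/inetd.sec.
printf '%s\n' "$SAMPLE_INETD_CONF" | gen_inetd_sec_deny 10.1.1.5
```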
Shahril M
Frequent Advisor

Re: Blocking of a server from another on same segment

Hi Rainer,

Thanx for the link to IPFilter.

Unfortunately, this is not a viable solution for me now as I do not have the luxury of a reboot at this time. Also, there are a few patch dependencies, for which I have yet to check whether I am short.

In any case, this seems quite a sizeable task given the short duration of the test I wanted to conduct.

Hope you can think of some other simpler solution.

My last resort is to conduct the test past midnight.


Rgds,
Shahril
Rainer von Bongartz
Honored Contributor

Re: Blocking of a server from another on same segment

you could try to specify invalid routes on Server A, so that Server A cannot talk to Server B.

i.e.

route add

This way, Server A will try to connect to Server B using the gateway and will fail. So you get A temporarily blocked from B.

This invalid gateway might be some not used IP address on your network.

Give this a try but don't blame me for this 'dirty' solution.

Regards
Rainer
He's a real UNIX Man, sitting in his UNIX LAN making all his UNIX plans for nobody ...
Shahril M
Frequent Advisor

Re: Blocking of a server from another on same segment

Hi Rainer,

I would call your idea a creative one, not a dirty one.

Anyway, (now correct me if I am wrong) if this is done on Server A, it would merely block access _from_ Server A _to_ Server B. Packets can still travel _from_ Server B _to_ Server A.

If so, in order to prevent data _from_ Server B to accidentally reach Server A, I would have to change the routing table entries in Server B, right? And supposing I have tens of servers like Server B, I would have to do this tens of times.

In any case, I would prefer no changes on Server B, but only on Server A.

Well, your creativity may have rubbed off on me a bit. Well, it's not really that creative, but could you help me assess how viable it would be if I simply change the IP address on Server A to something else. Are there any side-effects I failed to identify?

Hope you can help because my networking skills are still not up to par.


Rgds,
Shahril
Ron Kinner
Honored Contributor

Re: Blocking of a server from another on same segment

Shahril,

Rainer's solution should work for you if

a. You do not have dead gateway detection turned on (on by default in 11.0)

This you can turn off with

ndd -set /dev/ip ip_ire_gw_probe 0

b. The data you are worried about is TCP.
If A cannot reply to B then TCP cannot establish a connection so no data can pass between them. If we are talking about UDP then it will receive data from B but won't reply.

c. You add a metric of 1 after the route statement. Otherwise it will either refuse the route or ARP for the MAC of B and get it. The 1 will tell it that the gateway is external to itself so it ARPs for the gateway's address and fails.

d. HPUX does not ignore your route. In theory the best match should be used but I've never tried it. It does work on a Cisco router tho.

If you change the address of A then no one can talk to it unless you tell the DNS and then everybody including B will find it. (if the data is UDP broadcast then it won't matter what IP address it has) Better to just unplug the network cable for the duration of the test or log on to the switch and shutdown A's port or put it in a different VLAN. If you had one of the HP switches with the Isolated Port Group feature you could use that feature to split them apart.

Ron
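Ron's checklist for Rainer's bogus-gateway route, as an added example that is not from the thread: a POSIX sh helper that validates the addresses (gateway on A's own subnet, distinct from A and B, B actually on A's segment) and prints the HP-UX commands plus their rollback for review instead of executing them. The addresses 10.1.1.5, 10.1.1.20, 10.1.1.250 and the /24 mask are constructed; the ndd and route invocations follow the thread and the HP-UX route(1M) form "route add host destination gateway count"; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the bogus "dead gateway"
# host route before applying it on Server A, and print the commands plus
# their rollback for review instead of executing them.
# Enforced: the gateway lies on A's own subnet and is neither A nor B, and B
# is actually on A's segment (otherwise the router ACL is the right tool).
# Not covered: the route blocks A -> B only; UDP from B still reaches A.

# Dotted quad to an unsigned integer, POSIX sh arithmetic only.
ip2int() {
    IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
    echo $(( o1 * 16777216 + o2 * 65536 + o3 * 256 + o4 ))
}

# Status 0 when $1 and $2 fall in the same subnet under netmask $3.
same_subnet() {
    m=$(ip2int "$3")
    [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

# $1 A's address, $2 netmask, $3 B's address, $4 unused address as gateway.
plan_blackhole() {
    a_ip=$1; mask=$2; b_ip=$3; gw=$4
    if [ "$gw" = "$a_ip" ] || [ "$gw" = "$b_ip" ]; then
        echo "error: gateway must differ from A and B" >&2; return 1
    fi
    same_subnet "$a_ip" "$gw" "$mask" ||
        { echo "error: $gw is not on A's subnet" >&2; return 1; }
    same_subnet "$a_ip" "$b_ip" "$mask" ||
        { echo "error: B is not on A's segment; filter at the router" >&2; return 1; }
    cat <<EOF
# record, then disable dead gateway detection so the route is not dropped
ndd -get /dev/ip ip_ire_gw_probe
ndd -set /dev/ip ip_ire_gw_probe 0
# host route to B via the unused address; count 1 marks the gateway remote,
# so A ARPs for $gw (which never answers) instead of for B
route add host $b_ip $gw 1
# rollback after the test; restore ip_ire_gw_probe to the recorded value
route delete host $b_ip $gw
EOF
}

# Constructed addresses: A = 10.1.1.5/24, B = 10.1.1.20, unused = 10.1.1.250
plan_blackhole 10.1.1.5 255.255.255.0 10.1.1.20 10.1.1.250
```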
Shahril M
Frequent Advisor

Re: Blocking of a server from another on same segment

Hi Ron,

Thanx for your tips, I will try it out.

As for the address change, of course I will use explicit IP addresses for connections and not even use /etc/hosts.

I will find out more about VLANs too.


Rgds,
Shahril
Shahril M
Frequent Advisor

Re: Blocking of a server from another on same segment

Hi Rainer, Ron and others,

What I have eventually done is to turn off DNS via /etc/nsswitch.conf, and comment out the entry for Server A in /etc/hosts of Server B.

I will leave this thread open for your further comments and suggestions for the time being.


Rgds,
Shahril
PS: the rest of the points will come in after I finish my tests