Operating System - OpenVMS
Jack Trachtman
Super Advisor

Blocking an IP address

TCPIP V5.4 ECO 5

We have a simple TCPIP setup with no
routing or DNS enabled.

I would like to be able to dynamically
block Telnet access from a particular host.
By "dynamic", I mean that most of the time
that host would be allowed to connect, but
occasionally for a few hours that host would
not be allowed to connect (preferably with
no host response at all).

Suggestions? Thanks
Thomas Ritter
Respected Contributor

Re: Blocking an IP address

Wanting to block "dynamically" presents a problem with UCX. You need to stop, configure and restart, thereby affecting other connections. Firewalls are best for this type of activity. By stopping Telnet, is it just a specific user you want to block, or all Telnet access from that host? They still need VMS accounts to log in. Maybe some SYSUAF restrictions: disuser, login time restrictions?

Thomas Ritter
Respected Contributor
Solution

Re: Blocking an IP address

Under UCX 5.4 you can modify the telnet service attributes by way of:

SET SERVICE Subtopic? /reject

SET

SERVICE

/REJECT

/REJECT {=[NO]HOSTS=(hosts) |=[NO]NETWORKS=(networks)
|=[NO]MESSAGE="text"] }

Optional. Default: No rejections if /ACCEPT is set to its default
(service all hosts).

o /REJECT=HOST=host denies host access to the service.

o /REJECT=NOHOST=host regrants host access to the service.

The following options are available.

Option         Meaning

HOSTS=hosts    Makes the service unavailable to the specified
               hosts.

               Maximum is 32.

               Examples:

               /REJECT=HOSTS=(host1_name,host2_name,host3_address)

               /REJECT=HOSTS=*


Maybe useful.
Ian Miller.
Honored Contributor

Re: Blocking an IP address

SET SERVICE TELNET/REJECT works, but you have to disable and enable the service to make the change effective, which disconnects all active connections. This may be an issue.
____________________
Purely Personal Opinion
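
Added example, not part of any post in this thread: a DCL command procedure that combines the /REJECT list from the accepted answer with the disable/enable step Ian Miller describes, and can queue its own unblock for a later time. The procedure name TELNET_BLOCK.COM, its parameters and the use of the default batch queue are assumptions.

```dcl
$! TELNET_BLOCK.COM  (added example; name and parameters are assumptions)
$! Usage: @TELNET_BLOCK BLOCK|UNBLOCK host [delta time for automatic unblock]
$!   e.g. @TELNET_BLOCK BLOCK 192.168.1.1 "+3:00:00"
$! Run from a suitably privileged account on TCPIP Services V5.4.
$ SET NOON
$ action = F$EDIT(P1, "UPCASE,TRIM")
$ host   = F$EDIT(P2, "TRIM")
$ qual   = ""
$ IF action .EQS. "BLOCK"   THEN qual = "HOSTS"
$ IF action .EQS. "UNBLOCK" THEN qual = "NOHOSTS"
$ IF qual .EQS. "" .OR. host .EQS. "" THEN GOTO usage
$!
$! Update the reject list of the TELNET service.
$ TCPIP SET SERVICE TELNET /REJECT='qual'=('host')
$ IF .NOT. $STATUS THEN GOTO failed
$!
$! As noted in the thread, the new list is only picked up when the service
$! is disabled and re-enabled, which drops every active Telnet session.
$ TCPIP DISABLE SERVICE TELNET
$ TCPIP ENABLE SERVICE TELNET
$ IF .NOT. $STATUS THEN GOTO failed
$!
$! Show the resulting accept/reject lists for the operator log.
$ TCPIP SHOW SERVICE TELNET /FULL
$!
$! Optional P3: queue the matching UNBLOCK so the block expires on its own.
$! The queued UNBLOCK bounces the service again when it runs.
$ IF action .NES. "BLOCK" .OR. P3 .EQS. "" THEN EXIT 1
$ me = F$ENVIRONMENT("PROCEDURE")
$ SUBMIT /AFTER="''P3'" /PARAMETERS=("UNBLOCK","''host'") 'me'
$ EXIT 1
$!
$usage:
$ WRITE SYS$OUTPUT "Usage: @TELNET_BLOCK BLOCK|UNBLOCK host [+hh:mm:ss]"
$ EXIT 1
$failed:
$ WRITE SYS$OUTPUT "TCPIP command failed; check TCPIP SHOW SERVICE TELNET /FULL"
$ EXIT 44   ! SS$_ABORT
```

Because each run bounces the service, both the block and the queued unblock disconnect every current Telnet user, not only the rejected host.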
Don Nutt
Advisor

Re: Blocking an IP address

Why not just add and delete a route to a black hole? By adding it in the dynamic routing database it would be lost during any reboot and not be maintained by the permanent routing database. This would stop all IP connections from the affected client.

Since VMS does not support the route prohibit command, I have tried and used the following syntax. Target IP to prevent access=192.168.1.1

TCPIP> set route 192.168.1.1 /gateway=127.0.0.1

TCPIP> set noroute 192.168.1.1 /noconfirm

This prevents the target IP access over the physical IP connection. I know it is not the most elegant of solutions, however it has been effective for us.

Don
Wim Van den Wyngaert
Honored Contributor

Re: Blocking an IP address

Don,

He did mention telnet, not all traffic ...

Wim
Don Nutt
Advisor

Re: Blocking an IP address

Wim,

I realize that he stated Telnet only. However, if it is the one client, perhaps blocking the one client "without" bouncing all the rest of the connections might be an alternative solution.

I'd rather provide the solution I chose than keep it to myself and not help someone else out who might be following the thread.


Don
Jan van den Ende
Honored Contributor

Re: Blocking an IP address

Jack,

from your Forum Profile:


I have assigned points to 290 of 315 responses to my questions.

This even includes 2004 threads.

Maybe you can find some time to do some assigning?

http://forums1.itrc.hp.com/service/forums/helptips.do?#33

Mind, I do NOT say you necessarily need to give lots of points. It is fully up to _YOU_ to decide how many. If you consider an answer is not deserving any points, you can also assign 0 ( = zero ) points, and then that answer will no longer be counted as unassigned.
Consider, that every poster took at least the trouble of posting for you!

To easily find your streams with unassigned points, click your own name somewhere.
This will bring up your profile.
Near the bottom of that page, under the caption "My Question(s)" you will find "questions or topics with unassigned points". Clicking that will give all, and only, your questions that still have unassigned postings.

Thanks on behalf of your Forum colleagues.

PS. - nothing personal in this. I try to post it to everyone with this kind of assignment ratio in this forum. If you have received a posting like this before - please do not take offence - none is intended!

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Jan van den Ende
Honored Contributor

Re: Blocking an IP address

Wim,

I find Don's answer quite useful for this type of problem. And it depends as much on the exact problem of the original topic whether his answer in this case IS the solution, or not.
I would rather get 3 more-or-less-appropriate answers, of which one hits the bull's eye, than NOT getting the answers, because my understanding and/or my wording of the problem were not exact enough!

just my EUR 0,02

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Sebastian Bazley
Regular Advisor

Re: Blocking an IP address

Don:

Surely routing is only applied to outgoing connections, so would not stop the incoming telnet connections?