07-21-2009 05:29 AM
TCPIP port security (IP blacklist)
Is there a way to define (somewhere in TCPIP configuration) some IP address, which will not have access to a specific port on OpenVMS? So far I didn't find anything. Thanks in advance.
07-21-2009 05:42 AM
Re: TCPIP port security (IP blacklist)
07-21-2009 05:45 AM
Re: TCPIP port security (IP blacklist)
TCPIP HELP SET SERVICE /REJECT
As usual, output from "TCPIP SHOW VERSION"
might be helpful.
07-21-2009 06:04 AM
Re: TCPIP port security (IP blacklist)
on a COMPAQ AlphaServer DS20E 833 MHz running OpenVMS V7.3-2
07-21-2009 06:17 AM
Re: TCPIP port security (IP blacklist)
Steven's post still stands :-
tcpip> set service
tcpip> disab serv
tcpip> enab serv
fwiw
07-21-2009 06:25 AM
Re: TCPIP port security (IP blacklist)
that it would make any difference on this
question).
07-21-2009 06:37 AM
Re: TCPIP port security (IP blacklist)
No available TCP/IP Services software release for OpenVMS provides that capability.
OpenVMS V8.4 might change that, according to the last roadmap I checked; there was a firewall planned for that release. (Though the UI and the capabilities of that software firewall have not AFAIK been disclosed yet.)
In general, I prefer to use an external firewall with OpenVMS when connecting to an untrusted network.
Depending on the network traffic load involved with this OpenVMS box, these firewall boxes can be quite inexpensive and very effective.
And even a low-end firewall can easily block the problem CIDR ranges.
(The next "wrinkle" here tends to be the lack of a syslogd on OpenVMS, but that can be addressed in various ways. OpenVMS can be integrated with a syslog-based network, but it requires adding syslog client or syslogd daemon software to OpenVMS.)
07-21-2009 06:48 AM
Re: TCPIP port security (IP blacklist)
>
> No available TCP/IP Services software
> release for OpenVMS provides that
> capability.
Hmmm. That's exactly how I would have
described
TCPIP SET SERVICE /REJECT = NETWORKS = [...]
For each network, you can optionally specify
the network mask. The default net mask equals
network's class number. For example, for
network 11.200.0.0., the default mask is
255.0.0.0.
Doesn't that qualify as some kind of IP subnet
range?
Of course,
Maximum is 16.
can be rather limiting.
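
The classful default mask and the 16-network limit quoted in the post above, worked through as an added example (Python, not part of the thread and not the TCP/IP Services code): it collapses a CIDR blocklist, flags entries where leaving the mask off would reject a different range than intended, and fails when the list exceeds 16 networks. The function names and the sample list are assumptions made for illustration.

```python
import ipaddress

MAX_NETWORKS = 16  # "Maximum is 16." in the HELP text quoted above

def classful_default_mask(network):
    """Mask implied by the address class when none is specified."""
    first_octet = int(network.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"        # class A
    if first_octet < 192:
        return "255.255.0.0"      # class B
    if first_octet < 224:
        return "255.255.255.0"    # class C
    raise ValueError(f"{network} is not a class A, B or C address")

def default_coverage(network):
    """Range actually matched if the mask is left off."""
    mask = classful_default_mask(network)
    return ipaddress.ip_network(f"{network}/{mask}", strict=False)

def plan_reject_list(cidrs):
    """Collapse CIDR blocks into (network, mask, mask_required) entries."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs)
    plan = []
    for net in nets:
        network, mask = str(net.network_address), str(net.netmask)
        # mask_required: the class default would match a different range
        plan.append((network, mask, mask != classful_default_mask(network)))
    if len(plan) > MAX_NETWORKS:
        raise ValueError(f"{len(plan)} networks exceed the limit of {MAX_NETWORKS}")
    return plan

# Constructed sample blocklist (not from the thread, apart from 11.200.0.0)
SAMPLE = ["198.51.100.0/25", "198.51.100.128/25", "192.0.2.0/24",
          "11.200.0.0/16", "172.16.0.0/12"]

if __name__ == "__main__":
    for network, mask, required in plan_reject_list(SAMPLE):
        note = "mask required" if required else "class default is enough"
        print(f"{network:<15} {mask:<15} {note}")
    print("11.200.0.0 without a mask matches", default_coverage("11.200.0.0"))
```
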
07-21-2009 07:34 AM
Re: TCPIP port security (IP blacklist)
Work for a while with ipfw or ipchains or a comparably recent host-based firewall, or work with an external commercial mid-grade server firewall or a dual-NIC x86 open-source firewall (e.g., m0n0wall or smoothwall), and call me back.
With most any of those solutions, hundreds or thousands of CIDR-based port-range blocks are trivial. Far more important (as you get into this stuff) are the adaptive firewall blocks; whether based on Spamhaus Zen DNSBL or otherwise. Static CIDR blocks aren't a practical solution with IPv4, much less with IPv6.
I do hope that the host-based firewall from the V8.4 roadmap is at least as capable as the ipchains firewall. That is, that the new firewall will have capabilities commensurate with the typical value of a target box running OpenVMS.
07-22-2009 03:59 AM
Re: TCPIP port security (IP blacklist)
> OpenVMS does not offer an IP firewall.
Really?
This is what I have/had from one of the guys that wrote it: -
> BTW, delivery of IPSEC also provides
> host-based firewall capability, which
> is another important feature that would
> also be delayed if IPSEC is further
> delayed.
Are you now separating (for the customer delivery expectations) IPsec and VMS firewall capabilities?
> I do hope that the host-based firewall
> from the V8.4 roadmap is at least as
> capable as the ipchains firewall.
Which V8.4 roadmap are you talking about???
IPsec and VMS firewall functionality were (after several prominent years) erased from the 8.4 (after the 8.3 :-( ) roadmap at the mere stroke of the pen. What say you now?
Cheers Richard Maher