Operating System - OpenVMS

Re: TCPIP port security (IP blacklist)

 
Dolezel Vaclav
Advisor

TCPIP port security (IP blacklist)

Hello.

Is there a way to define (somewhere in the TCPIP configuration) some IP address which will not have access to a specific port on OpenVMS? So far I didn't find anything. Thanks in advance.
12 REPLIES 12
Ananth S
Occasional Advisor

Re: TCPIP port security (IP blacklist)

Does tcpip > set communication /reject=() meet your requirements?
Steven Schweda
Honored Contributor

Re: TCPIP port security (IP blacklist)

> [...] to specific port [...]

TCPIP HELP SET SERVICE /REJECT


As usual, output from "TCPIP SHOW VERSION"
might be helpful.
Dolezel Vaclav
Advisor

Re: TCPIP port security (IP blacklist)

HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
on a COMPAQ AlphaServer DS20E 833 MHz running OpenVMS V7.3-2


marsh_1
Honored Contributor

Re: TCPIP port security (IP blacklist)

hi,

Steven's post still stands:

tcpip> set service /reject=host=

tcpip> disab serv

tcpip > enab serv


fwiw

Steven Schweda
Honored Contributor

Re: TCPIP port security (IP blacklist)

And "ECO 7" is available, too (but I doubt
that it would make any difference on this
question).
Hoff
Honored Contributor

Re: TCPIP port security (IP blacklist)

Blocking IP subnet ranges?

No available TCP/IP Services software release for OpenVMS provides that capability.

OpenVMS V8.4 might change that, according to the last roadmap I checked; there was a firewall planned for that release. (Though the UI and the capabilities of that software firewall have not AFAIK been disclosed yet.)

In general, I prefer to use an external firewall with OpenVMS when connecting to an untrusted network.

Depending on the network traffic load involved with this OpenVMS box, these firewall boxes can be quite inexpensive and very effective.

And even a low-end firewall can easily block the problem CIDR ranges.

(The next "wrinkle" here tends to be the lack of a syslogd on OpenVMS, but that can be addressed in various ways. OpenVMS can be integrated with a syslog-based network, but it requires adding syslog client or syslogd daemon software to OpenVMS.)
Steven Schweda
Honored Contributor

Re: TCPIP port security (IP blacklist)

> Blocking IP subnet ranges?
>
> No available TCP/IP Services software
> release for OpenVMS provides that
> capability.

Hmmm. That's exactly how I would have
described

TCPIP SET SERVICE /REJECT = NETWORKS = [...]

For each network, you can optionally specify
the network mask. The default net mask equals
network's class number. For example, for
network 11.200.0.0., the default mask is
255.0.0.0.

Doesn't that qualify as some kind of IP subnet
range?

Of course,
Maximum is 16.
can be rather limiting.
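
The default-mask rule and the 16-entry limit quoted in the post above, worked through as an added example (not part of any poster's reply and not HP code): it collapses a block list and flags entries where leaving out the mask would apply the classful default to a different range than intended. The function names and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

MAX_REJECT_NETWORKS = 16  # limit quoted in the post above ("Maximum is 16.")

def classful_default_mask(network: str) -> str:
    """Default mask by address class, as the quoted help text describes."""
    first_octet = int(network.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"        # class A
    if first_octet < 192:
        return "255.255.0.0"      # class B
    if first_octet < 224:
        return "255.255.255.0"    # class C
    raise ValueError(f"{network} is not a class A/B/C address")

def plan_reject_list(cidrs):
    """Collapse CIDR blocks into (network, mask, default_mask, explicit_mask_needed) rows."""
    nets = list(ipaddress.collapse_addresses([ipaddress.ip_network(c) for c in cidrs]))
    if len(nets) > MAX_REJECT_NETWORKS:
        raise ValueError(
            f"{len(nets)} networks after aggregation; limit is {MAX_REJECT_NETWORKS}")
    rows = []
    for net in nets:
        network = str(net.network_address)
        mask = str(net.netmask)
        default = classful_default_mask(network)
        # If the default differs from the intended mask, omitting the mask
        # would reject a larger or smaller range than the one planned.
        rows.append((network, mask, default, default != mask))
    return rows

# Constructed sample block list (documentation ranges plus the post's 11.200.0.0).
SAMPLE = ["11.200.0.0/16", "192.0.2.0/25", "192.0.2.128/25",
          "198.51.100.0/24", "172.16.0.0/16"]

if __name__ == "__main__":
    for network, mask, default, explicit in plan_reject_list(SAMPLE):
        note = "explicit mask required" if explicit else "default mask matches"
        print(f"{network:<15} {mask:<15} default {default:<15} {note}")
```
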
Hoff
Honored Contributor

Re: TCPIP port security (IP blacklist)

OpenVMS does not offer an IP firewall.

Work for a while with ipfw or ipchains or a comparable-recent host-based firewall, or work with an external commercial mid-grade server firewall or a dual-NIC x86 open-source firewall (eg: m0n0wall or smoothwall), and call me back.

With most any of those solutions, hundreds or thousands of CIDR-based port-range blocks are trivial. Far more important (as you get into this stuff) are the adaptive firewall blocks; whether based on Spamhaus Zen DNSBL or otherwise. Static CIDR blocks aren't a practical solution with IPv4, much less with IPv6.

I do hope that the host-based firewall from the V8.4 roadmap is at least as capable as the ipchains firewall. That is, that the new firewall will have capabilities commensurate with the typical value of a target box running OpenVMS.
Richard J Maher
Trusted Contributor

Re: TCPIP port security (IP blacklist)

Hi Steve,

> OpenVMS does not offer an IP firewall.

Really?

This is what I have/had from one of the guys that wrote it: -

> BTW, delivery of IPSEC also provides
> host-based firewall capability, which
> is another important feature that would
> also be delayed if IPSEC is further
> delayed.

Are you now separating (for the customer delivery expectations) IPsec and VMS firewall capabilities?

> I do hope that the host-based firewall
> from the V8.4 roadmap is at least as
> capable as the ipchains firewall.

Which V8.4 roadmap are you talking about???

IPsec and VMS firewall functionality were (after several prominent years) erased from the 8.4 (after the 8.3 :-( ) roadmap at the mere stroke of the pen. What say you now?

Cheers Richard Maher