- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- Re: Restrict FTP access by incoming and outgoing t...
Operating System - OpenVMS
1820100
Members
3490
Online
109608
Solutions
Forums
Categories
Company
Local Language
back
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Discussions
Forums
Discussions
back
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Blogs
Information
Community
Resources
Community Language
Language
Forums
Blogs
Topic Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-06-2009 05:41 PM
10-06-2009 05:41 PM
Restrict FTP access by incoming and outgoing traffic for the same remote machine
How to restrict FTP access by incoming and outgoing traffic for the same remote machine?
1. We have 2 machines 'john' and 'mary'.
2. We want to connect to 'john' from 'mary' for outgoing traffic but don't want anyone to connect to 'mary' from 'john' for incoming traffic.
3. It there a way to restrict FTP down to incoming and outgoing traffic instead of only restricting to remote machine IP?
1. We have 2 machines 'john' and 'mary'.
2. We want to connect to 'john' from 'mary' for outgoing traffic but don't want anyone to connect to 'mary' from 'john' for incoming traffic.
3. It there a way to restrict FTP down to incoming and outgoing traffic instead of only restricting to remote machine IP?
- Tags:
- ftp
5 REPLIES 5
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-06-2009 07:25 PM
10-06-2009 07:25 PM
Re: Restrict FTP access by incoming and outgoing traffic for the same remote machine
Define "incoming and outgoing traffic". Are
you worried about the direction in which the
data travel, or are you worried about which
system is being used as an FTP server?
Knowing nothing about whose IP software
you're using, it would be risky to suggest a
specific procedure, but, as an example, with
HP's TCPIP, one can use:
TCPIP SET SERVICE [ /ACCEPT | /REJECT ]
to control access from particular systems to
its FTP server.
After a normal FTP client-server connection
has been established, I suspect that you may
be left with file/directory access control as
the only way to prohibit particular
file-transfer activities.
If I could tell exactly what you're trying to
prohibit, then I might be able to suggest
something else.
you worried about the direction in which the
data travel, or are you worried about which
system is being used as an FTP server?
Knowing nothing about whose IP software
you're using, it would be risky to suggest a
specific procedure, but, as an example, with
HP's TCPIP, one can use:
TCPIP SET SERVICE [ /ACCEPT | /REJECT ]
to control access from particular systems to
its FTP server.
After a normal FTP client-server connection
has been established, I suspect that you may
be left with file/directory access control as
the only way to prohibit particular
file-transfer activities.
If I could tell exactly what you're trying to
prohibit, then I might be able to suggest
something else.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-07-2009 01:36 AM
10-07-2009 01:36 AM
Re: Restrict FTP access by incoming and outgoing traffic for the same remote machine
1. We are using FTP (Version 4.2) on ALPHA Machine with VMS 7.3-2
2. We havenâ t installed DECNET
3. It is our policy to only allow the production machine to connect to other machines through FTP but not vice versa. So, we need to find out how to allow a production machine to connect to other machines but other machines canâ t connect it back through FTP.
4. When the production machine connects to other machines, either â putâ or â getâ commands are allowed to use.
5. As advised by consultant, the command TCPIP SET SERVICE [ /ACCEPT | /REJECT ] can only set to machine level but canâ t down to incoming or outgoing level.
e.g. $ TCPIP SET SERVICE FTP /ACCEPT= NETWORK=(11.30.0.0:255.255.0.0,11.40.0.0)
2. We havenâ t installed DECNET
3. It is our policy to only allow the production machine to connect to other machines through FTP but not vice versa. So, we need to find out how to allow a production machine to connect to other machines but other machines canâ t connect it back through FTP.
4. When the production machine connects to other machines, either â putâ or â getâ commands are allowed to use.
5. As advised by consultant, the command TCPIP SET SERVICE [ /ACCEPT | /REJECT ] can only set to machine level but canâ t down to incoming or outgoing level.
e.g. $ TCPIP SET SERVICE FTP /ACCEPT= NETWORK=(11.30.0.0:255.255.0.0,11.40.0.0)
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-07-2009 01:40 AM
10-07-2009 01:40 AM
Re: Restrict FTP access by incoming and outgoing traffic for the same remote machine
Why not just stop the 'FTP Server' and leave the 'FTP client' enabled ?
Use @SYS$MANAGER:TCPIP$CONFIG to change your TCPIP config.
Volker.
Use @SYS$MANAGER:TCPIP$CONFIG to change your TCPIP config.
Volker.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-07-2009 02:24 AM
10-07-2009 02:24 AM
Re: Restrict FTP access by incoming and outgoing traffic for the same remote machine
In terms of the protocol, ftp is both an incoming and an outgoing connection. With an active-mode ftp connection, the client establishes a connection to the server, and the server establishes a connection back to the client. Which means you'll need a passive-mode connection, if you want to have a firewall enforce connection "directionality."
Use an IP stack with a software firewall (not TCP/IP Services), or use an external hardware firewall or a local managed LAN, or shut down the ftp daemon and most of the daemons on the server, or determine and deny incoming access via explicit policy checks in SYLOGIN.COM or LOGIN.COM or such.
An external hardware firewall or managed LAN (if you're using TCP/IP Services) is usually the easiest. There are firewall benchmarks around if you're slamming substantial bits through the LAN.
(The version of TCP/IP Services with V8.4 (c. 2010H1) was reported to have a firewall per earlier roadmaps, but that feature seems to have been dropped from the roadmap version I just checked.)
I'll presume you know that ftp sends your authentication credentials in cleartext:
http://labs.hoffmanlabs.com/node/530
And for completeness and for ease of DCL programming, the requisite pointer to the COPY /FTP topic:
http://labs.hoffmanlabs.com/node/136
Stephen Hoffman
HoffmanLabs LLC
Use an IP stack with a software firewall (not TCP/IP Services), or use an external hardware firewall or a local managed LAN, or shut down the ftp daemon and most of the daemons on the server, or determine and deny incoming access via explicit policy checks in SYLOGIN.COM or LOGIN.COM or such.
An external hardware firewall or managed LAN (if you're using TCP/IP Services) is usually the easiest. There are firewall benchmarks around if you're slamming substantial bits through the LAN.
(The version of TCP/IP Services with V8.4 (c. 2010H1) was reported to have a firewall per earlier roadmaps, but that feature seems to have been dropped from the roadmap version I just checked.)
I'll presume you know that ftp sends your authentication credentials in cleartext:
http://labs.hoffmanlabs.com/node/530
And for completeness and for ease of DCL programming, the requisite pointer to the COPY /FTP topic:
http://labs.hoffmanlabs.com/node/136
Stephen Hoffman
HoffmanLabs LLC
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-07-2009 05:19 AM
10-07-2009 05:19 AM
Re: Restrict FTP access by incoming and outgoing traffic for the same remote machine
> 1. We are using FTP (Version 4.2) on ALPHA
> Machine with VMS 7.3-2
As usual, showing actual commands with their
actual output might be more helpful than
vague descriptions and interpretations. For
some hints on how one might identify one's IP
software, see, for example:
http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1376469
"FTP (Version 4.2)" doesn't say whose FTP it
is.
> 5. As advised by consultant, the command
> TCPIP SET SERVICE [ /ACCEPT | /REJECT ] can
> only set to machine level but canâ  t down to
> incoming or outgoing level.
Your consultant or I may be confused, but I'd
say that if the "production machine" rejects
FTP connections from all the "other
machines", then they won't be able to make
FTP connections to the "production machine",
which sounds to me exactly like what you say
you want.
Whether "TCPIP SET SERVICE" is the command to
use depends on whether you're running HP's
TCPIP product or some other IP product, which
is still a mystery to me.
For example, around here:
ALP $ tcpip show version
HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 7
on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2
IT $ tcpip show version
HP TCP/IP Services for OpenVMS Industry Standard 64 Version V5.6 - ECO 2
on an HP zx2000 (1.50GHz/6.0MB) running OpenVMS V8.3-1H1
IT $ ftp alp-l ! (The local name for "alp".)
220- Antinode FTP Server. Please be nice.
220 alp.antinode.info FTP Server (Version 5.4) Ready.
Connected to alp.
Name (alp:system):
331 Username system requires a Password
Password:
230 User logged in.
FTP> quit
221 Goodbye.
IT $
So, FTP from node IT works as expected.
ALP $ tcpip set service ftp /reject = host = it
ALP $ tcpip disable service ftp
ALP $ tcpip enable service ftp
And now it's prohibited.
IT $ ftp alp-l
%TCPIP-E-FTP_NETERR, I/O error on network device
-SYSTEM-F-REJECT, connect to network object rejected
IT $
And now it fails, as expected.
That sure seems to stop an incoming FTP
connection from that host.
In the other direction:
ALP $ ftp it
220- Antinode FTP Server. Please be nice.
220 it.antinode.info FTP Server (Version 5.6) Ready.
Connected to it.antinode.info.
Name (it.antinode.info:system):
331 Username system requires a Password
Password:
230 User logged in.
FTP> quit
221 Goodbye.
ALP $
Still happy as a bivalve.
> Machine with VMS 7.3-2
As usual, showing actual commands with their
actual output might be more helpful than
vague descriptions and interpretations. For
some hints on how one might identify one's IP
software, see, for example:
http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1376469
"FTP (Version 4.2)" doesn't say whose FTP it
is.
> 5. As advised by consultant, the command
> TCPIP SET SERVICE [ /ACCEPT | /REJECT ] can
> only set to machine level but canâ  t down to
> incoming or outgoing level.
Your consultant or I may be confused, but I'd
say that if the "production machine" rejects
FTP connections from all the "other
machines", then they won't be able to make
FTP connections to the "production machine",
which sounds to me exactly like what you say
you want.
Whether "TCPIP SET SERVICE" is the command to
use depends on whether you're running HP's
TCPIP product or some other IP product, which
is still a mystery to me.
For example, around here:
ALP $ tcpip show version
HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 7
on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2
IT $ tcpip show version
HP TCP/IP Services for OpenVMS Industry Standard 64 Version V5.6 - ECO 2
on an HP zx2000 (1.50GHz/6.0MB) running OpenVMS V8.3-1H1
IT $ ftp alp-l ! (The local name for "alp".)
220- Antinode FTP Server. Please be nice.
220 alp.antinode.info FTP Server (Version 5.4) Ready.
Connected to alp.
Name (alp:system):
331 Username system requires a Password
Password:
230 User logged in.
FTP> quit
221 Goodbye.
IT $
So, FTP from node IT works as expected.
ALP $ tcpip set service ftp /reject = host = it
ALP $ tcpip disable service ftp
ALP $ tcpip enable service ftp
And now it's prohibited.
IT $ ftp alp-l
%TCPIP-E-FTP_NETERR, I/O error on network device
-SYSTEM-F-REJECT, connect to network object rejected
IT $
And now it fails, as expected.
That sure seems to stop an incoming FTP
connection from that host.
In the other direction:
ALP $ ftp it
220- Antinode FTP Server. Please be nice.
220 it.antinode.info FTP Server (Version 5.6) Ready.
Connected to it.antinode.info.
Name (it.antinode.info:system):
331 Username system requires a Password
Password:
230 User logged in.
FTP> quit
221 Goodbye.
ALP $
Still happy as a bivalve.
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.
Company
Learn About
News and Events
Support
© Copyright 2025 Hewlett Packard Enterprise Development LP