Operating System - OpenVMS
1748180 Members
4248 Online
108759 Solutions
New Discussion юеВ

Restrict FTP access by incoming and outgoing traffic for the same remote machine

 
cckcwong
Occasional Contributor

Restrict FTP access by incoming and outgoing traffic for the same remote machine

How to restrict FTP access by incoming and outgoing traffic for the same remote machine?

1. We have 2 machines 'john' and 'mary'.
2. We want to connect to 'john' from 'mary' for outgoing traffic but don't want anyone to connect to 'mary' from 'john' for incoming traffic.
3. It there a way to restrict FTP down to incoming and outgoing traffic instead of only restricting to remote machine IP?
5 REPLIES 5
Steven Schweda
Honored Contributor

Re: Restrict FTP access by incoming and outgoing traffic for the same remote machine

Define "incoming and outgoing traffic". Are
you worried about the direction in which the
data travel, or are you worried about which
system is being used as an FTP server?

Knowing nothing about whose IP software
you're using, it would be risky to suggest a
specific procedure, but, as an example, with
HP's TCPIP, one can use:

TCPIP SET SERVICE [ /ACCEPT | /REJECT ]

to control access from particular systems to
its FTP server.

After a normal FTP client-server connection
has been established, I suspect that you may
be left with file/directory access control as
the only way to prohibit particular
file-transfer activities.

If I could tell exactly what you're trying to
prohibit, then I might be able to suggest
something else.
cckcwong
Occasional Contributor

Re: Restrict FTP access by incoming and outgoing traffic for the same remote machine

1. We are using FTP (Version 4.2) on ALPHA Machine with VMS 7.3-2
2. We haven├в t installed DECNET
3. It is our policy to only allow the production machine to connect to other machines through FTP but not vice versa. So, we need to find out how to allow a production machine to connect to other machines but other machines can├в t connect it back through FTP.
4. When the production machine connects to other machines, either ├в put├в or ├в get├в commands are allowed to use.
5. As advised by consultant, the command TCPIP SET SERVICE [ /ACCEPT | /REJECT ] can only set to machine level but can├в t down to incoming or outgoing level.
e.g. $ TCPIP SET SERVICE FTP /ACCEPT= NETWORK=(11.30.0.0:255.255.0.0,11.40.0.0)
Volker Halle
Honored Contributor

Re: Restrict FTP access by incoming and outgoing traffic for the same remote machine

Why not just stop the 'FTP Server' and leave the 'FTP client' enabled ?

Use @SYS$MANAGER:TCPIP$CONFIG to change your TCPIP config.

Volker.
Hoff
Honored Contributor

Re: Restrict FTP access by incoming and outgoing traffic for the same remote machine

In terms of the protocol, ftp is both an incoming and an outgoing connection. With an active-mode ftp connection, the client establishes a connection to the server, and the server establishes a connection back to the client. Which means you'll need a passive-mode connection, if you want to have a firewall enforce connection "directionality."

Use an IP stack with a software firewall (not TCP/IP Services), or use an external hardware firewall or a local managed LAN, or shut down the ftp daemon and most of the daemons on the server, or determine and deny incoming access via explicit policy checks in SYLOGIN.COM or LOGIN.COM or such.

An external hardware firewall or managed LAN (if you're using TCP/IP Services) is usually the easiest. There are firewall benchmarks around if you're slamming substantial bits through the LAN.

(The version of TCP/IP Services with V8.4 (c. 2010H1) was reported to have a firewall per earlier roadmaps, but that feature seems to have been dropped from the roadmap version I just checked.)

I'll presume you know that ftp sends your authentication credentials in cleartext:

http://labs.hoffmanlabs.com/node/530

And for completeness and for ease of DCL programming, the requisite pointer to the COPY /FTP topic:

http://labs.hoffmanlabs.com/node/136

Stephen Hoffman
HoffmanLabs LLC
Steven Schweda
Honored Contributor

Re: Restrict FTP access by incoming and outgoing traffic for the same remote machine

> 1. We are using FTP (Version 4.2) on ALPHA
> Machine with VMS 7.3-2

As usual, showing actual commands with their
actual output might be more helpful than
vague descriptions and interpretations. For
some hints on how one might identify one's IP
software, see, for example:

http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1376469

"FTP (Version 4.2)" doesn't say whose FTP it
is.

> 5. As advised by consultant, the command
> TCPIP SET SERVICE [ /ACCEPT | /REJECT ] can
> only set to machine level but can├Г┬в├В ├В t down to
> incoming or outgoing level.

Your consultant or I may be confused, but I'd
say that if the "production machine" rejects
FTP connections from all the "other
machines", then they won't be able to make
FTP connections to the "production machine",
which sounds to me exactly like what you say
you want.

Whether "TCPIP SET SERVICE" is the command to
use depends on whether you're running HP's
TCPIP product or some other IP product, which
is still a mystery to me.

For example, around here:

ALP $ tcpip show version

HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 7
on a COMPAQ Professional Workstation XP1000 running OpenVMS V7.3-2

IT $ tcpip show version

HP TCP/IP Services for OpenVMS Industry Standard 64 Version V5.6 - ECO 2
on an HP zx2000 (1.50GHz/6.0MB) running OpenVMS V8.3-1H1


IT $ ftp alp-l ! (The local name for "alp".)
220- Antinode FTP Server. Please be nice.
220 alp.antinode.info FTP Server (Version 5.4) Ready.
Connected to alp.
Name (alp:system):
331 Username system requires a Password
Password:
230 User logged in.
FTP> quit
221 Goodbye.
IT $

So, FTP from node IT works as expected.

ALP $ tcpip set service ftp /reject = host = it
ALP $ tcpip disable service ftp
ALP $ tcpip enable service ftp

And now it's prohibited.

IT $ ftp alp-l
%TCPIP-E-FTP_NETERR, I/O error on network device
-SYSTEM-F-REJECT, connect to network object rejected
IT $

And now it fails, as expected.

That sure seems to stop an incoming FTP
connection from that host.

In the other direction:

ALP $ ftp it
220- Antinode FTP Server. Please be nice.
220 it.antinode.info FTP Server (Version 5.6) Ready.
Connected to it.antinode.info.
Name (it.antinode.info:system):
331 Username system requires a Password
Password:
230 User logged in.
FTP> quit
221 Goodbye.
ALP $

Still happy as a bivalve.