HPE Community
Operating System - OpenVMS
1820892 Members
3892 Online
109628 Solutions
New Discussion юеВ

Restricting Advanced Server/Pathworks to one LAN

 
Derek Garson
Frequent Advisor

тАО04-04-2006 12:00 PM

тАО04-04-2006 12:00 PM

Restricting Advanced Server/Pathworks to one LAN

My Alpha has two ethernet controllers, EIA0 and EIB0. The two LANs in question have quite separate requirements and uses and I require Pathworks only to be accessible on EIA0.

I have defined PWRK$KNBDAEMON_DEVICE and _IPADDR, and the PWRK$KNBDAEMON_xxxxxx.LOG file appears to show it doing the right thing but

a) I can see that Pathworks has bound to port 139 on "all interfaces", and

b) I really can Map Network Drive from a PC connected to the second LAN (which will then show an established TCP/IP connection for port 139 on the second interface).

Log file referred to above shows

Tue Apr 4 21:31:09 2006 get_phys_addr: PWRK$KNBDAEMON_DEVICE is set to EIA0:
Tue Apr 4 21:31:09 2006 get_phys_addr: EIA2: PH Address: AA-00-04-XX-XX-XX
Tue Apr 4 21:31:09 2006 get_ip_addr: PWRK$KNBDAEMON_IPADDR is 192.168.1.X
Tue Apr 4 21:31:09 2006 IP Address: 192.168.1.X
Tue Apr 4 21:31:09 2006 ip_brdcst_address : 192.168.1.255

192.168.1.* is the first LAN and 192.168.2.* is the second LAN.

PROD SHOW PROD suggests that I am running Advanced Server 7.3-A4, which based on my reading should be a version good enough to have this functionality working.

Any hints as to whether I am misunderstanding how this is supposed to work / doing something wrong?
0 Kudos
Reply
6 REPLIES 6
David B Sneddon
Honored Contributor

тАО04-04-2006 07:06 PM

тАО04-04-2006 07:06 PM

Re: Restricting Advanced Server/Pathworks to one LAN

Derek,

What are the IP addresses and network masks of
the two interfaces?

Dave
0 Kudos
Reply
Derek Garson
Frequent Advisor

тАО04-05-2006 11:13 AM

тАО04-05-2006 11:13 AM

Re: Restricting Advanced Server/Pathworks to one LAN

Subnet masks are both 255.255.255.0 and host is .2 in each subnet.

PS Forgot to mention ... VMS version is V7.3-2 and IP implementation is MultiNet V5.0 Rev A-X.
0 Kudos
Reply
Jiri_5
Frequent Advisor

тАО04-05-2006 09:25 PM

тАО04-05-2006 09:25 PM

Re: Restricting Advanced Server/Pathworks to one LAN

Problem maybe in Advanced Server as such, it is listen on *.139



Jiri
0 Kudos
Reply
Paul Nunez
Respected Contributor

тАО04-06-2006 12:18 AM

тАО04-06-2006 12:18 AM

Re: Restricting Advanced Server/Pathworks to one LAN

Hi Derek,

There's no way in Advanced Server to restrict which interfaces it listens on. Perhaps there's some way to block access to UDP ports 137 and 138 and TCP port 139 on a specific interface with Multinet.?. Of course, a firewall could be employed as well.

The pwrk$knbdaemon logicals control which interface address Advanced Server sends back in response to name queries it receives. For example, if you have interfaces A and B and pwrk$knbdaemon "binds" to interface A, when a client sends a NetBIOS name query to Advanced Server (regardless of which interface it arrives on), in the response Advanced Server will indicate the Advanced Server's IP address is the address to which knbdaemon is bound - interface A in this example. Note this will only occur for clients which are on one of the subnets that the Advanced Server is on and only when such clients use broadcasts (rather than WINS or DNS) to resolve a name.

HTH,

Paul
0 Kudos
Reply
Derek Garson
Frequent Advisor

тАО04-11-2006 01:13 PM

тАО04-11-2006 01:13 PM

Re: Restricting Advanced Server/Pathworks to one LAN

Thanks for the explanation. A pity that I can't do what I want to do.

>Perhaps there's some way to block access to UDP ports 137 and 138 and TCP port 139 on a specific interface with Multinet?

Yes, there is. We will probably do that. There may be a modest performance loss in enabling that functionality. And in some respects we would prefer to have defence in depth i.e. both stop Pathworks listening where it shouldn't be listening *and* enable packet filtering on the restricted interface.

However there is a short-term reason not to do this that will become the subject of the next thread. (-:

>Of course, a firewall could be employed as well.

Yes, we could do that too (install a separate firewall). That would be somewhat disruptive though.

In fact we thought we were using the Alpha as something of a firewall in its own right i.e. separating the two subnets and controlling traffic between them, but Pathworks is at least in part defeating us.
0 Kudos
Reply
Paul Nunez
Respected Contributor

тАО06-01-2006 03:41 AM

тАО06-01-2006 03:41 AM

Re: Restricting Advanced Server/Pathworks to one LAN

I posted a reply to the other thread at:

http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1019004

that describes how to get Samba and Advanced Server running simultaneously on the same server...

Paul

0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.