TCPIP port security (IP blacklist)
Advisor
Dolezel Vaclav
Posts: 33
Registered: 08-22-2008
Message 1 of 13

TCPIP port security (IP blacklist)

Hello.

Is there a way to define (somewhere in the TCPIP configuration) an IP address that will not have access to a specific port on OpenVMS? So far I haven't found anything. Thanks in advance.
Occasional Advisor
Ananth S
Posts: 7
Registered: 07-01-2009
Message 2 of 13

Re: TCPIP port security (IP blacklist)

Does tcpip> set communication /reject=() meet your requirements?
Honored Contributor
Steven Schweda
Posts: 9,096
Registered: 02-23-2005
Message 3 of 13

Re: TCPIP port security (IP blacklist)

> [...] to specific port [...]

TCPIP HELP SET SERVICE /REJECT


As usual, output from "TCPIP SHOW VERSION" might be helpful.
Advisor
Dolezel Vaclav
Posts: 33
Registered: 08-22-2008
Message 4 of 13

Re: TCPIP port security (IP blacklist)

HP TCP/IP Services for OpenVMS Alpha Version V5.4 - ECO 6
on a COMPAQ AlphaServer DS20E 833 MHz running OpenVMS V7.3-2


Honored Contributor
marsh_1
Posts: 986
Registered: 03-25-2004
Message 5 of 13

Re: TCPIP port security (IP blacklist)

Hi,

Steven's post still stands:

tcpip> set service /reject=host=

tcpip> disab serv

tcpip> enab serv

FWIW

Honored Contributor
Steven Schweda
Posts: 9,096
Registered: 02-23-2005
Message 6 of 13

Re: TCPIP port security (IP blacklist)

And "ECO 7" is available, too (but I doubt that it would make any difference on this question).
Honored Contributor
Hoff
Posts: 4,962
Registered: 01-29-2006
Message 7 of 13

Re: TCPIP port security (IP blacklist)

Blocking IP subnet ranges?

No available TCP/IP Services software release for OpenVMS provides that capability.

OpenVMS V8.4 might change that, according to the last roadmap I checked; there was a firewall planned for that release. (Though the UI and the capabilities of that software firewall have not AFAIK been disclosed yet.)

In general, I prefer to use an external firewall with OpenVMS when connecting to an untrusted network.

Depending on the network traffic load involved with this OpenVMS box, these firewall boxes can be quite inexpensive and very effective.

And even a low-end firewall can easily block the problem CIDR ranges.

(The next "wrinkle" here tends to be the lack of a syslogd on OpenVMS, but that can be addressed in various ways. OpenVMS can be integrated with a syslog-based network, but it requires adding syslog client or syslogd daemon software to OpenVMS.)
Honored Contributor
Steven Schweda
Posts: 9,096
Registered: 02-23-2005
Message 8 of 13

Re: TCPIP port security (IP blacklist)

> Blocking IP subnet ranges?
>
> No available TCP/IP Services software
> release for OpenVMS provides that
> capability.

Hmmm. That's exactly how I would have described

TCPIP SET SERVICE /REJECT = NETWORKS = [...]

For each network, you can optionally specify
the network mask. The default net mask equals
network's class number. For example, for
network 11.200.0.0., the default mask is
255.0.0.0.

Doesn't that qualify as some kind of IP subnet range?

Of course, "Maximum is 16." can be rather limiting.
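The classful default mask and the 16-entry limit quoted above are the two things that bite when building a /REJECT list from CIDR blocks, so here is an added helper (not code from the thread or from HP) that expands CIDR blocks into explicit network:mask entries, flags the ones where the classful default would reject a different range than intended, enforces the limit, and renders the SET/DISABLE/ENABLE sequence from message 5. The NETWORKS=(net:mask,...) syntax and the class boundaries are assumptions from the TCP/IP Services command reference; check them against TCPIP HELP SET SERVICE /REJECT on your own system.

```python
# Added example, not from the thread: build a TCP/IP Services /REJECT list
# from CIDR blocks. Assumes the /REJECT=(NETWORKS=(net:mask,...)) syntax
# and classful default masks (A: /8, B: /16, C: /24) as described in HELP.
import ipaddress

MAX_ENTRIES = 16  # "Maximum is 16." per the HELP text quoted in the thread


def classful_default_mask(network: str) -> str:
    """Mask TCP/IP Services applies when a /REJECT network has no mask.

    The HELP example: network 11.200.0.0 defaults to 255.0.0.0 (class A).
    """
    first_octet = int(network.split(".")[0])
    if first_octet < 128:
        return "255.0.0.0"
    if first_octet < 192:
        return "255.255.0.0"
    return "255.255.255.0"


def reject_entries(cidrs):
    """Return (network, mask, needs_explicit_mask) for each CIDR block.

    needs_explicit_mask is True when relying on the classful default would
    reject a different range than the CIDR block intends, which is the
    silent failure mode to watch for (too much or too little blocked).
    """
    entries = []
    for cidr in cidrs:
        net = ipaddress.IPv4Network(cidr, strict=True)
        mask = str(net.netmask)
        default = classful_default_mask(str(net.network_address))
        entries.append((str(net.network_address), mask, mask != default))
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} networks exceed the maximum of {MAX_ENTRIES}")
    return entries


def service_reject_commands(service: str, cidrs):
    """Render the DCL sequence; masks are always written explicitly, and the
    service is disabled/enabled afterwards so the new list takes effect."""
    nets = ", ".join(f"{n}:{m}" for n, m, _ in reject_entries(cidrs))
    return [
        f"TCPIP SET SERVICE {service} /REJECT=(NETWORKS=({nets}))",
        f"TCPIP DISABLE SERVICE {service}",
        f"TCPIP ENABLE SERVICE {service}",
    ]


if __name__ == "__main__":
    # Constructed sample: one classful block and two that are not.
    blocks = ["11.0.0.0/8", "192.0.2.0/25", "198.51.100.0/22"]
    for n, m, explicit in reject_entries(blocks):
        print(f"{n:16} {m:16} {'mask needed' if explicit else 'default ok'}")
    print("\n".join(service_reject_commands("TELNET", blocks)))
```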
Honored Contributor
Hoff
Posts: 4,962
Registered: 01-29-2006
Message 9 of 13

Re: TCPIP port security (IP blacklist)

OpenVMS does not offer an IP firewall.

Work for a while with ipfw or ipchains or a comparably recent host-based firewall, or work with an external commercial mid-grade server firewall or a dual-NIC x86 open-source firewall (e.g. m0n0wall or smoothwall), and call me back.

With most any of those solutions, hundreds or thousands of CIDR-based port-range blocks are trivial. Far more important (as you get into this stuff) are the adaptive firewall blocks; whether based on Spamhaus Zen DNSBL or otherwise. Static CIDR blocks aren't a practical solution with IPv4, much less with IPv6.

I do hope that the host-based firewall from the V8.4 roadmap is at least as capable as the ipchains firewall. That is, that the new firewall will have capabilities commensurate with the typical value of a target box running OpenVMS.
Trusted Contributor
Richard J Maher
Posts: 397
Registered: 12-26-2005
Message 10 of 13

Re: TCPIP port security (IP blacklist)

Hi Steve,

> OpenVMS does not offer an IP firewall.

Really?

This is what I have/had from one of the guys who wrote it:

> BTW, delivery of IPSEC also provides
> host-based firewall capability, which
> is another important feature that would
> also be delayed if IPSEC is further
> delayed.

Are you now separating (for the customer delivery expectations) IPsec and VMS firewall capabilities?

> I do hope that the host-based firewall
> from the V8.4 roadmap is at least as
> capable as the ipchains firewall.

Which V8.4 roadmap are you talking about???

IPsec and VMS firewall functionality were (after several prominent years) erased from the 8.4 (after the 8.3 :-( ) roadmap at the mere stroke of a pen. What say you now?

Cheers, Richard Maher

Honored Contributor
Hoff
Posts: 4,962
Registered: 01-29-2006
Message 11 of 13

Re: TCPIP port security (IP blacklist)

Thanks for the update. I hadn't noticed that the firewall feature was dropped from the V8.4 roadmap. Ah, well.

I'd not been waiting for V8.4 here regardless, and am presently running external firewall boxes for the OpenVMS servers both for the direct control and for various other capabilities that a firewall can provide.
Frequent Advisor
cdan
Posts: 28
Registered: 07-30-2009
Message 12 of 13

Re: TCPIP port security (IP blacklist)

While waiting for the update, if blocking a specific port is really important, you can do it the "dirty way": implement in SYLOGIN a procedure to look up the BG device of the incoming connection, harvest the local or remote TCP/IP port from the output of tcpip sho dev, and log out the "hacker".
Or I can do it for you for 5 czech beers :)
Occasional Advisor
Warren_Kahle
Posts: 7
Registered: 04-09-2010
Message 13 of 13

Re: TCPIP port security (IP blacklist)

System Detective, which I develop at PointSecure, has the capability, among many others, of deleting processes with a specific string in the port field of their terminal. The source of a session connection is frequently listed in the port field. Security events are recorded, notifications may be made, reports may be generated, etc. You can see information about System Detective at www.PointSecure.com.