07-21-2009 05:29 AM
Is there a way to defined (somewhere in TCPIP configuration) some IP address, which will not have access to specific port on OpenVMS? So far I didn't find anything. Thanks in advance.
07-21-2009 06:37 AM
No available TCP/IP Services software release for OpenVMS provides that capability.
OpenVMS V8.4 might change that, according to the last roadmap I checked; there was a firewall planned for that release. (Though the UI and the capabilities of that software firewall have not AFAIK been disclosed yet.)
In general, I prefer to use an external firewall with OpenVMS when connecting to an untrusted network.
Depending on the network traffic load involved with this OpenVMS box, these firewall boxes can be quite inexpensive and very effective.
And even a low-end firewall can easily block the problem CIDR ranges.
(The next "wrinkle" here tends to be the lack of a syslogd on OpenVMS, but that can be addressed in various ways. OpenVMS can be integrated with a syslog-based network, but it requires adding syslog client or syslogd daemon software to OpenVMS.)
07-21-2009 06:48 AM
> No available TCP/IP Services software
> release for OpenVMS provides that
Hmmm. That's exactly how I would have
TCPIP SET SERVICE /REJECT = NETWORKS = [...]
For each network, you can optionally specify
the network mask. The default net mask equals
network's class number. For example, for
network 126.96.36.199., the default mask is
Dosn't that qualify as some kind of IP subnet
Maximum is 16.
can be rather limiting.
07-21-2009 07:34 AM
Work for a while with ipfw or ipchains or a comparable-recent host-based firewall, or work with an external commercial mid-grade server firewall or a dual-NIC x86 open-source firewall (eg: m0n0wall or smoothwall), and call me back.
With most any of those solutions, hundreds or thousands of CIDR-based port-range blocks are trivial. Far more important (as you get into this stuff) are the adaptive firewall blocks; whether based on Spamhaus Zen DNSBL or otherwise. Static CIDR blocks aren't a practical solution with IPv4, much less with IPv6.
I do hope that the host-based firewall from the V8.4 roadmap is at least as capable as the ipchains firewall. That is, that the new firewall will have capabilities commensurate with the typical value of a target box running OpenVMS.
07-22-2009 03:59 AM
> OpenVMS does not offer an IP firewall.
This is what I have/had from one of the guys that wrote it: -
> BTW, delivery of IPSEC also provides
> host-based firewall capability, which
> is another important feature that would
> also be delayed if IPSEC is further
Are you now seperating (for the customer delivery expectations) IPsec and VMS firewall capabilities?
> I do hope that the host-based firewall
> from the V8.4 roadmap is at least as
> capable as the ipchains firewall.
Which V8.4 roadmap are you talking about???
IPsec and VMS firewall functionality were (after several prominant years) erased from the 8.4 (after the 8.3 :-( ) roadmap at the mere stroke of the pen. What say you now?
Cheers Richard Maher
07-22-2009 04:26 AM
I'd not been waiting for V8.4 here regardless, and am presently running external firewall boxes for the OpenVMS servers both for the direct control and for various other capabilities that a firewall can provide.
07-30-2009 10:49 AM
Or I can do it for you for 5 czech beers :)
11-02-2011 08:03 AM
System Detective, which I develop at PointSecure, has the capability, among many others, of deleting processes with a specific string in the port field of their terminal. The source of a session connection is frequently listed in the port field. Security events are recorded, notifications may be made, reports may be generated, etc. You can see information about System Detective at www.PointSecure.com.