1.  Home
  2. MIDRANGE-L
  3. November 2002

Re: query on ip configuration

It should be noted that a builtin form of packet filtering can indeed prevent 
outbound green-screen telnet (or ftp or...) to specific ports, IP addresses, 
sub-nets, etc., though I haven't seen a way to control by user (nor have I 
looked).

In OpsNav under the iSeries connection in question, expand Network/IP Policies, 
then select the <Configuration> pop-up menu item for Packet Rules. Begin with 
<File/New File> and immediately create a default filter set that allows 
everything -- this will become a catch-all filter set that will be added as the 
final filter set in all rules you create until you learn enough to avoid 
locking yourself out when you activate rules.

Handy tip: _ALWAYS_ have a non-TCP/IP session available when testing, e.g., a 
twinax console or SNA passthru. If this is not reasonable, then do something 
ahead of time such as submit a scheduled job to run the RMVTCPTBL TBL(*IPFTR) 
command a few minutes in the future to undo whatever you did because it's 
trivially easy to lock OpsNav out along with almost everything and everyone 
else. The default behavior is to _deny_ everything that you didn't explicitly 
allow and that facility works _very_ well.

There are reasons not to use Packet Rules, but the rules definitely work. Take 
care in implementing and be aware of potential TCP/IP performance issues, etc.

Anybody know of a good write-up on this? Experimentation is not the best way to 
learn it, especially on a production system.

Tom Liotta



midrange-l-request@midrange.com wrote:

>   7. Re: query on ip configuration (Dr Syd Nicholson)
>
>Further to my previous comment:
>
>Packet filtering should be able to block specific traffic from the
>internal network, but it won't prevent a user on a green screen session
>using telnet/ftp to another machine.
>
>Syd Nicholson
>
>
>KSI wrote:
>
>>--
>>[ Picked text/plain from multipart/alternative ]
>>
>>Hi All,
>>
>>I'm facing a typical situation.  I have a iseries server with a single eth=
>ernet card, configured for 3 network addresses.  one internal & two extenal=
> ip's( all with seperate route, subnet mask).  The surprising thing is the =
>user who's configured to the local network (does not have any access to the=
> external ip's) connects to the iseries server. And....from here he can do =
>a telnet/ftp to any server that is attached to the external network(interne=
>t).  Can anyone comment how is it possible for the local user connected to =
>the iseries to gets access to the internet??
>>
>>How to restrict the local user from accessing the external network (intern=
>et) when connected to the iseries having a external ip configured??

--
--
Tom Liotta
The PowerTech Group, Inc.
19426 68th Avenue South
Kent, WA 98032
Phone  253-872-7788 x313
Fax    253-872-7904
http://www.powertechgroup.com


__________________________________________________________________
The NEW Netscape 7.0 browser is now available. Upgrade now! 
http://channels.netscape.com/ns/browsers/download.jsp

Get your own FREE, personal Netscape Mail account today at 
http://webmail.netscape.com/

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow-Ups:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.