Restricting the ports used to the server would be good standard practice, in
fact I would recommend all such activity to any server be restricted. If I
allow ftp to my 400, and not to any other server in my network, then the
firewall has to restrict those ports & services to secure the rest of the
network.
jim franz
----- Original Message -----
From: <thomas@inorbit.com>
To: <midrange-l@midrange.com>
Sent: Thursday, January 03, 2002 9:53 PM
Subject: Re: CA Express Map Network Drive over Internet


Has anybody out there investigated the implications of these IBM documents?
I'd be nervous about these settings without a few additional precautions,
and even then I'd wonder.

1) With those ports open, I'd want the traffic restricted to the iSeries IP
address, not allowing traffic to/from any other servers in my network.
(Seems odd restricting to the iSeries rather than the other way around.)
2) You'd want a Netserver 'guest' profile and definite restrictions on what
was shared.
3) I figure access to Netserver would have to be either by IP address or an
entry in the remote LMHOSTS file, rather than by Netserver system name.

Are those paranoid? Or are they not yet restrictive enough? It's right at
the fringe of my knowledge.

Tom Liotta


On Thu, 03 January 2002, "Jim Franz" wrote:

> Neil - is the wan connection over the same iSeries ethernet card as the
lan?
> There is an old warning about the "tcp-only" option in an ethernet line
> description  needing MF22323 ptf before setting this parm.
> If you haven't already checked all this, your wan router needs certain
ports
> specific to netserver. Info apar II12227 has a list of all the ports.
>
>
http://www-912.ibm.com/n_dir/nas4apar.NSF/c79815e083182fec862564c00079d117/f
> cc664db54c4c549862568720047b5fd?OpenDocument&Highlight=2,ii12227
>
> if a firewall is involved, also check
> http://www-1.ibm.com/servers/eserver/iseries/clientaccess/cafirewl.htm (a
> little old but could
> be relevant)
>
> if vpn involved check info apar II11791
>
http://www-912.ibm.com/n_dir/NAS4APAR.NSF/51d11a683a56a5cc862564c000763b23/a
> 7a17214ad50cc9d862567550029d287?OpenDocument
>
> hth
> jim franz






As an Amazon Associate we earn from qualifying purchases.

This thread ...

Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.