|
Yes, I agree that packet filtering will stop outbound traffic, but I ruled it out because it is not user specific and could very easily lock all users out of the system. Packet filter rules are usually used to prevent incoming traffic, and it would be relatively unusual to configure it to prevent outgoing traffic without also preventing incoming traffic. Extreme care will need to be taken. Are Telnet and FTP allowed into the system from the internet (dangerous) and would the packet filter be configured to prevent incoming traffic as well???? Do you have the luxury of a test box to play with - with twinax terminals?? I like Vern's idea of setting up authority for the Telnet/ftp commands. That way only authorised users will have telnet/ftp access. If you do change the command authorities, create a CL program to perform these changes. That way, you can easily reapply these authorities after updating the operating system in the future. Syd Tom Liotta wrote:
It should be noted that a builtin form of packet filtering can indeed prevent outbound green-screen telnet (or ftp or...) to specific ports, IP addresses, sub-nets, etc., though I haven't seen a way to control by user (nor have I looked). In OpsNav under the iSeries connection in question, expand Network/IP Policies, then select the <Configuration> pop-up menu item for Packet Rules. Begin with <File/New File> and immediately create a default filter set that allows everything -- this will become a catch-all filter set that will be added as the final filter set in all rules you create until you learn enough to avoid locking yourself out when you activate rules. Handy tip: _ALWAYS_ have a non-TCP/IP session available when testing, e.g., a twinax console or SNA passthru. If this is not reasonable, then do something ahead of time such as submit a scheduled job to run the RMVTCPTBL TBL(*IPFTR) command a few minutes in the future to undo whatever you did because it's trivially easy to lock OpsNav out along with almost everything and everyone else. The default behavior is to _deny_ everything that you didn't explicitly allow and that facility works _very_ well. There are reasons not to use Packet Rules, but the rules definitely work. Take care in implementing and be aware of potential TCP/IP performance issues, etc. Anybody know of a good write-up on this? Experimentation is not the best way to learn it, especially on a production system. Tom Liotta midrange-l-request@midrange.com wrote:7. Re: query on ip configuration (Dr Syd Nicholson) Further to my previous comment: Packet filtering should be able to block specific traffic from the internal network, but it won't prevent a user on a green screen session using telnet/ftp to another machine. Syd Nicholson KSI wrote:-- [ Picked text/plain from multipart/alternative ] Hi All, I'm facing a typical situation. I have a iseries server with a single eth=ernet card, configured for 3 network addresses. one internal & two extenal= ip's( all with seperate route, subnet mask). The surprising thing is the = user who's configured to the local network (does not have any access to the= external ip's) connects to the iseries server. And....from here he can do = a telnet/ftp to any server that is attached to the external network(interne= t). Can anyone comment how is it possible for the local user connected to = the iseries to gets access to the internet??How to restrict the local user from accessing the external network (intern=et) when connected to the iseries having a external ip configured??-- -- Tom Liotta The PowerTech Group, Inc. 19426 68th Avenue South Kent, WA 98032 Phone 253-872-7788 x313 Fax 253-872-7904 http://www.powertechgroup.com __________________________________________________________________ The NEW Netscape 7.0 browser is now available. Upgrade now! http://channels.netscape.com/ns/browsers/download.jsp Get your own FREE, personal Netscape Mail account today at http://webmail.netscape.com/ _______________________________________________ This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@midrange.com To subscribe, unsubscribe, or change list options, visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l or email: MIDRANGE-L-request@midrange.com Before posting, please take a moment to review the archives at http://archive.midrange.com/midrange-l.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.