limiting service access by hme#

Post by Phil » Thu, 16 Aug 2001 05:59:27

All -

I have a Sun e450/Solaris 7 with hme0 and hme1. hme0 goes to a
non-secure network. hme1 goes to a private, secure network that only
has one other device on it.

hme1 *must* have ftp, rlogin and nfs ports open. I definitely do NOT
want those (and other ports) open on the hme0 interface. How can I
accomplish this? Is there a way of having /etc/services and
/etc/inetd.conf PER hme#? Some other mechanism? (TCPWrappers is not an
option at this point, but I hope to use it in the future ...).

Please post or email and I will summarize to the group(s).

philc
phil-atnospam-macostech.com


limiting service access by hme#

Post by Akop Pogosia » Thu, 16 Aug 2001 07:27:58

> All -
> I have a Sun e450/Solaris 7 with hme0 and hme1. hme0 goes to a
> non-secure network. hme1 goes to a private, secure network that only
> has one other device on it.
> hme1 *must* have ftp, rlogin and nfs ports open. I definitely do NOT
> want those (and other ports) open on the hme0 interface. How can I
> accomplish this? Is there a way of having /etc/services and
> /etc/inetd.conf PER hme#? Some other mechanism? (TCPWrappers is not an
> option at this point, but I hope to use it in the future ...).
> Please post or email and I will summarize to the group(s).
> philc
> phil-atnospam-macostech.com

The best way to do this is to use a packet filter such as IP Filter:
http://coombs.anu.edu.au/~avalon/ip-filter.html

or SunScreen.

-akop
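An added example of the IP Filter route this reply points to; it is not code from the thread or from the IP Filter project. It assumes IP Filter 3.4.x on Solaris 7 reading its rules from /etc/opt/ipf/ipf.conf, hme1 as the trusted side, hme0 as the untrusted side, and ssh as the one service still wanted from hme0; the path, interface names and the ssh rule are all assumptions to adjust. The ruleset is built by a shell function so it can be inspected and counted on a machine that does not have IP Filter installed:

```shell
#!/bin/sh
# Added example (not from the thread): emit an IP Filter ruleset that keeps
# ftp, rlogin and NFS reachable only through the trusted interface.
# Assumed: IP Filter 3.4.x on Solaris 7, config path /etc/opt/ipf/ipf.conf,
# trusted=hme1, untrusted=hme0, and ssh as the one service still wanted on
# hme0.  Adjust all of these to the real host.

# gen_ipf_rules TRUSTED_IF UNTRUSTED_IF   -> ruleset on stdout
gen_ipf_rules() {
    trusted="$1"; untrusted="$2"
    cat <<EOF
# loopback and the private side are trusted completely
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on ${trusted} all
pass out quick on ${trusted} all

# untrusted side: default deny inbound.  ipf is last-match-wins unless a
# rule says "quick", so this catch-all goes first and the explicit
# "pass ... quick" rules further down override it.
block in log on ${untrusted} all

# let this host open its own connections out of ${untrusted} and get replies
pass out quick on ${untrusted} proto tcp from any to any flags S keep state
pass out quick on ${untrusted} proto udp from any to any keep state
pass out quick on ${untrusted} proto icmp from any to any keep state

# The default deny already covers these; separate logged rules make
# probes for the private services easy to spot in ipmon output.
# NFS is not just 2049: mountd, lockd and statd register with rpcbind
# (port 111) on dynamic ports, which is why a port list alone would not
# be enough and the default deny above is the real protection.
EOF
    for svc in ftp:tcp:21 login:tcp:513 sunrpc:tcp:111 sunrpc:udp:111 \
               nfs:tcp:2049 nfs:udp:2049; do
        name=${svc%%:*}; rest=${svc#*:}; proto=${rest%%:*}; port=${rest#*:}
        printf '# %s\nblock in log quick on %s proto %s from any to any port = %s\n' \
            "$name" "$untrusted" "$proto" "$port"
    done
    cat <<EOF

# whatever must stay reachable from the untrusted net, e.g. ssh
pass in quick on ${untrusted} proto tcp from any to any port = 22 flags S keep state
EOF
}

# Number of non-comment rules that apply to an interface; lets the ruleset
# be sanity-checked without loading it into the kernel.
count_rules_for() {
    gen_ipf_rules hme1 hme0 | grep -v '^#' | grep -c " on $1 "
}

if command -v ipf >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    gen_ipf_rules hme1 hme0 > /etc/opt/ipf/ipf.conf
    ipf -E                              # enable the filter (Solaris needs this)
    ipf -Fa -f /etc/opt/ipf/ipf.conf    # flush old rules, load the new set
    ipfstat -io                         # confirm what the kernel now holds
else
    gen_ipf_rules hme1 hme0             # no ipf here: just show the ruleset
fi
```

After loading, a host on the hme0 side should get no banner from `telnet <hme0 address> 21` and a failure from `rpcinfo -p <hme0 address>`, while the peer on hme1 still gets both; `ipmon -s` shows the logged drops. The default deny matters more than the six explicit block rules, because the NFS helper daemons do not sit on fixed ports.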


limiting service access by hme#

Post by Greg Andre » Thu, 16 Aug 2001 07:29:48

>All -

>I have a Sun e450/Solaris 7 with hme0 and hme1. hme0 goes to a
>non-secure network. hme1 goes to a private, secure network that only
>has one other device on it.

>hme1 *must* have ftp, rlogin and nfs ports open. I definitely do NOT
>want those (and other ports) open on the hme0 interface. How can I
>accomplish this?

A packet filtering router on the hme0 interface is often the
simplest approach.

  -Greg
--

I have a map of the United States that's actual size
                 -- Steven Wright


limiting service access by hme#

Post by Dave Mine » Fri, 17 Aug 2001 00:23:10

> All -

> I have a Sun e450/Solaris 7 with hme0 and hme1. hme0 goes to a
> non-secure network. hme1 goes to a private, secure network that only
> has one other device on it.

> hme1 *must* have ftp, rlogin and nfs ports open. I definitely do NOT
> want those (and other ports) open on the hme0 interface. How can I
> accomplish this? Is there a way of having /etc/services and
> /etc/inetd.conf PER hme#? Some other mechanism? (TCPWrappers is not an
> option at this point, but I hope to use it in the future ...).

If you were running Solaris 8, I'd tell you to use the built-in IPsec
filtering.  But since you're not, I'd concur with others who suggested
either IPfilter or an external filtering router.

Dave


limiting service access by hme#

Post by Thomas H Jones I » Fri, 17 Aug 2001 01:36:03

>All -

>I have a Sun e450/Solaris 7 with hme0 and hme1. hme0 goes to a
>non-secure network. hme1 goes to a private, secure network that only
>has one other device on it.

>hme1 *must* have ftp, rlogin and nfs ports open. I definitely do NOT
>want those (and other ports) open on the hme0 interface. How can I
>accomplish this? Is there a way of having /etc/services and
>/etc/inetd.conf PER hme#? Some other mechanism? (TCPWrappers is not an
>option at this point, but I hope to use it in the future ...).

for ftp and rlogin, xinetd would allow you to configure services per
interface.

for nfs, you'd need a kernel level packet filter like ipfilterd.

-tom
--

"You can only be -so- accurate with a claw-hammer."  --me
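An added example for the xinetd half of this reply, not code from the thread or from the xinetd project. It assumes xinetd 2.3.x reading /etc/xinetd.conf, hme1 at 192.168.10.1, and the Solaris 7 daemon paths /usr/sbin/in.ftpd and /usr/sbin/in.rlogind (all assumptions). The second half is the check worth running afterwards whichever approach in this thread is taken: an awk filter over netstat -an output that lists every TCP port still listening on the wildcard address, shown here on constructed sample output rather than a live capture:

```shell
#!/bin/sh
# Added example (not from the thread): bind ftp and rlogin to the trusted
# interface with xinetd, then verify with netstat which TCP listeners are
# still on the wildcard address.  Assumed: xinetd 2.3.x, /etc/xinetd.conf,
# hme1 = 192.168.10.1, Solaris 7 daemon paths.  netstat samples are constructed.

# gen_xinetd_conf TRUSTED_ADDR  -> xinetd.conf on stdout
gen_xinetd_conf() {
    addr="$1"
    net="${addr%.*}.0"      # xinetd treats a trailing 0 octet as "whole net"
    cat <<EOF
defaults
{
        log_type       = SYSLOG daemon info
        log_on_success = PID HOST EXIT
        log_on_failure = HOST
}

# "bind" (alias "interface") makes xinetd listen on this address only, so
# no socket for the service ever exists on hme0's address.  "only_from" is
# an independent check on the peer address; keeping both means a mistake
# in one does not expose the service.
service ftp
{
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = root
        server      = /usr/sbin/in.ftpd
        bind        = ${addr}
        only_from   = ${net}
}

service login
{
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = root
        server      = /usr/sbin/in.rlogind
        bind        = ${addr}
        only_from   = ${net}
}
EOF
}

# Read "netstat -an" output on stdin; print, space separated and sorted,
# every TCP port listening on "*." (all addresses, i.e. hme0 included).
wildcard_listeners() {
    awk '$NF == "LISTEN" && $1 ~ /^\*\./ { n = split($1, a, "."); print a[n] }' |
        sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Exit 0 if none of the given ports is wildcard-bound, 1 otherwise.
private_only() {
    found=" $(wildcard_listeners) "
    for p in "$@"; do
        case "$found" in *" $p "*) return 1 ;; esac
    done
    return 0
}

# Constructed Solaris-style "netstat -an" output: before the change ...
SAMPLE_BEFORE='TCP
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.21                 *.*                0      0     0      0 LISTEN
      *.513                *.*                0      0     0      0 LISTEN
      *.111                *.*                0      0     0      0 LISTEN
      *.2049               *.*                0      0     0      0 LISTEN
      *.22                 *.*                0      0     0      0 LISTEN
192.168.10.1.22      192.168.10.2.1023  8760      0  8760      0 ESTABLISHED'

# ... and after: ftp and rlogin now sit on the hme1 address only, while
# rpcbind and nfsd (not run from xinetd) are still wildcard-bound, which
# is the part only a packet filter can fix.
SAMPLE_AFTER='TCP
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
192.168.10.1.21      *.*                  0      0     0      0 LISTEN
192.168.10.1.513     *.*                  0      0     0      0 LISTEN
      *.111                *.*                0      0     0      0 LISTEN
      *.2049               *.*                0      0     0      0 LISTEN
      *.22                 *.*                0      0     0      0 LISTEN'

gen_xinetd_conf 192.168.10.1
printf 'wildcard before: %s\n' "$(printf '%s\n' "$SAMPLE_BEFORE" | wildcard_listeners)"
printf 'wildcard after:  %s\n' "$(printf '%s\n' "$SAMPLE_AFTER"  | wildcard_listeners)"
```

The xinetd part only helps for services inetd would have started: the ftp and login lines must also come out of /etc/inetd.conf and inetd be sent SIGHUP, otherwise inetd still offers them on every address and xinetd may fail to bind its own socket. rpcbind and nfsd are not xinetd services, which is what the "after" sample shows and why this reply points at a packet filter for NFS.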

