HP3000-L Archives

January 1996, Week 3

HP3000-L@RAVEN.UTC.EDU

From: Jeff Kell <[log in to unmask]>
Date: Mon, 15 Jan 1996 17:14:23 EST
On Mon, 15 Jan 1996 01:36:34 -0500 John Clark said:
>>I have recently run into an issue with R1 accessing the 3k box via
>>TCP/IP. I found that one user who was using R1 was bypassing a
>>firewall. I cannot personally duplicate the problem. I was wondering
>>if R1 uses some sockets or has some backdoor to access the 3K. Does
>>anybody know how R1 (running under win 3.11) gets to the 3k?
>
>I'm not the one to give you expert advice on protocols but when you
>mention "firewall," it strikes me that any TCP/IP firewalls would
>restrict telnet or rlogin but not necessarily VT, the proprietary HP
>protocol generally used for R1 access to the 3000.
 
If you're filtering through, say, a cisco router, be sure to include both
of the VT ports.  For example, the following will fly on a cisco acting
as a firewall in front of a secure network (much omitted):
 
! Here's the nasty filter...
no access-list 150
! First let established connections continue (fast switching)
access-list 150 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 estab
! Restrict access to HP VT/VTArpa/SQL server
access-list 150 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 1537
access-list 150 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 1570
access-list 150 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 987
<etc., plus permits for services you want to allow>
!
! Apply to interface
!
interface e 0
ip access-group 150 out
exit
 
If you're really paranoid *and* have NS/3000 you might want to filter some
of the other ARPA services (rfa/nft/rpm/etc).  If you need port numbers,
run sockinfo.net.sys and look at your call sockets ('c' command).
 
(PS - RPM is included now <I think>, since the FTP server uses it, so you
 don't need NS/3000 for it to be a concern too)
 
This isn't an authoritative list, just an example for VT and IASQL; for a
real firewall you need much more.
 
Jeff Kell <[log in to unmask]>
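The access-list above relies on Cisco first-match semantics: the "estab" line at the top lets packets with ACK or RST set through (the return half of connections opened from inside), the deny lines then stop new SYNs to the VT/VTArpa/IASQL ports, and anything not matched by a later permit falls into the implicit deny at the end of every Cisco ACL. The following is an added example, not code from the original post or from Cisco: a small Python evaluator that parses the old-style "address wildcard" ACL lines exactly as written in the post and walks constructed packets through them. The permit for TCP port 23 is a hypothetical stand-in for the "<etc., plus permits for services you want to allow>" placeholder; the IP addresses and packets are constructed test data.

```python
"""Evaluate Cisco extended-ACL lines (old 'addr wildcard' syntax) against
constructed TCP packets, to check what the post's filter actually does.

Added example; not part of the original message. Handles only the subset of
syntax used there: 'access-list N permit|deny tcp SRC SWILD DST DWILD [eq PORT]
[estab|established]'. Comment lines ('!') and 'no access-list' are skipped.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed ACL text: the post's lines plus a hypothetical telnet permit
# standing in for its "<etc., plus permits ...>" placeholder.
ACL_TEXT = """\
no access-list 150
! First let established connections continue (fast switching)
access-list 150 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 estab
! Restrict access to HP VT/VTArpa/SQL server
access-list 150 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 1537
access-list 150 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 1570
access-list 150 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 987
! Hypothetical permit (assumption, not from the post): allow telnet
access-list 150 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 23
"""

MASK32 = 0xFFFFFFFF


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _in_net(ip: int, addr: int, wild: int) -> bool:
    # Cisco wildcard: 1 bits are "don't care", so compare only the 0 bits.
    return ((ip ^ addr) & (~wild & MASK32)) == 0


@dataclass
class Rule:
    action: str              # 'permit' or 'deny'
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dst_port: Optional[int]  # None means any destination port
    established: bool        # True only for the 'estab' line

    def matches(self, src_ip: int, dst_ip: int, dst_port: int, ack_or_rst: bool) -> bool:
        if not _in_net(src_ip, self.src, self.src_wild):
            return False
        if not _in_net(dst_ip, self.dst, self.dst_wild):
            return False
        if self.dst_port is not None and dst_port != self.dst_port:
            return False
        # 'established' matches only packets carrying ACK or RST.
        if self.established and not ack_or_rst:
            return False
        return True


def parse_acl(text: str, number: int) -> List[Rule]:
    rules: List[Rule] = []
    for line in text.splitlines():
        tok = line.split()
        # Skip comments, 'no access-list', blank lines and other list numbers.
        if len(tok) < 8 or tok[0] != "access-list" or tok[1] != str(number):
            continue
        if tok[2] not in ("permit", "deny") or tok[3] != "tcp":
            raise ValueError(f"unsupported ACL line: {line}")
        rule = Rule(tok[2], _ip(tok[4]), _ip(tok[5]), _ip(tok[6]), _ip(tok[7]), None, False)
        rest, i = tok[8:], 0
        while i < len(rest):
            if rest[i] == "eq":
                rule.dst_port = int(rest[i + 1])
                i += 2
            elif rest[i] in ("estab", "established"):
                rule.established = True
                i += 1
            else:
                raise ValueError(f"unsupported keyword {rest[i]!r} in: {line}")
        rules.append(rule)
    return rules


def evaluate(rules: List[Rule], src: str, dst: str, dst_port: int,
             tcp_flags: set) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching rule); index None = implicit deny."""
    ack_or_rst = bool(tcp_flags & {"ACK", "RST"})
    s, d = _ip(src), _ip(dst)
    for idx, rule in enumerate(rules):      # first match wins
        if rule.matches(s, d, dst_port, ack_or_rst):
            return rule.action, idx
    return "deny", None                      # implicit deny at end of list


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT, 150)
    # Constructed packets: outside host 10.0.0.5 talking to inside 3000 at 192.168.1.10.
    for port, flags in ((1537, {"SYN"}), (1537, {"ACK"}), (23, {"SYN"}), (1024, {"SYN"})):
        print(port, sorted(flags), evaluate(acl, "10.0.0.5", "192.168.1.10", port, flags))
```

The SYN to 1537 is stopped by the second rule, while a packet to the same port with ACK set sails through on the "estab" line, which is the intended behaviour for replies but also why a filter like this is not a substitute for a stateful firewall.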
