On Mon, 15 Jan 1996 01:36:34 -0500 John Clark said:

>>I have recently run into an issue with R1 accessing the 3k box via
>>TCP/IP. I found that one user who was using R1 was bypassing a
>>firewall. I cannot personally duplicate the problem. I was wondering
>>if R1 uses some sockets or has some backdoor to access the 3K. Does
>>anybody know how R1 (running under win 3.11) gets to the 3k?
>
>I'm not the one to give you expert advice on protocols but when you
>mention "firewall," it strikes me that any TCP/IP firewalls would
>restrict telnet or rlogin but not necessarily VT, the proprietary HP
>protocol generally used for R1 access to the 3000.

If you're filtering through, say, a cisco router, be sure to include
both of the VT ports. For example, the following will fly on a cisco
acting as a firewall in front of a secure network (much omitted):

! Here's the nasty filter...
no access-list 150
! First let established connections continue (fast switching)
access-list 150 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 estab
! Restrict access to HP VT/VTArpa/SQL server
access-list 150 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 1537
access-list 150 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 1570
access-list 150 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 987
<etc., plus permits for services you want to allow>
!
! Apply to interface
!
interface e 0
ip access-group 150 out
exit

If you're really paranoid *and* have NS/3000 you might want to filter
some of the other ARPA services (rfa/nft/rpm/etc). If you need port
numbers, run sockinfo.net.sys and look at your call sockets ('c'
command). (PS - RPM is included now <I think> since FTP server uses it
so you don't need NS/3000 to have to worry about it too)

This isn't an authoritative list, just an example for VT and IASQL; for
a real firewall you need much more.

Jeff Kell <[log in to unmask]>
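The point of the thread, that a filter written with only telnet in mind leaves the HP VT ports (1537, 1570, 987) wide open, can be checked offline. The following is an added example, not code from the post or from HP or cisco: a small evaluator that parses cisco-style extended access-list lines and applies them the way IOS does (first matching entry wins, implicit deny at the end; "estab" is an accepted abbreviation of "established"). It runs Jeff's filter and a constructed "telnet-only" filter over the same first packet of a VT session. The IP addresses, the second access list and the `hp3000`/`outside` names are assumptions made up for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Jeff's filter, copied from the post above. Comment lines, the
# "no access-list" line and the <etc.> placeholder are skipped by the parser.
JEFF_ACL = """
! Here's the nasty filter...
no access-list 150
! First let established connections continue (fast switching)
access-list 150 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 estab
! Restrict access to HP VT/VTArpa/SQL server
access-list 150 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 1537
access-list 150 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 1570
access-list 150 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 987
<etc., plus permits for services you want to allow>
"""

# Constructed for this example: a filter that only thinks about telnet
# (blocks port 23, permits everything else). This is the kind of "firewall"
# a VT session walks straight through.
TELNET_ONLY_ACL = """
access-list 151 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 estab
access-list 151 deny tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255 eq 23
access-list 151 permit tcp 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip"
    src: int                    # source address and cisco wildcard mask
    src_wild: int
    dst: int                    # destination address and wildcard mask
    dst_wild: int
    dst_port: Optional[int]     # None = any destination port
    established: bool           # entry matches only ACK/RST segments

# Grammar subset: access-list N permit|deny proto src wild dst wild [eq port] [established]
ENTRY_RE = re.compile(
    r"^access-list\s+\d+\s+(permit|deny)\s+(\w+)\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)"
    r"(?:\s+eq\s+(\d+))?"
    r"(?:\s+(estab\w*))?\s*$"
)

def ip_to_int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m is None:               # comments, "no access-list", placeholders
            continue
        action, proto, src, sw, dst, dw, port, estab = m.groups()
        entries.append(Entry(action, proto, ip_to_int(src), ip_to_int(sw),
                             ip_to_int(dst), ip_to_int(dw),
                             int(port) if port else None, estab is not None))
    return entries

def wildcard_match(addr: int, entry_addr: int, wildcard: int) -> bool:
    # In a cisco wildcard mask a 1 bit means "don't care"; compare the 0 bits only.
    care = ~wildcard & 0xFFFFFFFF
    return (addr & care) == (entry_addr & care)

def evaluate(entries: List[Entry], proto: str, src: str, dst: str,
             dst_port: int, established: bool) -> str:
    """First matching entry decides; an IOS access list ends in an implicit deny."""
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if not wildcard_match(ip_to_int(src), e.src, e.src_wild):
            continue
        if not wildcard_match(ip_to_int(dst), e.dst, e.dst_wild):
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        if e.established and not established:
            continue
        return e.action
    return "deny"

# Constructed addresses (RFC 5737 documentation ranges), not anyone's real hosts.
OUTSIDE, HP3000 = "192.0.2.10", "198.51.100.5"

def first_packet_verdicts(acl_text: str) -> dict:
    """Verdict for the first (non-established) packet of each service toward the 3000."""
    entries = parse_acl(acl_text)
    services = {"telnet": 23, "vt": 1537, "vtarpa": 1570, "iasql": 987}
    return {name: evaluate(entries, "tcp", OUTSIDE, HP3000, port, established=False)
            for name, port in services.items()}

def reply_traffic_allowed(acl_text: str) -> bool:
    """Return traffic of an already established session must still pass (the 'estab' rule)."""
    entries = parse_acl(acl_text)
    return evaluate(entries, "tcp", HP3000, OUTSIDE, 40000, established=True) == "permit"

if __name__ == "__main__":
    for label, acl in (("telnet-only", TELNET_ONLY_ACL), ("Jeff's filter", JEFF_ACL)):
        print(f"{label:14} {first_packet_verdicts(acl)}  replies ok: {reply_traffic_allowed(acl)}")
```

Running it shows the telnet-only filter denying port 23 but permitting the first packet to 1537, 1570 and 987, while Jeff's filter denies all four (telnet falls through to the implicit deny because no permit for it was listed); established replies pass in both. Ordering matters: the "estab" permit has to come first so return traffic is never caught by the port denies, and anything you want to allow must be permitted explicitly before the implicit deny.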