Configuration entries on host max:
--------------------------------------------------------------------------------
/usr/isi/config/ipif
--------------------
NET is0 TYPE isdn ADDR 200.0.0.1 ACCESS out
/usr/isi/config/ip
------------------
INET 200.0.0.2 ISDN moritz,tcp/ip ACCOUNTING ACCESS in
/usr/isi/config/ipacc
---------------------
NAME out
ALLOW telnet
NAME in
ALLOW CLIENTS
With this configuration only a telnet from max to moritz will work: the
"out" list passes frames to destination port 23/tcp, and the "in" list
passes the replies, whose destination is max's client port. Everything
else is dropped by the implicit DENY ALL at the end of each list
(provided the hosts use the expected port numbers; see the REMARK below).
If you want to allow an rlogin from moritz to max instead, you have to
specify the following (rlogin uses port 513/tcp, service name "login").
Note that this file replaces the one above, so the telnet from max no
longer works; to permit both, each list needs both entries. Note also
that rlogin clients bind a reserved source port (512-1023, as RFC 1282
requires), which lies outside the CLIENTS range, so in practice max's
replies also need explicit entries for those ports (see the first REMARK
below):
--------------------------------------------------
/usr/isi/config/ipacc
---------------------
NAME out
ALLOW CLIENTS
NAME in
ALLOW login
To get the right information:
-----------------------------
1. Do not use any ACCESS control yet (the interface is unfiltered while
   you collect, so keep this phase short).
2. Enable ACCOUNTING (keyword ACCOUNTING in the IP-file, as in the entry
   for moritz above).
3. Watch your /usr/isi/acct/ip2 file for the port numbers actually used
   and decide which of them you want to allow (look them up in
   /etc/services).
4. Make the entries in your /usr/isi/config/ipacc file, and run
   "isipctl sync" after editing it. This is important, because the
   access lists are enforced by isipd, which has to be told about the
   change.
/usr/isi/acct/ip2 file entry on host max:
-----------------------------------------
2. ... 6 200.0.0.1:23 200.0.0.2:1052 200.0.0.2 ...
In this example, max is the client and the remote host (moritz) is the
server.
Outgoing IP-frames can be restricted by an access list named in the
IPIF-file (the ACCESS keyword of the interface entry, "ACCESS out" above);
incoming IP-frames by an access list named in the IP-file (the ACCESS
keyword of the host entry, "ACCESS in" above).
You can control (restrict/allow) only the destination port of an
IP-frame; the source port is not examined. An entry such as ALLOW CLIENTS
therefore passes every frame whose destination port lies in the client
range, not only the replies to connections this host opened.
In the /usr/isi/acct/ip2 file you cannot see whether a frame was tcp or
udp, but /etc/services resolves the port number to the service name and
protocol:
/etc/services
--------------------------------------------------------------------------------
...
login 513/tcp
who 513/udp whod
...
telnet 23/tcp
REMARK: There are TCP/IP implementations which use CLIENT port numbers
below 1024, e.g. 1019, although the RFCs set that range aside for
well-known server ports (seen within some Solaris 2.3 implementations;
rlogin and rsh clients do it by design, because RFC 1282 requires the
client's source port to be in the range 512-1023). In this case the
keyword CLIENTS will not be enough to allow IP-frames with this
destination port. You can make an extra entry for this port:
ALLOW 1019/tcp and/or ALLOW 1019/udp.
REMARK: The access list is searched sequentially; the first matching
entry decides whether the IP-frame may pass the interface, so put
specific entries before general ones. At the end of each access list
there is an implicit DENY ALL: anything not explicitly allowed is dropped.
CLIENT ports:
-------------
Release  | portnumber range
---------+-------------------------------------------
< 4.3x   | [1024;5999]
>= 4.3x  | [1024;4999] & >= 32768 (used by Solaris)

SERVER ports:
-------------
Release  | portnumber range
---------+-------------------------------------------
< 4.3x   | [0;1023]
>= 4.3x  | [0;1023] & [5000;32767]
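The rules above (destination port only, first match wins, implicit DENY ALL, CLIENTS as a release-dependent port range) are small enough to model, which makes it possible to check an ipacc file before running "isipctl sync". The following Python script is an added example written for this page, not ISI software: it replays the two ipacc files shown above and the cases from both REMARKs. It assumes a DENY keyword with the same syntax as ALLOW (the page only shows ALLOW), embeds the three /etc/services lines shown above as its lookup table, and uses constructed client port numbers (1052 from the ip2 excerpt, 1019 from the REMARK, 5500 and 40000 to show the release difference).

```python
"""Model of the isipd access-list rules described on this page.

Added example, not ISI code.  It reproduces only what the text states: a
list sees the destination port of a frame, is searched top to bottom, the
first matching entry decides, and an implicit DENY ALL ends every list.
CLIENTS expands to the release-dependent ranges from the tables above.
Assumptions: a DENY keyword (same syntax as ALLOW), the /etc/services
excerpt below, and the constructed port numbers used in the demo.
"""

# Constructed excerpt of /etc/services (the three lines shown on the page).
SERVICES = {"telnet": (23, "tcp"), "login": (513, "tcp"), "who": (513, "udp")}

# CLIENT port ranges per release, from the "CLIENT ports" table.
CLIENT_RANGES = {
    "<4.3x": [(1024, 5999)],
    ">=4.3x": [(1024, 4999), (32768, 65535)],
}

# The page's two ipacc files, plus two variants built for this demo.
IPACC_TELNET_ONLY = "NAME out\nALLOW telnet\nNAME in\nALLOW CLIENTS\n"
IPACC_RLOGIN_ONLY = "NAME out\nALLOW CLIENTS\nNAME in\nALLOW login\n"
IPACC_RLOGIN_1019 = "NAME out\nALLOW CLIENTS\nALLOW 1019/tcp\nNAME in\nALLOW login\n"
IPACC_BOTH = ("NAME out\nALLOW telnet\nALLOW CLIENTS\n"
              "NAME in\nALLOW login\nALLOW CLIENTS\n")


def parse_ipacc(text):
    """Parse NAME/ALLOW/DENY lines into {list_name: [(action, target), ...]}."""
    lists, current = {}, None
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if not parts:
            continue
        keyword = parts[0].upper()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "NAME":
            current = arg
            lists.setdefault(current, [])
        elif keyword in ("ALLOW", "DENY"):       # DENY is an assumed keyword
            if current is None:
                raise ValueError("entry before any NAME: %r" % raw)
            lists[current].append((keyword, arg))
        else:
            raise ValueError("unknown keyword: %r" % raw)
    return lists


def entry_matches(target, port, proto, release):
    """One ALLOW/DENY target against a frame's destination port and protocol."""
    if target.upper() == "CLIENTS":
        return any(lo <= port <= hi for lo, hi in CLIENT_RANGES[release])
    if "/" in target:                             # explicit "1019/tcp" form
        num, _, pr = target.partition("/")
        return int(num) == port and pr.lower() == proto
    if target not in SERVICES:
        raise ValueError("%r is not in /etc/services" % target)
    return SERVICES[target] == (port, proto)      # a name fixes port AND protocol


def frame_passes(lists, list_name, port, proto, release=">=4.3x"):
    """First matching entry decides; no match is the implicit DENY ALL."""
    for action, target in lists[list_name]:
        if entry_matches(target, port, proto, release):
            return action == "ALLOW"
    return False


def session_works(text, local_is_client, server_port, client_port,
                  proto="tcp", release=">=4.3x"):
    """Both directions must pass: frames towards the server carry the server
    port as destination, replies carry the client port.  'out' (IPIF-file)
    filters outgoing frames, 'in' (IP-file) filters incoming ones."""
    lists = parse_ipacc(text)
    to_server, reply = ("out", "in") if local_is_client else ("in", "out")
    return (frame_passes(lists, to_server, server_port, proto, release)
            and frame_passes(lists, reply, client_port, proto, release))


def telnet_max_to_moritz(text, client_port=1052, release=">=4.3x"):
    """max is the client (port 1052 as in the ip2 excerpt), moritz serves 23/tcp."""
    return session_works(text, True, 23, client_port, "tcp", release)


def rlogin_moritz_to_max(text, client_port, release=">=4.3x"):
    """moritz is the client, max serves login 513/tcp."""
    return session_works(text, False, 513, client_port, "tcp", release)


if __name__ == "__main__":
    print("telnet max->moritz, telnet-only file :", telnet_max_to_moritz(IPACC_TELNET_ONLY))
    print("rlogin moritz->max, telnet-only file :", rlogin_moritz_to_max(IPACC_TELNET_ONLY, 1052))
    print("rlogin moritz->max, rlogin-only file :", rlogin_moritz_to_max(IPACC_RLOGIN_ONLY, 1052))
    print("  same, client port 1019 (REMARK)    :", rlogin_moritz_to_max(IPACC_RLOGIN_ONLY, 1019))
    print("  same, with ALLOW 1019/tcp on 'out' :", rlogin_moritz_to_max(IPACC_RLOGIN_1019, 1019))
    print("513/udp (who) through 'ALLOW login'  :",
          frame_passes(parse_ipacc(IPACC_RLOGIN_ONLY), "in", 513, "udp"))
    print("reply to port 5500, release <4.3x / >=4.3x:",
          telnet_max_to_moritz(IPACC_TELNET_ONLY, 5500, "<4.3x"),
          telnet_max_to_moritz(IPACC_TELNET_ONLY, 5500, ">=4.3x"))
```

Running it shows that the telnet-only file blocks the rlogin, the rlogin-only file blocks the telnet, that ALLOW login does not pass 513/udp (the "who" service), and that a moritz rlogin client on port 1019 gets through only with the extra ALLOW 1019/tcp on the out list. Since the page shows only single-port entries, one such line is needed for every client port you expect to see.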