Hi all,
Richard Sims wrote:
> Remco -
> Perhaps you could elaborate on how this would be useful? Having the
> server ignore requests which come into the system via a certain path
> doesn't seem productive.
It is, actually, from a security perspective. This way, one could
dedicate an instance to a subnet and be very sure it is impossible to
reach from other subnets.
One other use would be to have each instance listen on port 1500 of a
dedicated IP address (rather than a dedicated port on a shared IP
address), though I currently don't envision using TSM that way.
> Anyway, what you envision seems better effected via a firewall
> implemented at the environmental level (in the OS, or a router)
> rather than in an application (TSM).
Host based firewalls could accomplish the same but:
1- add additional load to the host, unneeded since this could very
easily be programmed in the server
2- add additional cost in system administration
3- on AIX there is neither a built-in firewall, nor do any of the freeware
firewalls support AIX.
4- this is very easily implemented in the system calls required to set up
a TCP server anyway.
The network firewall is ineffective against hosts on the same subnet.
Not that I distrust these, but auditors might...
The reason I'd like to see this implemented in TSM is that the
application seems to be the proper place to configure the application. A
great many applications (webserver, ftp servers, dns servers etc.) all
provide this feature.
> Richard Sims
> On Apr 27, 2005, at 5:17 AM, Remco Post wrote:
>> Hi All,
>> We are running TSM v. 5.2.3 on AIX 5.2. Currently all of our TSM
>> server instances listen on all IP addresses configured in the OS. I
>> was wondering if anyone has found a way to make the TSM server not
>> listen for connections on one or more ip-addresses. I'm sure this
>> would be very useful in my environment.
--
Met vriendelijke groeten,
Remco Post
SARA - Reken- en Netwerkdiensten http://www.sara.nl
High Performance Computing Tel. +31 20 592 3000 Fax. +31 20 668 3167
"I really didn't foresee the Internet. But then, neither did the
computer industry. Not that that tells us very much of course - the
computer industry didn't even foresee that the century was going to
end." -- Douglas Adams
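
The address restriction discussed in this thread comes down to which address a server passes to bind(). The following is an added example, not part of the original message and not TSM code: it compares a listener bound to one address with one bound to the wildcard address. The helper names (mk_addr, listen_on, reachable_via) are hypothetical, and the demo assumes a Linux-style loopback where every 127.0.0.0/8 address is local, so that 127.0.0.2 can stand in for a second interface.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill sa for ip:port; returns 1 on success (inet_pton convention). */
static int mk_addr(struct sockaddr_in *sa, const char *ip, unsigned short port) {
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr);
}

/* Listener bound to one address ("0.0.0.0" = every address on the host).
   Port 0 lets the kernel pick a free port, returned through *port. */
int listen_on(const char *ip, unsigned short *port) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (mk_addr(&sa, ip, 0) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||  /* the address filter */
        listen(fd, 4) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) { close(fd); return -1; }
    *port = ntohs(sa.sin_port);
    return fd;
}

/* 1 if a TCP connect aimed at probe_ip reaches a listener bound to bind_ip,
   0 if the connect is refused, -1 on setup error. */
int reachable_via(const char *bind_ip, const char *probe_ip) {
    struct sockaddr_in sa;
    unsigned short port;
    int ok, c, l = listen_on(bind_ip, &port);
    if (l < 0) return -1;
    c = socket(AF_INET, SOCK_STREAM, 0);
    ok = c >= 0 && mk_addr(&sa, probe_ip, port) == 1 &&
         connect(c, (struct sockaddr *)&sa, sizeof sa) == 0;
    if (c >= 0) close(c);
    close(l);
    return ok;
}

int main(void) {
    printf("bound 127.0.0.1, probe 127.0.0.2: %d\n", reachable_via("127.0.0.1", "127.0.0.2"));
    printf("bound 0.0.0.0,   probe 127.0.0.2: %d\n", reachable_via("0.0.0.0", "127.0.0.2"));
    return 0;
}
```

With a specific bind address the kernel refuses connections aimed at any other local address before the application sees them, which is the property an auditor can verify from a listing of listening sockets.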