
NETACCESS to protect my "ip address"

Posted: Sat Jul 21, 2012 5:18 pm
by mehi1353
Hi all,

I want to protect my PC "ip address" and my network range of addresses, so I defined these lines in tcpip.profile:


NETACCESS INBOUND OUTBOUND
172.20.149.8/32 MYPC ;my workstation
172.20.149.0/24 MYSUBNET ;my workstation subnet
DEFAULT 0 WORLD ;everything else
ENDNETACCESS


Also these profiles in the SERVAUTH class in RACF:

EZB.NETACCESS.OSMELLAT.TCPIP.MYPC
EZB.NETACCESS.OSMELLAT.TCPIP.MYSUBNET
EZB.NETACCESS.OSMELLAT.TCPIP.WORLD

After activating the new tcpip.profile and RACF profiles, I cannot ping from the mainframe to the PC:

ICH408I USER(RASTGAR ) GROUP(SYS1 ) NAME(MEHRDAD RASTGAR )
EZB.NETACCESS.OSMELLAT.TCPIP.MYPC CL(SERVAUTH)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )

But from the PC, I can still ping my mainframe IP address!!!

I think after defining the above profiles, ping from both ways should be banned.

Any idea?

best regards
mehrdad
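
Added example, not part of the original post: a short Python sketch that parses the NETACCESS block quoted above and resolves a peer address to the zone and SERVAUTH resource name that covers it. It assumes the most specific matching network wins and handles only the address/prefix form used in the post; the function names and the sample peer addresses are constructed for illustration.

```python
import ipaddress

# NETACCESS block as posted in the thread (';' starts a comment in tcpip.profile).
PROFILE = """\
NETACCESS INBOUND OUTBOUND
172.20.149.8/32 MYPC ;my workstation
172.20.149.0/24 MYSUBNET ;my workstation subnet
DEFAULT 0 WORLD ;everything else
ENDNETACCESS
"""

def parse_netaccess(text):
    """Return (directions, [(network, zone)], default_zone) from a NETACCESS block."""
    directions, entries, default_zone = [], [], None
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].split()      # drop the trailing comment
        if not tokens:
            continue
        keyword = tokens[0].upper()
        if keyword == "NETACCESS":
            directions = [t.upper() for t in tokens[1:]]
        elif keyword == "ENDNETACCESS":
            break
        elif keyword == "DEFAULT":
            default_zone = tokens[-1].upper()      # zone name is the last token
        else:
            # Only the address/prefix form from the post is handled here.
            entries.append((ipaddress.ip_network(tokens[0]), tokens[-1].upper()))
    return directions, entries, default_zone

def zone_for(peer_ip, entries, default_zone):
    """Most specific matching network wins; otherwise the DEFAULT zone (None if absent)."""
    addr = ipaddress.ip_address(peer_ip)
    matches = [(net.prefixlen, zone) for net, zone in entries if addr in net]
    return max(matches)[1] if matches else default_zone

def servauth_resource(peer_ip, sysname, tcpname, text=PROFILE):
    """SERVAUTH resource name that covers peer_ip, or None if no zone applies."""
    _, entries, default_zone = parse_netaccess(text)
    zone = zone_for(peer_ip, entries, default_zone)
    return f"EZB.NETACCESS.{sysname}.{tcpname}.{zone}" if zone else None

if __name__ == "__main__":
    for ip in ("172.20.149.8", "172.20.149.77", "10.1.2.3"):  # constructed sample peers
        print(ip, "->", servauth_resource(ip, "OSMELLAT", "TCPIP"))
```

The workstation address matches both the /32 and the /24 entry, and the /32 decides, so the profile checked for it is the MYPC one that appears in the ICH408I message.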

Re: NETACCESS to protect my "ip address"

Posted: Mon Jul 23, 2012 11:57 am
by jaggz
Hi,

Do you want to disable the ping command from the PC? Or should a user just get a message such as "you are not authorized to ping" or something?

Could you please clarify? Did you try with the other two profiles, and what does it say?

Jaggz

Re: NETACCESS to protect my "ip address"

Posted: Tue Jul 24, 2012 11:06 am
by mehi1353
Hi,

No, I do not want to disable ping. Ping was just a test for me. I want to disable telnet from all stations, except my personal PC and my personal userid. So I defined NETACCESS zones in the tcpip profile and defined NETACCESS profiles in RACF. Then I permitted READ access to my userid in profile EZB.NETACCESS.OSMELLAT.TCPIP.MYPC.

I expected that telnet would be banned from all stations and userids, except mypc and my userid.

But the SERVAUTH profiles don't work on my system.

I did all this process based on IBM documents.

Is there anything wrong?

Best regards

Re: NETACCESS to protect my "ip address"

Posted: Tue Jul 24, 2012 12:31 pm
by jaggz
Hi,

"but servauth profiles doesn't work on my system. "

Please check whether the SERVAUTH class is activated. If not, try to activate it with CLASSACT(SERVAUTH).

Re: NETACCESS to protect my "ip address"

Posted: Tue Jul 24, 2012 4:00 pm
by mehi1353
Hi,

No. I'm sure that the SERVAUTH class is active, because when pinging from the mainframe to my network zone (mypc), the SERVAUTH profile banned me:

ICH408I USER(RASTGAR ) GROUP(SYS1 ) NAME(MEHRDAD RASTGAR )
EZB.NETACCESS.OSMELLAT.TCPIP.MYPC CL(SERVAUTH)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )


But it cannot prevent telnet from MYPC to the mainframe. Why?


best regards

Re: NETACCESS to protect my "ip address"

Posted: Tue Jul 24, 2012 5:39 pm
by Robert Sample
Have you looked at EZARACF in SEZAINST? That mentions resource EZB.PORTACCESS.sysname.tcpprocname.port

Re: NETACCESS to protect my "ip address"

Posted: Wed Jul 25, 2012 8:24 am
by jaggz
Hi,

Hope you did SETR RACLIST(SERVAUTH) REFR after permitting?

Re: NETACCESS to protect my "ip address"

Posted: Wed Jul 25, 2012 10:03 am
by mehi1353
Hi,

Yes, I use the "refresh" command after defining and permitting.

"Portaccess" doesn't satisfy me, because I want to find a way of limiting a userid to his/her tcpip terminal. Netaccess is my best choice. But unfortunately netaccess doesn't work for telnet access from different netaccess zones. After activating the netaccess profiles, still anyone can logon from anywhere.


all the best

Re: NETACCESS to protect my "ip address"

Posted: Wed Jul 25, 2012 7:34 pm
by dick scherrer
Hello,

"still anyone can logon from anywhere."

Which is how it is intended to work . . .

Why does someone believe this is a problem?

In most organizations, ip addresses and/or terminal ids are acquired dynamically making this restriction obsolete (if it ever was needed).

Keep in mind that your environment may be upgraded someday so that there are no "permanent" ip addresses for terminals . . .