Multi-Server Thread Security


  • #53914
    Keith McLeod
    Participant

      Does Cloverleaf have a mechanism in place to prevent connections from IP addresses that have not been defined to connect to the multi-server protocol?

      I would prefer to block the connection; however, I will look at modifying the ACK message logic to not allow messages or responses to IP addresses that are not included in what I will call my allowed hosts list.

      Any solutions are welcome here.

      • #79510
        Jim Kosloskey
        Participant

          Keith,

          Well, I believe the IP address is contained in the metadata for Multi-server if you select ‘Use DRIVERCTL control’, I think.

          You could then check that against your list of hosts.

          However, the connection has already occurred at that point and you have a message that someone has sent – perhaps in error – and they are waiting for an acknowledgment. But because they are not someone who you want to connect, it is unlikely they will understand any negative acknowledgement you send them to let them know you are ignoring them.

          Moreover, other than stopping the connection (which throws everybody currently connected off), I don’t know of any way to just stop that connection.

          What you are wanting is a firewall I believe – I don’t think Cloverleaf is the place to do this.

          I am not aware of any other way within Cloverleaf to do what you want.

          Anyone else?

          email: jim.kosloskey@jim-kosloskey.com 30+ years Cloverleaf, 60 years IT – old fart.

        • #79511

          I agree, the firewall is the place to do this.

          -- Max Drown (Infor)

        • #79512
          Rob Abbott
          Keymaster

            Quote:

            Moreover other than stopping the connection (which throws everybody currently connected off) I don’t know of any way to just stop that connection.

            While there is no method to block the incoming connection, you can force the connection to close by sending (use disposition PROTO) a message to the driver with the following populated in DRIVERCTL (NNN=connid from the inbound message):

            Code:

            {CONNID NNN} {TCP/IP {{CLOSE 1}}} {CLOSE 1}

            So if you see an IP that you don’t like, send this and it’ll drop the connection.

            Having said this, I agree with Jim and Max – the firewall is the best place to do this.

            Rob Abbott
            Cloverleaf Emeritus
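The allowed-hosts check and the DRIVERCTL close value discussed in this thread, as an added example that is not code from any of the posters or from Cloverleaf. It is written in Python to show only the decision logic; how the peer address and connid are read from the message metadata is not shown, and all function names, the sample addresses and the assumption that connid is numeric are hypothetical.

```python
import ipaddress

# Constructed sample allow list (documentation address ranges, not real hosts).
ALLOWED_HOSTS = ["192.0.2.10", "198.51.100.0/24"]


def parse_allow_list(entries):
    """Turn host and CIDR strings into networks; a bad entry raises ValueError."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def normalize_peer(peer):
    """Parse the peer address; return None if it is not a valid IP literal."""
    try:
        addr = ipaddress.ip_address(peer.strip())
    except (ValueError, AttributeError):
        return None
    # A dual-stack listener may report IPv4 peers as ::ffff:a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def is_allowed(peer, networks):
    """Fail closed: unparseable or unlisted peers are not allowed."""
    addr = normalize_peer(peer)
    if addr is None:
        return False
    return any(addr.version == net.version and addr in net for net in networks)


def close_control(connid):
    """Build the DRIVERCTL value quoted in the thread for one connection id."""
    # Assumption: connid is a non-negative integer (the post writes it as NNN).
    # Converting it keeps braces or spaces out of the control string.
    connid = int(connid)
    if connid < 0:
        raise ValueError("connid must not be negative")
    return "{CONNID %d} {TCP/IP {{CLOSE 1}}} {CLOSE 1}" % connid


def decide(peer, connid, networks):
    """Return (action, driverctl): pass the message on, or close that connection."""
    if is_allowed(peer, networks):
        return ("PASS", None)
    return ("CLOSE", close_control(connid))
```

As the replies note, this check only runs after the connection has been accepted and a message received, so it complements a firewall rule rather than replacing it.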
