Jeremy Begg wrote:
> Hi,
>
> Process Software MultiNet V5.0 Rev A-X, COMPAQ AlphaServer DS20E 666 MHz,
> OpenVMS AXP V7.3-2
>
> This machine has two ethernet interfaces, one of which has been disused for
> a long time but is now being considered for connecting some wireless gear.
>
> One of the reasons for doing this is to use MultiNet to isolate the wireless
> bits of the network from the rest of the office LAN (thus hopefully minimising
> the "leakage" should the wireless network be hacked). The sole purpose of
> these wireless devices is to TELNET to the AlphaServer so putting a firewall
> appliance in place would seem to offer little benefit, given that the
> AlphaServer already has a spare ethernet port.
>
> This then raises a couple of questions.
>
> 1. In general, for services handled by the MASTER_SERVER process, can the
> services be configured to listen on one interface and not the other?
> Or can we only set ACCEPT-NETS and REJECT-NETS ? To put the same
> question another way, *will* these services automatically listen on both
> interfaces?


There is no way to configure most services handled by the
MASTER_SERVER process to listen on only once interface. You could do
this via ACCEPT-NETS and REJECT-NETS but I think packet filters on
the individual interfaces would be a better method.

>
> 2. Can the DNS server be configured to listen on one interface and not the
> other? Can it be configured to restrict the type of queries from one
> interface and not the other? E.g. from the "wireless" interface respond
> only to queries for a specific domain name?


There is a listen-on option to control what addresses and ports
are used. I don't know of a way to restrict the type of queries.
Running two different name servers would be the best way to handle this
but its not easy to do with the MultiNet implementation.

> 3. Will the NTP server listen and respond on both interfaces?
>


I have not used it but there is a restrict option in the
NTP.CONF.


> As an aside, is there any feel for how much CPU load the kernel-level packet
> filter imposes on a system? I'm thinking we might like to experiment with
> it if insufficient access control is provided via MU CONFIG/SERVER or other
> services which don't use MASTER_SERVER.
>


I'm not sure of the load. As I mentioned above I do think you
will find this the best solution.

regards
Mike


--
+-------------------------------------------------------------------------+
Michael Corbett Email: Corbett@process.com
Process Software Phone: 800 722-7770 x369
959 Concord St. 508 879-6994 x369
Framingham MA 01701-4682 FAX: 508 879-0042