VMS cluster behind a *NIX firewall - VMS



Thread: VMS cluster behind a *NIX firewall

  1. VMS cluster behind a *NIX firewall

    I need to have a *NIX frontend for a VMS cluster. In addition
    I'd like to set up cluster alias. I'm not sure how cluster alias will
    work together with port forwarding.

    The cluster has 3 nodes, two ds10l and one rx2620, all running
    VMS 8.3 with TCP/IP configured and started. Each node has 2 IP addresses,
    all in 192.168.0.0/24. I haven't yet set up a cluster alias.

    The frontend is FBSD 6.2 with IPF. The port forwarding rules I
    can think of will only allow me to forward to a particular IP address
    in a particular node, e.g.:

    rdr xxx.xxx.xxx.xxx port 22 -> 192.168.0.xxx port 22

    So this node then becomes a single point of failure. As far as I
    can see, I cannot have a host name in the above rule. Ideally, I'd like
    to have some sort of load balancing, i.e. let the users log into
    different nodes chosen automatically based on the current load, which,
    I think, is the idea behind a cluster alias.

    Any advice on how to get a more useful port forwarding?

    thanks a lot
    anton

    --
    Anton Shterenlikht
    Room 2.6, Queen's Building
    Mech Eng Dept
    Bristol University
    University Walk, Bristol BS8 1TR, UK
    Tel: +44 (0)117 928 8233
    Fax: +44 (0)117 929 4423

  2. Re: VMS cluster behind a *NIX firewall

    Anton,

    to remove the single point of failure, you should set up a FailSAFE IP
    address on those 3 nodes. This address will be offered on ONE
    interface at a time on ONE of the 3 nodes. The FailSAFE IP service
    handles the automatic detection of a failed interface or node and
    brings up that IP address on a working interface on one of the
    remaining nodes.

    Volker.


  3. Re: VMS cluster behind a *NIX firewall


    "Volker Halle" wrote in message
    news:1185872185.198001.14210@w3g2000hsg.googlegroups.com...

    > to remove the single point of failure, you should set up a FailSAFE IP
    > address on those 3 nodes. This address will be offered on ONE
    > interface at a time on ONE of the 3 nodes.


    I might go for 3 alias addresses, with the default interface on different
    nodes. Then when you figure out how to load balance on the firewall,
    you are all set.
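    The three rule shapes discussed so far (forward to one node, forward to a FailSAFE IP address, forward to three alias addresses), written out as an ipnat.conf sketch with its ipf.conf companion. This is an added example, not Anton's configuration and not from any reply in the thread; the interface name em0, the public address 203.0.113.10, the node address 192.168.0.11 and the alias addresses 192.168.0.100-102 are placeholders, and the round-robin keyword is assumed to be the IPFilter 4.x ipnat(5) load-balancing option present in the IPF release shipped with FreeBSD 6.2 (check ipnat(5) on the box).

```conf
# /etc/ipnat.conf sketch (added example; placeholders, not the thread's addresses)
#   em0              outside interface of the FreeBSD 6.2 / IPF box
#   203.0.113.10     its public address
#   192.168.0.11     one cluster node's own address
#   192.168.0.100    a FailSAFE IP address that floats across the 3 nodes
#   192.168.0.100-102  three alias addresses, each defaulting to a different node

# (a) The rule from the question: forward SSH to one node. If that node or
#     its interface dies, every new and existing SSH session is lost.
# rdr em0 203.0.113.10/32 port 22 -> 192.168.0.11 port 22 tcp

# (b) FailSAFE IP: forward to the floating address instead. The firewall
#     rule is static; TCP/IP Services on VMS brings the address up on a
#     working interface of a surviving node, so new connections succeed
#     again after failover. Sessions that were on the failed node are still lost.
rdr em0 203.0.113.10/32 port 22 -> 192.168.0.100 port 22 tcp

# (c) Three alias addresses, distributed by IPF itself (assumed round-robin
#     semantics: ipnat cycles new connections over rdr rules that match the
#     same traffic and carry round-robin). IPF does no health checking: a dead
#     node keeps getting its share until its rule is removed, so (c) needs
#     external monitoring, whereas (b) moves the address automatically.
# rdr em0 203.0.113.10/32 port 22 -> 192.168.0.100 port 22 tcp round-robin
# rdr em0 203.0.113.10/32 port 22 -> 192.168.0.101 port 22 tcp round-robin
# rdr em0 203.0.113.10/32 port 22 -> 192.168.0.102 port 22 tcp round-robin

# /etc/ipf.conf companion (outside interface only; inside-interface rules
# omitted). Inbound rdr runs before filtering, so the pass rule matches the
# translated (inside) destination. Only port 22 on the forwarded address is
# reachable from outside; the rest of 192.168.0.0/24, including the nodes'
# second interfaces, stays blocked.
block in on em0 all
pass in quick on em0 proto tcp from any to 192.168.0.100 port = 22 flags S keep state
```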



  4. Re: VMS cluster behind a *NIX firewall

    In article <1185872185.198001.14210@w3g2000hsg.googlegroups.com>, Volker Halle writes:
    >to remove the single point of failure, you should set up a FailSAFE IP
    >address on those 3 nodes. This address will be offered on ONE
    >interface at a time on ONE of the 3 nodes. The FailSAFE IP service
    >handles the automatic detection of a failed interface or node and
    >brings up that IP address on a working interface on one of the
    >remaining nodes.


    And this interface the IP address sits on should be a LAN failover device
    (LLxy) as well (if you have more than one interface per machine of course)...

    --
    Peter "EPLAN" LANGSTOEGER
    Network and OpenVMS system specialist
    E-mail peter@langstoeger.at
    A-1030 VIENNA AUSTRIA I'm not a pessimist, I'm a realist

  5. Re: VMS cluster behind a *NIX firewall

    On Tue, 31 Jul 2007 01:32:10 -0700, Anton Shterenlikht
    wrote:

    > I need to have a *NIX frontend for a VMS cluster. In addition
    > I'd like to set up cluster alias. I'm not sure how cluster alias will
    > work together with port forwarding.

    Why do you need this front-end?
    >
    > The cluster has 3 nodes, two ds10l and one rx2620, all running
    > VMS 8.3 with TCP/IP configured and started. Each node has 2 IP addresses,
    > all in 192.168.0.0/24. I haven't yet set up a cluster alias.
    >
    > The frontend is FBSD 6.2 with IPF. The port forwarding rules I
    > can think of will only allow me to forward to a particular IP address
    > in a particular node, e.g.:
    >
    > rdr xxx.xxx.xxx.xxx port 22 -> 192.168.0.xxx port 22
    >
    > So this node then becomes a single point of failure. As far as I
    > can see, I cannot have a host name in the above rule. Ideally, I'd like
    > to have some sort of load balancing, i.e. let the users log into
    > different nodes chosen automatically based on the current load, which,
    > I think, is the idea behind a cluster alias.
    >
    > Any advice on how to get a more useful port forwarding?
    >
    > thanks a lot
    > anton
    >




    --
    PL/I for OpenVMS
    www.kednos.com

  6. Re: VMS cluster behind a *NIX firewall

    Anton Shterenlikht wrote in
    news:20070731083210.GA79688@mech-aslap33.men.bris.ac.uk:

    [snip..]

    >
    > The frontend is FBSD 6.2 with IPF. The port forwarding rules I
    > can think of will only allow me to forward to a particular IP address
    > in a particular node, e.g.:
    >
    > rdr xxx.xxx.xxx.xxx port 22 -> 192.168.0.xxx port 22
    >
    > So this node then becomes a single point of failure. As far as I
    > can see, I cannot have a host name in the above rule. Ideally, I'd like
    > to have some sort of load balancing, i.e. let the users log into
    > different nodes chosen automatically based on the current load, which,
    > I think, is the idea behind a cluster alias.
    >


    It sounds like the *nix firewall becomes the single point of failure.

  7. Re: VMS cluster behind a *NIX firewall

    In article <20070731083210.GA79688@mech-aslap33.men.bris.ac.uk>, Anton Shterenlikht writes:
    > I need to have a *NIX frontend for a VMS cluster. In addition
    > I'd like to set up cluster alias. I'm not sure how cluster alias will
    > work together with port forwarding.


    You NEED to? Putting a UNIX firewall in front of a VMS system is
    like using straw to protect brick.

    Who put you up to this idea?

    Yes, there are valid reasons to put VMS behind a firewall (keep all
    those attacks from tying up the LAN your SCS traffic is on, for example).
    But I'd look for a purpose-built firewall.


  8. Re: VMS cluster behind a *NIX firewall

    On Aug 2, 5:57 pm, koeh...@eisner.nospam.encompasserve.org (Bob
    Koehler) wrote:
    > In article <20070731083210.GA79...@mech-aslap33.men.bris.ac.uk>, Anton Shterenlikht writes:
    >
    > > I need to have a *NIX frontend for a VMS cluster. In addition
    > > I'd like to set up cluster alias. I'm not sure how cluster alias will
    > > work together with port forwarding.

    >
    > You NEED to? Putting a UNIX firewall in front of a VMS system is
    > like using straw to protect brick.
    >


    :-)

    I liked Kerry's "rent-a-cop to protect a police station" better, but I
    might steal them both;-))


    > Who put you up to this idea?
    >
    > Yes, there are valid reasons to put VMS behind a firewall (keep all
    > those attacks from tying up the LAN your SCS traffic is on, for example).
    > But I'd look for a purpose-built firewall.


    Many of which run *nix, but are single-purpose appliances and who
    cares what they run as long as they do the job.

    But, I do agree with you.


  9. Re: VMS cluster behind a *NIX firewall

    In article <1186097570.039629.170140@m37g2000prh.googlegroups.com>, Doug Phillips writes:
    >
    > Many of which run *nix, but are single-purpose appliances and who
    > cares what they run as long as they do the job.


    Yes, but you can get those which aren't. (I know an entire
    infrastructure protected by firewalls running on Solaris, I sure
    hope they keep up the OS patch level.)


  10. RE: VMS cluster behind a *NIX firewall



    > -----Original Message-----
    > From: Bob Koehler [mailto:koehler@eisner.nospam.encompasserve.org]
    > Sent: Thursday, August 02, 2007 5:57 PM
    > To: Info-VAX@Mvb.Saic.Com
    > Subject: Re: VMS cluster behind a *NIX firewall
    >
    > In article <20070731083210.GA79688@mech-aslap33.men.bris.ac.uk>, Anton
    > Shterenlikht writes:
    > > I need to have a *NIX frontend for a VMS cluster. In addition
    > > I'd like to set up cluster alias. I'm not sure how cluster alias will
    > > work together with port forwarding.

    >
    > You NEED to? Putting a UNIX firewall in front of a VMS system is
    > like using straw to protect brick.


    Actually, given what I have seen of TCP under VMS, I would probably choose
    to use a UNIX system in front of it too. I just would not choose an x86
    based system.

    TCP is the common denominator of network communications these days, and
    systems need really up to date IP stacks and applications. This is perhaps,
    one of only two areas where VMS appears weak to me.

    -Paul

    >
    > Who put you up to this idea?
    >
    > Yes, there are valid reasons to put VMS behind a firewall (keep all
    > those attacks from tying up the LAN your SCS traffic is on, for
    > example).
    > But I'd look for a purpose-built firewall.




  11. Re: VMS cluster behind a *NIX firewall

    On 08/02/07 20:40, Paul Raulerson wrote:
    >
    >> -----Original Message-----
    >> From: Bob Koehler [mailto:koehler@eisner.nospam.encompasserve.org]
    >> Sent: Thursday, August 02, 2007 5:57 PM
    >> To: Info-VAX@Mvb.Saic.Com
    >> Subject: Re: VMS cluster behind a *NIX firewall
    >>
    >> In article <20070731083210.GA79688@mech-aslap33.men.bris.ac.uk>, Anton
    >> Shterenlikht writes:
    >>> I need to have a *NIX frontend for a VMS cluster. In addition
    >>> I'd like to set up cluster alias. I'm not sure how cluster alias will
    >>> work together with port forwarding.

    >> You NEED to? Putting a UNIX firewall in front of a VMS system is
    >> like using straw to protect brick.

    >
    > Actually, given what I have seen of TCP under VMS, I would probably choose
    > to use a UNIX system in front of it too. I just would not choose an x86
    > based system.


    Why not? FreeBSD on x86 is Unix, and Unix is Unix, no matter the
    platform.

    > TCP is the common denominator of network communications these days, and
    > systems need really up to date IP stacks and applications. This is perhaps,
    > one of only two areas where VMS appears weak to me.


    [P.S. - Yay!!!!! Info-VAX is properly threading!!!]

    --
    Ron Johnson, Jr.
    Jefferson LA USA

    Give a man a fish, and he eats for a day.
    Hit him with a fish, and he goes away for good!

  12. RE: VMS cluster behind a *NIX firewall



    > -----Original Message-----
    > From: Ron Johnson [mailto:ron.l.johnson@cox.net]
    > Sent: Thursday, August 02, 2007 9:11 PM
    > To: Info-VAX@Mvb.Saic.Com
    > Subject: Re: VMS cluster behind a *NIX firewall
    >
    > On 08/02/07 20:40, Paul Raulerson wrote:
    > >
    > >> -----Original Message-----
    > >> From: Bob Koehler [mailto:koehler@eisner.nospam.encompasserve.org]
    > >> Sent: Thursday, August 02, 2007 5:57 PM
    > >> To: Info-VAX@Mvb.Saic.Com
    > >> Subject: Re: VMS cluster behind a *NIX firewall
    > >>
    > >> In article <20070731083210.GA79688@mech-aslap33.men.bris.ac.uk>, Anton
    > >> Shterenlikht writes:
    > >>> I need to have a *NIX frontend for a VMS cluster. In addition
    > >>> I'd like to set up cluster alias. I'm not sure how cluster alias will
    > >>> work together with port forwarding.
    > >> You NEED to? Putting a UNIX firewall in front of a VMS system is
    > >> like using straw to protect brick.

    > >
    > > Actually, given what I have seen of TCP under VMS, I would probably choose
    > > to use a UNIX system in front of it too. I just would not choose an x86
    > > based system.

    >
    > Why not? FreeBSD on x86 is Unix, and Unix is Unix, no matter the
    > platform.
    >


    Using a non-x86 system defeats an enormous number of script kiddies and
    such. Not all that many bad-hackers have access to Power or Alpha or other
    UNIX systems, they are tied to their Windows PCs. Also, it often makes
    it easier to detect issues like that. An x86 executable sticks out like a
    sore thumb!



    > > TCP is the common denominator of network communications these days, and
    > > systems need really up to date IP stacks and applications. This is perhaps,
    > > one of only two areas where VMS appears weak to me.

    >
    > [P.S. - Yay!!!!! Info-VAX is properly threading!!!]
    >


    Glory! Still looks the same to me.
    -Paul

    > --
    > Ron Johnson, Jr.
    > Jefferson LA USA
    >
    > Give a man a fish, and he eats for a day.
    > Hit him with a fish, and he goes away for good!



  13. Re: VMS cluster behind a *NIX firewall

    In article ,
    Ron Johnson wrote:

    > [P.S. - Yay!!!!! Info-VAX is properly threading!!!]


    Ooh yes it is! Thank you to Mark.

    One observation though. If you receive INFO-VAX by the digest method,
    rather than individual messages, and reply to that, then threads will
    still break.

    I can't see any way around this except for changing your INFO-VAX
    subscription to receive individual messages, and replying to those.

    --
    Paul Sture

    Sue's OpenVMS bookmarks:
    http://eisner.encompasserve.org/~stu...bookmarks.html

  14. Re: VMS cluster behind a *NIX firewall

    In article ,
    koehler@eisner.nospam.encompasserve.org (Bob Koehler) wrote:

    > In article <1186097570.039629.170140@m37g2000prh.googlegroups.com>, Doug
    > Phillips writes:
    > >
    > > Many of which run *nix, but are single-purpose appliances and who
    > > cares what they run as long as they do the job.

    >
    > Yes, but you can get those which aren't. (I know an entire
    > infrastructure protected by firewalls running on Solaris, I sure
    > hope they keep up the OS patch level.)


    Going back a few years, SuSE did a CD which was a firewall. The general
    idea was save the config to a floppy, write protect that, and the box
    couldn't be written to. I fancied getting that until I saw that the
    price was 1,000 USD.

    It had disappeared from their website last time I looked (a couple or
    more years ago).

    --
    Paul Sture

    Sue's OpenVMS bookmarks:
    http://eisner.encompasserve.org/~stu...bookmarks.html

  15. Re: VMS cluster behind a *NIX firewall

    On 08/03/07 00:08, P. Sture wrote:
    > In article ,
    > koehler@eisner.nospam.encompasserve.org (Bob Koehler) wrote:
    >
    >> In article <1186097570.039629.170140@m37g2000prh.googlegroups.com>, Doug
    >> Phillips writes:
    >>> Many of which run *nix, but are single-purpose appliances and who
    >>> cares what they run as long as they do the job.

    >> Yes, but you can get those which aren't. (I know an entire
    >> infrastructure protected by firewalls running on Solaris, I sure
    >> hope they keep up the OS patch level.)

    >
    > Going back a few years, SuSE did a CD which was a firewall. The general
    > idea was save the config to a floppy, write protect that, and the box
    > couldn't be written to. I fancied getting that until I saw that the
    > price was 1,000 USD.


    US$1000???? Wow!!!! What a rip-off.

    Such a technique is relatively simple. I'm sure you could still
    find community-driven CD-thumbdrive firewalls.

    > It had disappeared from their website last time I looked (a couple or
    > more years ago).
    >



    --
    Ron Johnson, Jr.
    Jefferson LA USA

    Give a man a fish, and he eats for a day.
    Hit him with a fish, and he goes away for good!

  16. Re: VMS cluster behind a *NIX firewall

    On 08/02/07 21:37, Paul Raulerson wrote:
    >
    >> -----Original Message-----
    >> From: Ron Johnson [mailto:ron.l.johnson@cox.net]
    >> Sent: Thursday, August 02, 2007 9:11 PM

    [snip]
    >> Why not? FreeBSD on x86 is Unix, and Unix is Unix, no matter the
    >> platform.
    >>

    >
    > Using a non-x86 system defeats an enormous number of script kiddies and
    > such. Not all that many bad-hackers have access to Power or Alpha or other
    > UNIX systems, they are tied to their Windows PCs. Also, it often makes
    > it easier to detect issues like that. An x86 executable sticks out like a
    > sore thumb!


    Good point. An OS/CPU monoculture definitely is a bad thing.

    Which is why I mentioned FreeBSD instead of Linux. It (and OpenBSD
    and NetBSD) uses a different cc and libc, thus generating different
    entry points into libc, etc, thus effectively negating any binary
    rootkit aimed at x86 Linux.

    --
    Ron Johnson, Jr.
    Jefferson LA USA

    Give a man a fish, and he eats for a day.
    Hit him with a fish, and he goes away for good!

  17. Re: VMS cluster behind a *NIX firewall

    In article ,
    koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes:
    > In article <1186097570.039629.170140@m37g2000prh.googlegroups.com>, Doug Phillips writes:
    >>
    >> Many of which run *nix, but are single-purpose appliances and who
    >> cares what they run as long as they do the job.

    >
    > Yes, but you can get those which aren't. (I know an entire
    > infrastructure protected by firewalls running on Solaris, I sure
    > hope they keep up the OS patch level.)


    Why? There is no access to raw Solaris for outsiders to attack (unless
    you are talking about homegrown firewalls rather than commercial offerings).
    Some of the most common firewalls on the INTERNET are actually just Solaris
    boxes running a commercial application (with suitable changes to the
    base configuration as prescribed by the vendor.)

    I ran home built firewalls (built on top of FreeBSD) for our department
    for 15 years before we went with our first commercial box (Cisco). I
    never once had anyone hack the box even though I logged lots of attacks.
    The only reasons for changing to the Cisco box were performance and the
    University's desire to finally accept that we exist and should be figured
    into their infrastructure (but then, that was always politics anyway).

    bill

    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    bill@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include

  18. Re: VMS cluster behind a *NIX firewall

    Bill Gunshannon wrote:
    > In article ,
    > koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes:
    >
    >>In article <1186097570.039629.170140@m37g2000prh.googlegroups.com>, Doug Phillips writes:
    >>
    >>>Many of which run *nix, but are single-purpose appliances and who
    >>>cares what they run as long as they do the job.

    >>
    >> Yes, but you can get those which aren't. (I know an entire
    >> infrastructure protected by firewalls running on Solaris, I sure
    >> hope they keep up the OS patch level.)

    >
    >
    > Why? There is no access to raw Solaris for outsiders to attack (unless
    > you are talking about homegrown firewalls rather than commercial offerings).



    Not true! Unpatched Solaris 8, 8, & 10 with Telnet enabled has a bug
    which will allow an attacker to log in as "bin".

    Solaris isn't as easy as Windows but it does have vulnerabilities!
    There are a lot of things you can do to "lock it down" but it is by no
    means "secure"!


  19. Re: VMS cluster behind a *NIX firewall

    In article <46B3275C.70509@comcast.net>,
    "Richard B. Gilbert" writes:
    > Bill Gunshannon wrote:
    >> In article ,
    >> koehler@eisner.nospam.encompasserve.org (Bob Koehler) writes:
    >>
    >>>In article <1186097570.039629.170140@m37g2000prh.googlegroups.com>, Doug Phillips writes:
    >>>
    >>>>Many of which run *nix, but are single-purpose appliances and who
    >>>>cares what they run as long as they do the job.
    >>>
    >>> Yes, but you can get those which aren't. (I know an entire
    >>> infrastructure protected by firewalls running on Solaris, I sure
    >>> hope they keep up the OS patch level.)

    >>
    >>
    >> Why? There is no access to raw Solaris for outsiders to attack (unless
    >> you are talking about homegrown firewalls rather than commercial offerings).

    >
    >
    > Not true! Unpatched Solaris 8, 8, & 10 with Telnet enabled has a bug
    > which will allow an attacker to log in as "bin".


    And you are assuming that the vendor would not tell them to turn off
    telnet. I have had telnet turned off on every server box of any kind
    for years. I doubt any commercial firewall relies on telnet for access.

    >
    > Solaris isn't as easy as Windows but it does have vulnerabilities!
    > There are a lot of things you can do to "lock it down" but it is by no
    > means "secure"!


    You guys keep telling yourselves that. Meanwhile, Unix is still
    growing market share and VMS is shrinking. Seems the rest of the
    industry just doesn't seem to have as many problems with it as
    the VMS community.

    bill

    --
    Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
    bill@cs.scranton.edu | and a sheep voting on what's for dinner.
    University of Scranton |
    Scranton, Pennsylvania | #include

  20. Re: VMS cluster behind a *NIX firewall

    On Aug 3, 4:27 am, Ron Johnson wrote:
    > On 08/03/07 00:08, P. Sture wrote:
    >
    > > In article ,
    > > koeh...@eisner.nospam.encompasserve.org (Bob Koehler) wrote:

    >
    > >> In article <1186097570.039629.170...@m37g2000prh.googlegroups.com>, Doug
    > >> Phillips writes:
    > >>> Many of which run *nix, but are single-purpose appliances and who
    > >>> cares what they run as long as they do the job.
    > >> Yes, but you can get those which aren't. (I know an entire
    > >> infrastructure protected by firewalls running on Solaris, I sure
    > >> hope they keep up the OS patch level.)

    >
    > > Going back a few years, SuSE did a CD which was a firewall. The general
    > > idea was save the config to a floppy, write protect that, and the box
    > > couldn't be written to. I fancied getting that until I saw that the
    > > price was 1,000 USD.

    >
    > US$1000???? Wow!!!! What a rip-off.
    >


    Today, it would be a rip-off. "Going back a few years," though, $1000
    was not unreasonable for a commercial-grade firewall appliance that
    was less capable than today's SOHO-grade $50-$100 router/switch/FW
    box. Going back a few more years a VT-102 dumb terminal cost ~$2,500
    and +$5,000 wasn't unreasonable for a good PC [oxymoron alert!]

    My HD TV would have cost at least 3x more had I bought it two years
    earlier, and not long ago the CD/DVD RW like that built into my laptop
    would have cost considerably more than what I paid for the entire
    laptop.

    Such is tech. How soon we forget.


