IBM Mainframe Forum

Hi all,

I want to protect my pc "ip address" and my network range of addresses. so I defined this lines in tcpip.profile :


NETACCESS INBOUND OUTBOUND
172.20.149.8/32 MYPC ;my workstation
172.20.149.0/24 MYSUBNET ;my workstation subnet
DEFAULT 0 WORLD ;everything else
ENDNETACCESS


also this profiles in servauth class in racf:

EZB.NETACCESS.OSMELLAT.TCPIP.MYPC
EZB.NETACCESS.OSMELLAT.TCPIP.MYSUBNET
EZB.NETACCESS.OSMELLAT.TCPIP.WORLD

after activing new tcpip.profile and racf profiles, I cannot ping from mainframe to pc:

ICH408I USER(RASTGAR ) GROUP(SYS1 ) NAME(MEHRDAD RASTGAR )
EZB.NETACCESS.OSMELLAT.TCPIP.MYPC CL(SERVAUTH)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )

but from pc, I still can ping to my mainframe Ip address !!!

I think after defining the above profiles, ping from both ways should be banned.

any idea?

best regards
mehrdad

Hi,

Do you want to disable the Ping command from PC ? or Just a user should get a message as you are not authorized to Ping or something ?

Could you please clarify ? Did you try with the other two Profiles and what does it says ?

Jaggz

Hi,

No I do not want to disable ping.ping was just a test for me. I want to disable telnet from all stations,except my personal PC and my personal userid. so I defined NETACCESS zones in tcpip profile and defined NETACCESS profiles in racf. then I permited READ access to my userid in profile EZB.NETACCESS.OSMELLAT.TCPIP.MYPC.

I expect that telnet was banned from all stations and userids, except mypc and my userid.

but servauth profiles doesn't work on my system.

I did all this process based on IBM documents.

is there anything wrong?

Best regards

Hi,

"but servauth profiles doesn't work on my system. "

Please check if SERVAUTH class is activated or not ? If not try to activate it by CLASSACT(SERVAUTH).

HI

no.I's sure that servauth class is active. because in pinging from mainframe to my network zone (mypc) , servauth profile banned me:

ICH408I USER(RASTGAR ) GROUP(SYS1 ) NAME(MEHRDAD RASTGAR )
EZB.NETACCESS.OSMELLAT.TCPIP.MYPC CL(SERVAUTH)
INSUFFICIENT ACCESS AUTHORITY
ACCESS INTENT(READ ) ACCESS ALLOWED(NONE )


but it connot prevent telnet from MYPC to mainframe. why?


best regards

Have you looked at EZARACF in SEZAINST? That mentions resource EZB.PORTACCESS.sysname.tcpprocname.port

Hi,

Hope you Did SETR RACLIST(SERVAUTH) REFR after permitting ?

Hi,

Yes I use "refresh" command after defining and permiting.

"Portaccess" doesn't satisfy me. because I want to find a way for limitting a userid to his/her tcpip terminal. Netaccess is my best choise. But unfortunately netaccess doesn't work for telnet access from different netaccess zones.after activing netaccess profiles, still anyone can logon from anywhere.


all the best

Hello,

still anyone can logon from anywhere.

Which is how it is intended to work . . .

Why does someone believe this is a problem?

In most organizations, ip addresses and/or terminal ids are acquired dynamically making this restriction obsolete (if it ever was needed).

Keep in mind that your environment may be upgraded someday so that there are no "permanent" ip addresses for terminals . . .