Discussion:
What is definition of a network for TCPIP SET /ACCEPT=NETWORK?
Dymaxion Development
2021-11-18 14:00:46 UTC
I am getting the following error for (note the a and b are placeholders for actual numbers):

$TCPIP SET SERVICE SSH /ACCEPT=NETWORK=(a.b.241.0:255.255.255.0,a.b.242.0:255.255.255.0,a.b.243.0:255.255.255.0)
%TCPIP-E-SERVERROR, cannot process service request
-TCPIP-E-INVQUAL, invalid qualifier value for /ACCEPT.NETWORKS
-SYSTEM-F-TOOMUCHDATA, too much optional or interrupt data specified

The site has 7 full IP ranges to allow (this is just 3). How would you enter them?

The limit is 16 which I took to mean 16 network specifications not 16 IPs?

Any help would be appreciated.

TIA,

John Tran
Steven Schweda
2021-11-18 18:13:25 UTC
Post by Dymaxion Development
The site has 7 full IP ranges to allow (this is just 3). How would you enter them?
Define "full IP range". But first:

tcpip show version

tcpip show service SSH /full

How _I_ would specify them would depend on what they actually are.
For example, "a.b.242.0:255.255.255.0,a.b.243.0:255.255.255.0" might
have been reduced to "a.b.242.0:255.255.254.0". But, before I did
anything, I'd clean out what's there now:

set service SSH /accept = nonetworks = *

My accept/reject script files include helpful(-to-me) comments like
these:

! Popular netmasks:
!
! 11111111 /8 = 255 11111110 /7 = 254 11111100 /6 = 252 11111000 /5 = 248
!
! 11110000 /4 = 240 11100000 /3 = 224 11000000 /2 = 192 10000000 /1 = 128
Post by Dymaxion Development
The limit is 16 which I took to mean 16 network specifications not 16 IPs?
Define "IPs".

https://en.wikipedia.org/wiki/Internet_Protocol
https://en.wikipedia.org/wiki/IP_address

I'd expect it to take 16 subnet specifications, but they do
accumulate.

I generally do /reject, not /accept, but my scripts all start with
commands like:

set service XXXX /reject = nohost = *
set service XXXX /reject = nonetworks = *

and then build upon the resulting clean slates. I don't hit any
unexpected limits. (But higher limits would be helpful to me.)
Dymaxion Development
2021-11-19 14:55:08 UTC
Thanks for your reply. By full IP range, I meant a.b.1.1 through a.b.255.255. IPs is just a single IP regardless of subnet mask.

I did the TCPIP SHOW SERVICE SERVICE /FULL and there were 13 other settings beforehand. D'oh. I was told there were none. So I mistook that it meant 16 individual IPs and not IP ranges or networks.

Thanks for your help!
Steven Schweda
2021-11-19 19:19:28 UTC
[...] By full IP range, I meant a.b.1.1 through a.b.255.255. [...]
Why ".1.1", and not ".0.0"? "a.b.0.0:255.255.0.0" would cover what
_I_'d call the whole "a.b.*.*" range.
[...] IPs is just a single IP regardless of subnet mask.
I'll try again. Define "IP".

https://en.wikipedia.org/wiki/Internet_Protocol
https://en.wikipedia.org/wiki/IP_address

If you _mean_ "IP _address_", then your meaning would be clearer if you
_said_ "IP address".
[...] I was told [...]
Trust no one, I always say. "SHOW" is your friend.
Somewhat odd that CIDR syntax (e.g. 192.0.2.0/24, 198.51.100.0/28) was
never added here, as an aside.
Odd, and annoying. I'd be happy to ditch my handy mask-guide
comments.

Another related annoyance is that where that notation _is_ accepted
(like, say, SYS$SPECIFIC:[TCPIP$SMTP]TCPIP$SMTP.CONF), the whole address
must be specified, including the insignificant part. I've repeatedly
gotten bad data using copy+paste (carelessly) from whois.ripe.net or
whois.lacnic.net, which publish values like "186.188.128/17" instead of
"186.188.128.0/17", where the last ".0" conveys no useful information.
As an aside.
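
The aggregation and notation points raised in this thread, as an added Python example that is not code from any poster: it pads whois-style short prefixes, merges adjacent networks, emits the address:mask form used by /ACCEPT=NETWORK, and checks the total against the 16-entry figure quoted above. The function names, the 10.20.x.x addresses and the `already_configured` count are constructed for illustration.

```python
import ipaddress

MAX_ENTRIES = 16  # figure quoted in the thread; treated here as an assumption


def pad_prefix(spec):
    """Normalize one network spec to 'a.b.c.d/len-or-mask'.

    Accepts CIDR ('10.20.242.0/24'), the thread's colon form
    ('10.20.242.0:255.255.255.0') and short whois prefixes ('186.188.128/17').
    """
    addr, _, suffix = spec.strip().replace(":", "/").partition("/")
    octets = addr.split(".")
    if not 1 <= len(octets) <= 4:
        raise ValueError(f"bad address in {spec!r}")
    octets += ["0"] * (4 - len(octets))  # restore the insignificant part
    return ".".join(octets) + ("/" + suffix if suffix else "")


def accept_entries(specs):
    """Merge adjacent/overlapping networks and return 'address:mask' strings."""
    # ip_network() is strict by default: host bits set (e.g. 10.20.1.1/16)
    # raise ValueError instead of being silently truncated.
    nets = [ipaddress.ip_network(pad_prefix(s)) for s in specs]
    merged = ipaddress.collapse_addresses(nets)
    return [f"{n.network_address}:{n.netmask}" for n in merged]


def build_command(service, specs, already_configured=0):
    """Build the SET SERVICE command, refusing to exceed MAX_ENTRIES.

    already_configured is the number of entries TCPIP SHOW SERVICE /FULL
    already lists, since entries accumulate across commands.
    """
    entries = accept_entries(specs)
    total = already_configured + len(entries)
    if total > MAX_ENTRIES:
        raise ValueError(f"{total} entries would exceed the limit of {MAX_ENTRIES}")
    return f"TCPIP SET SERVICE {service} /ACCEPT=NETWORK=({','.join(entries)})"


if __name__ == "__main__":
    # Constructed stand-ins for the a.b.241.0, a.b.242.0, a.b.243.0 networks.
    sample = ["10.20.241.0/24", "10.20.242.0/24", "10.20.243.0/24"]
    print(build_command("SSH", sample, already_configured=13))
```

With 13 entries already present, the three sample networks fit only because the .242 and .243 networks merge into one entry with mask 255.255.254.0.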
