IP Tips: Networking, Routers and Firewalls
The following constructs and concepts are typical when you're setting up a small IP network, along with some considerations when configuring or working with static addressing and commodity firewall routers on various platforms, including using these devices with OpenVMS, Mac OS X or Linux, and on small home or small business networks.
When you start looking at the devices here, remember that commodity IP routers and firewalls do not come with deep technical support.
Product support is infeasible at the price that can be charged for a commodity network device. You cannot expect to call for support with a commodity product, much less for assistance with non-trivial configuration requirements, or with platforms outside the target set. Additionally, most commodity routers and their support organizations expect the router to be configured from Microsoft Windows, possibly from Mac OS X or Linux, and almost certainly not from OpenVMS.
How to Choose
When you are choosing devices, the trade-off tends to be simple: price. Establish your budget. But do not make the mistake of buying on price alone; look at your requirements first, then at your budget. When choosing a router, first evaluate what features you need and what features you want. Router products are available with wireless capabilities, with firewalls and with many additional capabilities, and at a variety of prices.
Firewalls (firewall routers) have varying capabilities, with the base configurations being little more than NAT and the simplest of filtering. Routers with DMZ capabilities are more useful and flexible, and can have IPv4 or (better) IPv6 capabilities; advanced sites and commercial sites will want, and often need, devices with DMZ and port-forwarding capabilities.
For a firewall intended to front a server on a small network, consider a firewall with at least basic VPN (virtual private network) capabilities. Using a VPN, the remote client box can appear to be connected to the target network. VPN mechanisms include L2TP (normally L2TP over IPsec) and PPTP, among other tunneling schemes; PPTP with MS-CHAPv2 authentication is known to be weak, and should be avoided where IPsec or a TLS-based VPN is available. The VPN authentication can be certificate-based, local to the firewall, or (better) delegated to a host behind the firewall via RADIUS; plan not only for enough concurrent users through the VPN, but also for the prompt revocation of access credentials should a client laptop be lost, or should a remote user no longer be appropriate for access.
So-called Internet Routers inevitably offer some sort of firewall, and often offer wireless capabilities.
If you need only a simple router, or even just a network switch, get that.
If you need a router that provides Dynamic Host Configuration Protocol (DHCP) addressing, Network Address Translation (NAT) and demilitarized zone (DMZ) networking capabilities, expect a more complex device and a higher cost.
Do you need or want IPv6 networking? All routers offer IPv4. Your ISP may or may not offer IPv6. If your ISP does now or will soon offer IPv6, having IPv6 can be quite useful. OpenVMS, Mac OS X, Linux and Microsoft Windows have IPv6 capabilities.
The following list covers some of the basic considerations, particularly when you are looking for an IP routing device for use with OpenVMS, Mac OS X or Linux, whether or not Microsoft Windows is also in use. In particular, you will want to consider and possibly purchase a router with the following capabilities:
| Feature | Consideration |
|---|---|
| Host Software | Avoid routers that require any host software for managing or maintaining the router. |
| DHCP | If you need IP address assignment, get it. You may (do?) already have it. Mac OS X Server, OpenVMS TCP/IP Services and most dedicated firewall-router devices can provide this. |
| NAT | If you're using IPv4, you'll need this unless you have enough public static addresses for every host. If you're using IPv4 within an IPv6 network, you will likely (also) need some form of NAT. |
| DMZ | If you are planning on implementing servers, you will want some form of port forwarding or DMZ capabilities. |
| WiFi | If you need wireless, get it. Expect to have a firewall configured in any WiFi-capable router. HoffmanLabs prefers to operate these devices as Access Points (APs; also known as Bridging) and not as IP routers. |
Details on each of these areas follow.
No Host Software
You want the router to be free of any and all host software requirements; this is arguably the most central requirement for use with multiple platforms, and across platform upgrades.
This means that the router can be operated from and managed across multiple platforms. Should you be in the usual position of running a homogeneous Windows network, this is still a consideration, as this means the router is largely or entirely independent of the Windows version.
CDs containing manuals are OK, though the manuals may or may not be particularly useful. Another area of a typical commodity product that is eliminated when pricing is established: documentation. Documentation exists to reduce or to eliminate support calls, and particularly for those areas of the product that are insufficiently transparent due to cost-reductions in the UI development.
DHCP
A DHCP server has the ability to assign IP addresses to clients from an available pool of addresses, or from a static assignment of MAC addresses to IP addresses. DHCP can also assign the DNS server addresses and the IP gateway for the particular subnet. (The IP gateway for a small network is usually the firewall.)
If you need a DHCP server for your network, get one.
More than a few commodity networking devices have DHCP services, so you might or might not need this capability within your particular device. You might already have a DHCP server.
OpenVMS with TCP/IP Services V5.5 and later can operate with DHCP dynamic IP addresses as a client of a DHCP server, and all IP-capable releases can operate with static IP addressing. TCP/IP Services V5.0 and later provide a DHCP server. If you are planning on accessing your OpenVMS box directly from your own LAN (or even remotely), having a static IP address assigned from one of the private address blocks makes this task rather easier. (More on these private address blocks later.)
Mac OS X Server also provides a DHCP server.
As part of DHCP, you'll sometimes see addresses in 169.254.1.1 through 169.254.254.254 active; these are in the Automatic Private IP Addressing (APIPA) range, the IANA-reserved link-local block 169.254.0.0/16. If you see one of these addresses active on a network, the host is either still seeking an address, or its DHCP request has failed and it has assigned itself an address.
NAT
Network Address Translation (NAT) is a way of fitting many hosts behind fewer public addresses: one external IP address, with many internal addresses located behind it. These internal networks are private and hidden. The NAT device rewrites the internal client's outbound traffic to its own external address, records the mapping, and rewrites the responses returning from the remote host back to the originating internal IP address. This works fine for client networks, but is more of a problem with a server network, where connections originate outside the private network. An unsolicited inbound connection matches no mapping, so by default the NAT device drops it; this behaviour is often mistaken for a firewall.
These hidden or private networks are often implemented with the private IP address ranges provided by RFC 1918. RFC 1918 provides the CIDR 10.0.0.0/8 (10.0.0.0 through 10.255.255.255; the old private Class A), 172.16.0.0/12 (172.16.0.0 through 172.31.255.255; private Class B), and 192.168.0.0/16 (192.168.0.0 through 192.168.255.255; private Class C). These private addresses are not allowed to pass through a router and onto the Internet.
If you are establishing a private network, stay out of 192.168.0.0/16 entirely, as that causes issues with VPN routing and tunnels; most every coffee shop on the planet uses subnets in that block, and having the same subnet on both ends of a VPN causes IP routing problems.
HoffmanLabs recommends the use of a subnet somewhere in 10.0.0.0/8 or 172.16.0.0/12 blocks. Subnets within these IP blocks are less likely to conflict with other private network address assignments, and thus avoid IP routing issues if (when?) VPNs become necessary.
A network manager can choose to use a private network throughout the organization, or can use a combination of public and private addresses within the network. In any event, a private address is expected to be filtered or translated before the traffic is passed over the Internet. You might see a specific range of addresses assigned for static addresses, and for devices such as firewall routers or network-based printers or such devices.
HoffmanLabs strongly recommends against using NAT within an organization where that's feasible; NAT causes problems, and double-NAT causes more problems.
If you do use NAT and if you are planning on configuring servers for various protocols, you will want a router with static addressing and port-forwarding capabilities.
In the case of IPv4, NAT and RFC 1918 addressing are how you get enough IP addresses when the architectural limit was exceeded eons ago, and (for those of a cynical inclination) how an ISP can preserve the profit potential of a limited address space while also avoiding deploying widely-available router upgrades.
If you choose to use one of these private network ranges, it is best to assign as many addresses via DHCP as you can reasonably achieve. Only those hosts providing services should be assigned static IP addresses. This reduces — but does not eliminate — the effort involved in re-addressing a network.
More than a few folks seem to think NAT is useful. NAT is a hack. NAT is not security. NAT is a mess. Double-NAT is worse. IPv6 avoids this particular 32-bit addressing limitation, and an IPv4 or an IPv6 firewall is a firewall either way. And as for the supposed benefits of NAT: if you really want to, you can NAT IPv6. But it's easier not to. IPv6 is a flat address space.
Unfortunately for the elimination of hackery, a version of NAT may well live on in IPv6 as a way for IPv4 applications to connect over an IPv6 network.
The device that is providing NAT is usually also the default IP gateway for IP routing on the particular subnet.
DMZ
These can range from a simple hole through the firewall to a specific server, up to a more flexible (and sometimes more complex) configuration.
These mechanisms can be called “port mapping” or “virtual server”. Port mapping punches a hole through the firewall.
A DMZ acts as a nested set of firewalls; where you have one or more servers — often called the red or hot or DMZ LAN — that are accessible from the Internet through certain ports and for certain functions, and another set of clients and servers that are located fully inside the firewall and inaccessible from the Internet.
Various routers have an easily-configured DMZ, and various routers can have a fairly ugly mechanism. Which you have depends on the particular router.
DMZ capabilities can range from limited or no capabilities to more extensive and flexible capabilities. At its simplest, you'll see port forwarding (of everything, or of a subset of the traffic) to a specific host. Other firewall routers will have the ability to route through multiple addresses, having one or more external static addresses, and an external NAT address. Moderate- to high-end firewalls will have a dedicated LAN port for the DMZ LAN.
Static Addressing and Web Servers; Remote Access
Ensure that configuring and operating a web server or other IP server (or daemon) is permitted by your ISP terms of services. In many instances, the ISP permits only client access to the Internet, and specifically prohibits servers from being configured. Whether or not servers operate is another and separate issue, though sooner or later the ISP might notice the presence of one or more servers.
ISPs will often charge extra for this access, and ISPs can choose to block server-level protocols; the ISP may choose to block ports used by specific protocols. Port-level blocks are used both to provide tiered service, and to reduce the exposure of the ISP to botnet-infected traffic among client hosts. Malware can use IRC for command and control, and malware can use the various server ports to distribute spam and to launch distributed network attacks. More than a few pieces of malware contain full SMTP servers, for instance — the malware can start up its own SMTP server and start distributing spam from one or more of your clients.
Common Firewall Ports
Here are some of the typical IP ports, including ports used for various servers.
| Port | Permissible? | Application |
|---|---|---|
| 22 | Allow? | The ssh secure shell. |
| 23 | Block? | Telnet is comparatively insecure, and HoffmanLabs discourages its use. SSH can be a better choice. There are environments and situations where it is used, however. |
| 25 | Block? | An SMTP mail server operates on this port, and various others. |
| 80 | Allow? | http traffic. Web servers such as Apache, Secure Web Server (SWS; a pre-built version of Apache for OpenVMS), WASD (threads-capable web server for OpenVMS), LightTPD, Microsoft IIS or otherwise. |
| 113 | Block | IdentD. Used to identify the client. Often blocked for security reasons. |
| 443 | Allow? | https traffic. Various web servers using encrypted traffic. |
| 587 | Block | ESMTP submission traffic. Authenticated SMTP submissions. |
| 6667 | Block | IRC traffic. Most folks are not running IRC servers. Clients, yes. Botnets run servers. (Though botnets can also use http and icmp and other traffic for coordination, as well as many other protocols for their payloads.) |
There are many, many, many other ports. It is best to block them all by default and allow only what you serve, as malware typically knows more about these other ports than you do. If you are operating a server, you may want to allow specific ports as suggested above, though you will want to block all ports you do not use. Though
Firewall Routing
Other areas to look for include the addressing requirements for what the firewall routing device may call passthrough routing, DMZ, or similar. This matters if you require the ability to establish and protect servers; that is, to use static IP addressing.
Yes, dynamic DNS can provide name resolution for dynamically-addressed (DHCP) hosts. This can avoid the cost of static addressing, though you will have the added complexity and cost of maintaining the link with a provider of dynamic DNS services. And you will still have to ensure your ISP permits server-oriented traffic.
The device that is providing firewall services is usually also the default IP gateway for IP routing on the particular subnet.
Security
If you are connected to the Internet, you will be attacked. Period. Probably sooner than you might expect. HoffmanLabs received its first attack within a few hours of having connected to the network with a static address, and before any evidence of the port existed outside the firewall.
Use available tools to probe your own firewall. Ensure your firewall is set to drop all inappropriate traffic. Malformed packets or deliberately-induced protocol errors, port scans and such should be stopped before they reach your internal network.
Examples of malformed packets include the so-called Ping Of Death (PoD) detailed in CERT Advisory CA-1996-26 Denial-of-Service Attack. The Ping of Death crashes an unpatched OpenVMS system running TCP/IP Services V4.0 and V4.1, and can also crash various other IP stacks on other platforms. Examples of induced protocol errors include ARP and SYN floods.
Routers (firewalls) that provide intrusion detection or at least logging are preferable to those that do not. syslog is a common protocol used to log firewall traffic.
At a very minimum, launch a port-scan against your systems using a resource such as GRC ShieldsUp, or using any of the widely-available tools for port scanning. Many operating systems include these tools, such as the Network Utility found in the Mac OS X Application Utilities directory. Open-source tools are available for OpenVMS. A port of Nmap — if not available somewhere — might well be feasible. (If you know of a port of a port scanner such as Nmap, please contact HoffmanLabs.) Running a firewall probe via GRC or via a handy Mac OS X, Unix or Linux box may be easier, however.
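The probe recommended above, combined with the allow-or-block policy from the port table, as an added example that is not code from the original article. It uses only the Python standard library: run it from a host outside your firewall against your public address. The allow list and the must-be-closed set are assumptions drawn from the table above, and must be edited to match what you actually serve.

```python
"""Probe your own firewall from the outside, then compare what answers
against the ports you intend to expose.

Added example; not code from the original article. The allow list is an
assumption (a small web server with ssh administration) based on the
port table above.
"""
import socket
from typing import Dict, Iterable, List

# Assumption: what this site intends to expose.
INTENDED_OPEN = {22, 80, 443}

# Ports from the table above that should never answer from outside.
MUST_BE_CLOSED = {23, 25, 113, 587, 6667}


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect probe. True if the three-way handshake completes.
    A refused or timed-out connection both count as 'not open'; a firewall
    that silently drops (stealths) will make every probe time out."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, bool]:
    """Probe each port once; returns {port: is_open}."""
    return {p: tcp_port_open(host, p, timeout) for p in ports}


def audit(results: Dict[int, bool],
          intended_open: set = INTENDED_OPEN,
          must_be_closed: set = MUST_BE_CLOSED) -> List[str]:
    """Turn scan results into findings: anything reachable that is not in
    the allow list is a finding (default-deny), as is anything intended
    to be open that does not answer."""
    findings = []
    for port, is_open in sorted(results.items()):
        if is_open and port not in intended_open:
            severity = "HIGH" if port in must_be_closed else "MEDIUM"
            findings.append(f"{severity}: tcp/{port} is reachable but not in the allow list")
        elif not is_open and port in intended_open:
            findings.append(f"INFO: tcp/{port} intended open but did not answer")
    return findings


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = scan(target, sorted(INTENDED_OPEN | MUST_BE_CLOSED))
    for line in audit(results) or ["no findings"]:
        print(line)
```

A connect scan only sees TCP listeners that complete a handshake; UDP services and a firewall that drops silently both look the same (a timeout), so a clean result here is necessary but not sufficient. Run the same probe from inside the LAN as well, since the two views should differ exactly by the ports you forward.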
The other component of network security is authentication, this whether via SSL or certificates or otherwise. This authentication discussion is beyond the scope of this article.
Reserved IP Addresses and Address Blocks
There are various reserved IP addresses and reserved IP blocks. The following are a sample of some of the IP addresses and multicast addresses you may see on an IP network.
The 169.254.0.0/16 block is reserved for hosts giving themselves an address; an address that is assigned when no DHCP and no coordination is available; this is the so-called Link Local block.
127.0.0.0/8 is reserved for various purposes per RFC 3330, and includes the IP loopback or localhost address — the address that allows an IP host to connect to itself — as 127.0.0.1.
The previously discussed private blocks; the private IP address ranges provided by RFC 1918. Specifically, RFC 1918 provides the CIDR 10.0.0.0/8 (10.0.0.0 through 10.255.255.255; the old private Class A), 172.16.0.0/12 (172.16.0.0 through 172.31.255.255; private Class B), and 192.168.0.0/16 (192.168.0.0 through 192.168.255.255; the old private Class C). These private addresses are not allowed to pass through a router and onto the Internet.
If you are establishing a private network, HoffmanLabs recommends avoiding 192.168.0.0/16 block entirely due to its widespread use and inherent conflicts with IP routing with current or future use of VPN connections, and recommends the use of subnet(s) somewhere within the 10.0.0.0/8 or 172.16.0.0/12 blocks.
224.0.0.0/4 is the IPv4 multicast block. DHCPv4 itself does not use multicast: a client without an address sends its requests to the limited broadcast address 255.255.255.255, so ensure you don't block broadcast traffic on the LAN when you're using DHCP. You will see addresses in the multicast block with local service discovery such as mDNS/Bonjour (224.0.0.251) and SSDP (239.255.255.250). 224.0.1.1 is used for NTP multicast LAN-based timekeeping.
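The reserved blocks listed in this section, and the RFC 1918 subnet-conflict advice from the NAT section, as an added example that is not code from the original article. The classification table is an assumption drawn from the RFCs cited on this page (RFC 1918, the link-local and loopback blocks, the RFC 5737 documentation nets) plus ICANN's 127.0.53.53 indicator; only the Python standard library is used.

```python
"""Classify IPv4 addresses against the reserved and special-use blocks
discussed on this page, and check two LAN subnets for the overlap that
breaks VPN routing.

Added example; not code from the original article. The block table below
is an assumption built from the RFCs the article cites.
"""
import ipaddress
from typing import List

# Order matters: a more specific block must precede any larger block that
# contains it (127.0.53.53 before 127.0.0.0/8).
SPECIAL_BLOCKS = [
    ("127.0.53.53/32",     "ICANN name-collision indicator"),
    ("127.0.0.0/8",        "loopback"),
    ("169.254.0.0/16",     "link-local (APIPA, no DHCP answer)"),
    ("10.0.0.0/8",         "RFC 1918 private"),
    ("172.16.0.0/12",      "RFC 1918 private"),
    ("192.168.0.0/16",     "RFC 1918 private (widely used; avoid for VPN-reachable LANs)"),
    ("192.0.2.0/24",       "RFC 5737 documentation (TEST-NET-1)"),
    ("198.51.100.0/24",    "RFC 5737 documentation (TEST-NET-2)"),
    ("203.0.113.0/24",     "RFC 5737 documentation (TEST-NET-3)"),
    ("224.0.0.0/4",        "multicast"),
    ("255.255.255.255/32", "limited broadcast (DHCP discovery)"),
]
_BLOCKS = [(ipaddress.ip_network(cidr), label) for cidr, label in SPECIAL_BLOCKS]


def classify(addr: str) -> str:
    """Return the special-use label for addr, or 'public' if it is routable."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 only in this example")
    for net, label in _BLOCKS:
        if ip in net:
            return label
    return "public"


def is_routable_to_internet(addr: str) -> bool:
    """True only for addresses a border router should forward outward;
    RFC 1918 and the other special blocks must be NATed or filtered first."""
    return classify(addr) == "public"


def overlaps(subnet_a: str, subnet_b: str) -> bool:
    """True if the two subnets share any address. A VPN whose client LAN
    and server LAN overlap cannot route reliably between them."""
    return ipaddress.ip_network(subnet_a, strict=False).overlaps(
        ipaddress.ip_network(subnet_b, strict=False))


def audit_lan(subnet: str) -> List[str]:
    """Warnings worth reading before committing to a LAN subnet."""
    net = ipaddress.ip_network(subnet, strict=False)
    warnings = []
    if net.subnet_of(ipaddress.ip_network("192.168.0.0/16")):
        warnings.append("192.168/16 is in use at almost every hotspot; expect VPN conflicts")
    if net.num_addresses > 1024:
        warnings.append("large subnet: one broadcast domain for %d addresses" % net.num_addresses)
    if classify(str(net.network_address)) == "public":
        warnings.append("public block: confirm your ISP actually assigned it to you")
    return warnings


if __name__ == "__main__":
    for a in ("10.1.2.3", "169.254.10.1", "192.0.2.1", "127.0.53.53", "8.8.8.8"):
        print(a, "->", classify(a))
    print(overlaps("192.168.1.0/24", "192.168.1.0/24"))
    print(audit_lan("192.168.1.0/24"))
```

The table is checked in order rather than via `ipaddress.is_private`, because that property lumps the documentation nets and benchmarking ranges in with RFC 1918 and would hide the distinction the page draws.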
IPv6
IPv6 has various advantages, not the least of which is the complete elimination of NAT (for hosts using IPv6), and greatly-simplified address management. IPv6 is easier to configure and easier to use.
IPv6 does mean that the ISP needs IPv6-capable routing, though neither the ISP nor its users then need to deal with the (limited) IPv4 address space. And users do not need to deal with NAT.
SMTP: Simple Mail Transfer Protocol
If you expect to operate an SMTP server such as that on OpenVMS, you will typically require a static IP address and a way to connect from your OpenVMS, Linux or Mac OS X server to the ISP mail system. Some ISPs will require authenticated SMTP (SMTP AUTH, an ESMTP extension), and OpenVMS, and particularly the TCP/IP Services SMTP client transport, does not provide this.
Clients on other platforms can provide this, and clients on OpenVMS including Mozilla Navigator mail and PINE can provide authenticated SMTP.
If you are expecting to use dynamic IP addressing or are otherwise prohibited from using an SMTP server and port 25, you will have to use PINE or Navigator or another similar client. Message submissions are made via ESMTP and port 587, and mail is retrieved from the ISP SMTP server via POP or IMAP protocols.
Networking and DNS
There are two sides or aspects of configuring a firewall router, the ISP side of the firewall, and your internal network side. You'll need to know details for both, with information from your ISP around that side of the firewall, and local settings for your internal network.
Having functional DNS services is a common requirement for server operating systems. If your servers have public static IP addresses, your ISP may well be handling your DNS, or you might be using an open provider of DNS such as Google DNS. If you are using private address blocks, you may or will need to run DNS locally, depending on your environment and your servers. And you can then choose to establish DNS forwarding from your DNS server(s) along to your ISP DNS server(s), or to Google's 8.8.8.8 and 8.8.4.4 servers, though establishing DNS forwarding is not necessary.
Obtain your static IP address(es) and the external (ISP) DNS addresses for your firewall router from your ISP, or set your firewall router to use DHCP address assignment from the ISP; the former is common with business-class service from various ISPs, while the latter is usually a residential or lower tier of service. Which of these mechanisms you use depends on your ISP and whether or not you have public static address(es). As mentioned, you may choose to, and may well need to, run DNS server(s) within your own network as well; Mac OS X Server offers DNS, as does OpenVMS and most other server operating systems, as do some mid- and high-end dedicated network server devices.
Obtain the address for the SMTP mail server, and whether you can use plain SMTP or need authenticated submission, from your ISP, along with the address of the NNTP (news) server and other network application servers as required. You may need a password for the SMTP server.
Establish your router address and your subnet mask on your own network; inside your network. If just starting out, you'll likely be on one of the private networks. If you're using DHCP on your own network, set up the pool of addresses. Your firewall router is usually also your IP gateway router, whether that information is explicitly configured or (more commonly) downloaded from the DHCP server as part of acquiring an IP address.
Make sure you do not mix static addresses you might assign for servers or network printers and such with the DHCP pool you are using. This holds regardless of which device you are using for DHCP.
Cautions
Firewall-Routers have varying capabilities, and cheaper devices tend to have fewer or less flexible capabilities, or lower speeds. If you are running a home network with clients, most any recent firewall-router will be appropriate. Running servers requires more features of the firewall-router; you're now receiving unsolicited incoming network traffic.
- Some firewall-routers have limited or no DMZ capabilities, or cannot manage multiple external IP addresses.
- Some firewalls have limited security configurations
- Some firewalls cannot stealth themselves.
- Some firewalls lack syslog capabilities.
- For OpenVMS folks: OpenVMS Clustering does not operate over IP, though DECnet-Plus can. (HP may add clustering over IP circa V8.4, per the OpenVMS Roadmap.)
Do Not Expect Product Support
As a general rule, product support does not exist for commodity products. You should see a warranty swap for a hard device failure, but not much assistance in networking. This is a very central and very important consideration in your purchases.
Fielding one support call can obliterate any profit from the sale of a commodity product.
The product support script available to the support team will include answers to the core product questions, including “is it plugged in?” and “Did you read the manual?” And the sales or support organization will field return authorizations for dead products.
But you didn't pay enough to have support for IP networking or IP routing questions.
If you want to ask questions, either don't buy a commodity product, or you can acquire specific assistance from HoffmanLabs.
Addendum: Routers, Bridges, Switches and Firewalls
The following is a very quick introduction to some common devices encountered on an IP network.
IP is a common network protocol, and the basis for network communications in most environments. Discussions of IP, UDP, TCP and IP routing will be the subject of another future article here at HoffmanLabs; the following is a simplified comparison of the key devices.
Defined: IP Router
An IP Router is a network device with several network interface controllers (NICs).
A router is specific to a network protocol. An IP router can route IP, and no other protocols. A DECnet router routes DECnet. And some devices can include multiple routing stacks; can route both IP and DECnet, through their respective routing stacks.
An IP router receives an IP packet on one interface, determines the destination, and forwards and retransmits that data on a different interface. The typical IP router considers the destination address of the IP packet (and only the destination address, for typical routers), and routes the packet either toward another router that reports a path to the destination address, or toward the specific host when the destination is local to a network attached to the router. The most common examples seen in small networks are ADSL (DSL) routers, cable network routers, and firewalls.
Most any Mac OS X, Microsoft Windows, Linux or HP OpenVMS box with two or more NICs can be used as an IP router, but these solutions are comparatively awkward to configure and operate, and comparatively slow; general-purpose systems inherently involve more host software and hardware overhead when processing IP packets. Host-based routers tend to lack the specialized hardware and firmware intended to speed IP processing. Host-based routers are more expensive than dedicated routers, and slower. Accordingly, HoffmanLabs prefers to avoid using a general-purpose host as an IP router.
Static routing declares the particular NIC(s) associated with an IP host address or IP subnet. A static route is configured by the network manager, and is used by an IP router to locate the path (route) to the specified host.
The default gateway is a local IP router declared as the router that receives all IP traffic that is not addressed within the local LAN and that does not match a static route. This is the route used for all other remote network traffic. In small networks, the gateway is usually the firewall router.
Defined: Firewall
An IP Firewall is a specialized form of an IP router, and performs various additional processing on the IP network traffic beyond looking at the IP target address. In particular, an IP firewall can look at the particular type of IP packet and at the source and destination addresses and ports, and decide whether the packet should be forwarded along to the target host.
Similar to host-based routers, host-based firewalls are also more expensive than dedicated network firewalls, and slower. HoffmanLabs does use host-local firewalls for host-local traffic, but does not prefer to use a general-purpose host as a network firewall. The dedicated devices are more cost-effective, and faster.
Defined: Switches
Switches are lower-level devices than routers, and have fundamental differences from an IP router and routing discussed earlier; put simply, a switch does not consider IP networking when making its decisions.
A switch will have two and usually more network interfaces. An arriving frame reaches the switch, and the destination MAC address within the frame is used to determine which port will receive it — the MAC address is an Ethernet or WiFi address and is different from the IP address discussed with routing — and the switch then sends the frame out that port, or to all other ports when the destination MAC address is not yet known (a hub, the more primitive predecessor of the switch, repeats every frame to every port).
A switch gives no consideration to the IP network address nor consideration to routing nor gateway hosts, nor even whether the network packet that is arriving at the switch is an IP packet. Because of this transparency, switches are compatible with IP packets, as well as for DECnet, SCS clustering traffic, LAT and most any other network protocol that operates over Ethernet.
Switches are usually lower-cost and higher-performance than routers.
In a manner of consideration, a switch looks and works like a hunk of Ethernet cabling; these devices are transparent to network traffic.
Hosts are generally not used as bridges or switches, and generally make comparatively poor routers.
Related Topics
In addition to the Index: Mac OS X Server and Client Networking topic index, here are some other topics here at HoffmanLabs that may be of interest to readers of this article:
- What is the difference between a Static IP Address and a Dynamic IP Address?
- Security Tips: Your Server Got Hacked?
- Mac & OpenVMS Tips: Sftp And Ssh Certificate (No Password) Login
- Question About Security Options For Small Office Network
- HLRL: Virtual Private Network (VPN), SSL And Other Arcana
- Break-In Evasion Is Itself A DoS
- AskHL: Configuring FTP Services On Mac OS X
- Firewalls
- DNS Tips: Establishing A DNS Server On Snow Leopard
- Networking Tips: WiFi Configuration
- AskHL: Do I Need A Firewall?
Revision History
Most recent changes first.
- 27-Dec-2013 — added links to dynamic and static IP addressing
- 17-Jul-2011 — fixed some wording around the (lack of) need of a DNS forwarder.
- 22-Jan-2011 — added a link to Index: Mac OS X Server and Client Networking
- 8-Sep-2010 — added a link to AskHL: Do I Need A Firewall?.
- 22-Jul-2010 — suggestions around subnet allocation, and caveats around VPN routing.
- 16-Feb-2010 — minor rewording; links added.
- 27-Dec-2009 — added the Related Topics section, and links to other articles.
- 03-Dec-2009 — added a reference to Google DNS
- 16-Nov-2009 — updated some DNS-related wording, added a link to the Mac OS X Server DNS article.
- 7-Nov-2009 — updated and clarified some wording.
- 25-Aug-2009 — added references to the IP default gateway.
- 22-Jun-2009 — added a link to an existing DHCP article. Added this revision history section.
- 19-Aug-2008 — re-worked formatting, added updates per HP roadmap, and information around the likely survival of NAT in an IPv6 network as an IPv4 migration and coexistence tool.

Comments
For Reference...
From RFC 5737: The blocks 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2), and 203.0.113.0/24 (TEST-NET-3) are provided for use in documentation.
This parallels the example.org, example.com and example.net domains, which are reserved by RFC 2606, and thus among the IANA reserved domains, as well as the special-use domains including the .local domain. There are other special-use and reserved blocks, including for IPv6.
Potential DNS Name Collision Error: 127.0.53.53
More reference material... ICANN is using the IPv4 address 127.0.53.53 to indicate DNS configuration errors; a potential name collision.
No OpenVMS and no DECnet Firewalls
OpenVMS does not offer an integrated IP firewall with features akin to a modern host firewall, nor does OpenVMS offer a DECnet firewall.
This holds whether you are considering filtering IP traffic, screening DECnet Phase IV traffic, or filtering DECnet Phase V carried over DDCMP, OSI or TCP/IP or UDP/IP transports.
DECnet Phase V is also known as DECnet/OSI, and as DECnet-Plus.
With DECnet-Plus over IP, a traditional external IP gateway firewall device must enable access to TCP port 399 to allow any DECnet connections to traverse the gateway firewall. Or the gateway firewall must be configured to block TCP 399, if DECnet over IP access is to be disabled.
Accordingly and in general, HoffmanLabs recommends against exposing an OpenVMS server to the Internet.
HoffmanLabs is not aware of a DDCMP or TCP-level firewall with better granularity for DECnet traffic; a device akin to the DIGITAL SecurityGate (DSG) product (SPD 36.20.xx), or of a modern IP gateway firewall.
IP Marco Polo
If you're interested in determining what is connected to a local IP broadcast (Ethernet) network, you can use the following shell commands:
The ping command presumes your host is configured within 192.168.0.0/16, specifically in the 192.168.254.0/24 subnet with a subnet mask of 255.255.255.0; it sends a ping to every box in the subnet (here 192.168.254.1 to 192.168.254.254) using the subnet (directed) broadcast address 192.168.254.255. Note that many hosts ignore broadcast echo requests by default, so the ARP cache populated by the exchange is often the more reliable listing of who answered.
If you don't know the structure and use of an IP address and subnet routing and how to manipulate subnet masks, then this could be a little problematic. Calculators are available. You'll complement the value 255.255.255.0 or whatever your subnet mask is, and OR those lowest bits into your IP host address with what you get; with 0.0.0.255, in this case. If you have the host address 192.168.254.12 and the subnet mask 255.255.255.0, then the complement is 0.0.0.255 and ORing those bits into your IP address gets you the subnet broadcast address of 192.168.254.255. Again, there are calculators for this.
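The complement-and-OR derivation just described, carried through in code as an added example that is not from the original article. It uses the article's own host address and mask (192.168.254.12 / 255.255.255.0); the ping and arp command lines it returns are an assumption about a Linux shell (Linux ping needs -b to send to a broadcast address) and are shown rather than executed.

```python
"""Derive the subnet broadcast address the way the paragraph above
describes: complement the mask, OR the result into the host address.

Added example; not code from the original article. The command lines from
probe_commands() assume a Linux shell and are not run here.
"""
from typing import List, Tuple


def dotted_to_int(dotted: str) -> int:
    octets = [int(o) for o in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted quad: {dotted}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_length(mask: str) -> int:
    """Number of leading one bits; rejects non-contiguous masks such as
    255.0.255.0, which no router will accept."""
    m = dotted_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous subnet mask: {mask}")
    return ones


def subnet_bounds(host: str, mask: str) -> Tuple[str, str, str, str]:
    """Return (network, first host, last host, broadcast) for host/mask."""
    bits = prefix_length(mask)
    h = dotted_to_int(host)
    m = dotted_to_int(mask)
    network = h & m
    broadcast = h | (~m & 0xFFFFFFFF)   # the complement-and-OR step from the text
    if bits >= 31:  # /31 and /32 have no distinct broadcast or usable host range
        return (int_to_dotted(network), int_to_dotted(network),
                int_to_dotted(broadcast), int_to_dotted(broadcast))
    return (int_to_dotted(network), int_to_dotted(network + 1),
            int_to_dotted(broadcast - 1), int_to_dotted(broadcast))


def probe_commands(host: str, mask: str) -> List[str]:
    """Shell lines for the broadcast-ping-then-ARP technique (assumed Linux).
    Many hosts ignore broadcast echo requests, so the ARP cache populated
    by the exchange is the more reliable listing of who is on the wire."""
    broadcast = subnet_bounds(host, mask)[3]
    return [f"ping -b -c 3 {broadcast}", "arp -a"]


if __name__ == "__main__":
    print(subnet_bounds("192.168.254.12", "255.255.255.0"))
    print("\n".join(probe_commands("192.168.254.12", "255.255.255.0")))
```

The contiguity check in `prefix_length` is the part a calculator tends to skip: a typo such as 255.255.0.255 produces a plausible-looking broadcast address but an unroutable subnet, so rejecting it up front saves a confusing debugging session.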
This approach will not detect DECnet or SCS or any number of other network protocols that are connected and do have MAC addresses, but that lack IP addresses.
There are also commercial and open-source tools which will crawl through and try to “fingerprint” the boxes on a LAN, as well.