root travels through the QNX4 nodes

Hi,

How do I protect QNX4 node? The problem is that any root from any other QNX4
node remains root on my node too. Does it mean that anyone, who can plug
the notebook into my presumably private LAN, can destroy the system?

Can I somehow tell the system that it must deny network connections from any
nodes except, say, 1,2 and 3?

Thanks

DMitri <ivdal@yahoo.com> wrote:

Hi,

How do I protect QNX4 node? The problem is that any root from any other QNX4
node remains root on my node too. Does it mean that anyone, who can plug
the notebook into my presumably private LAN, can destroy the system?

Can I somehow tell the system that it must deny network connections from any
nodes except, say, 1,2 and 3?

No. There is no way to do that kind of access control.
However, you can limit incoming/outgoing VC. Take a
look at the “-L” (-L1, -L2) option of Proc32 (use /boot/sys/Proc32).

-xtang

It’s been a while since I’ve done this, but I thought you could fully
populate netmap and tell Net not to allow changing netmap.

Details:

If you have 20 node licenses (find out with ‘license’) then Net can receive
packets from nodes 1 through 20 (not counting your own node number) on each
lan. Make sure that your netmap has an entry for every node number for
every lan. I.E. If you don’t have nodes 16-20 yet just make up numbers.
Then tell Net not to auto add new MAC addresses (use Net).

What this does is tell Net that if a packet didn’t come from a MAC address
that’s already in your netmap then the packet should just be ignored.


Bill Caroselli – 1(626) 824-7983
Q-TPS Consulting
QTPS@EarthLink.net


“Xiaodan Tang” <xtang@qnx.com> wrote in message
news:a2jtvn$5hp$1@nntp.qnx.com

DMitri <ivdal@yahoo.com> wrote:

Hi,

How do I protect QNX4 node? The problem is that any root from any other QNX4
node remains root on my node too. Does it mean that anyone, who can plug
the notebook into my presumably private LAN, can destroy the system?

Can I somehow tell the system that it must deny network connections from any
nodes except, say, 1,2 and 3?

No. There is no way to do that kind of access control.
However, you can limit incoming/outgoing VC. Take a
look at the “-L” (-L1, -L2) option of Proc32 (use /boot/sys/Proc32).

-xtang

DMitri <ivdal@yahoo.com> wrote:

Hi,

How do I protect QNX4 node? The problem is that any root from any other QNX4
node remains root on my node too. Does it mean that anyone, who can plug
the notebook into my presumably private LAN, can destroy the system?

Can I somehow tell the system that it must deny network connections from any
nodes except, say, 1,2 and 3?

Run Net with the -A command line option. Then, Net won’t automatically
add nodes to its netmap when an incoming request comes in, and no nodes
that aren’t in your existing netmap can be talked to, so if someone
just plugs into your lan, they can’t talk to your computers.

Well… if they can sniff the packets, and can spoof the MAC address
of one of your machines already on the lan, then they can still hack
into your machines.

Effectively, to get any network security, you really need physical
security, but the above makes things a bit harder.

Otherwise, the QNX network model is essentially that all machines on
the network are really one big virtual computer running on multiple
CPUs (transparent networking) – there is effectively no inter-node
security.

-David

QNX Training Services
I do not answer technical questions by email.
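
An added example, not written by any poster in this thread: a small shell audit for the advice above that the netmap should hold an entry for every node number on every LAN before Net is run with -A. The line layout ("logical node, LAN, physical ID"), the function names and the sample data are assumptions made for illustration; adjust the field positions to what your netmap actually contains.

```shell
#!/bin/sh
# ASSUMED netmap line layout (not confirmed by the thread):
#   <logical node> <lan> <physical id ...>     '#' starts a comment

# netmap_gaps LICENSES LANS OWN_NODE FILE
# Prints "node lan" for every slot in 1..LICENSES x 1..LANS that has no
# mapping in FILE (use "-" for stdin). The local node is skipped, since Net
# does not need a mapping to receive from itself. No output means the map
# is fully populated, so there are no empty slots left.
netmap_gaps() {
    awk -v max="$1" -v lans="$2" -v own="$3" '
        { sub(/#.*/, "") }                          # drop comments
        NF >= 3 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ {
            seen[$1 + 0, $2 + 0] = 1                # remember (node, lan)
        }
        END {
            for (n = 1; n <= max; n++) {
                if (n == own) continue
                for (l = 1; l <= lans; l++)
                    if (!((n, l) in seen)) print n, l
            }
        }' "$4"
}

# Constructed sample: 5 licenses, 1 LAN, this machine is node 1.
# The MAC-like values are made up for the example.
sample_netmap() {
cat <<'EOF'
# logical  lan  physical
1 1 0000c0 111111
2 1 0000c0 222222
3 1 0000c0 333333
5 1 0000c0 555555   # placeholder for a node not installed yet
EOF
}

# Node 4 on LAN 1 has no entry, so it is reported as a gap.
sample_netmap | netmap_gaps 5 1 1 -
```
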

Otherwise, the QNX network model is essentially that all machines on
the network are really one big virtual computer running on multiple
CPUs (transparent networking) – there is effectively no inter-node
security.

And this is a good-thing IMO. If I want traditional (every node is a
self-contained island) networking, then there are plenty of other
options available. QNX networking is a different tool than
“conventional” networking (it’s a shame they both have the term
“networking” in them really).