Modular Software - Home PicLan-IP - Home

PicLan-IP Inbound TELNET Configuration

In order to use PicLan-IP for inbound TELNET connections, you must configure your system to accept these connections.  The following pre-requesites apply:

Configuring Inbound TELNET Ports

The first step in configuring inbound TELNET services is deciding on which Pick ports you are going to assign as inbound TELNET ports.  In general, inbound TELNET ports have the same restrictions as inbound PicLan IPX ports and are configured co-operatively with inbound PicLan IPX ports.
To configure inbound TELNET ports, you follow this proceedure:

Configuring Inbound TELNET Listen Rules

After you have setup one or more ports as inbound TELNET ports, you must setup inbound TELNET listen "rules".  These rules tell the PicLan-IP server threads about what TCP/IP addresses and ports it should listen for inbound TELNET connections, and if a connection is received, what action is to be taken.

The listen "rules" are configured in the PLIP.CTRL CONFIG item and take on the format:

You can specify multiple listen rules.  When processing inbound TELNET connections, the rules table is scanned from the beginning and the first rule that matches the connection is used to control the connection.
In this example, a TELNET listen is posted on the first configured IP address and TCP port 23 (the default for TELNET).  Connections from address 207.215.231.10 (with a sub-net mask of 255.255.255.255) will result in a connection to Pick port 250 or 251.  If the connection is idle for more than 20 minutes, it will automatically be disconnected. The use can use <ctrl>C as a break key.  Finally, if the connection is disconnected (either by the user or because of a timeout), the port will be logged off.

The complete format of a TELNET LISTEN rule is divided into a number of fields seperated by spaces.

ip_addr:tcp_port - The IP address and TCP port number that is opened for incoming connections.  It is acceptible to have more than one rule for a single IP address and TCP port combination.  You can use the * character to specify the first configured IP address.

remote_addr remote_net_mask - These parameters specify whether this rule will apply for a particular connection.  If the actual remote IP address "ANDed" with the remote_net_mask equals the remote_addr, then this rule is processed.  If the actual remote IP address "ANDed" with the remote_net_mask does not equal the remote_addr, then this rule is skipped and the next rule is examined for a match.  More information on IP address matching is included later in this document.

pick_ports - This is a list of Pick ports that are to be used for this connection.  You can specify either a single port, or multiple ports as a combination of single ports or port ranges.  In either case, the list will be processed in order until an available port is found. If no ports are available, then the user will receive an error message and the connection will be terminated.

timeout - This is the amount of time (in hh:mm:ss format) that an inactive connection will be maintained.  An inactive connection is defined as one that has no inbound or outbound traffic.  If you specify 00:00:00, then the connectin will not timeout.  The maximum timeout length is 8 hours.

break_char - This is the decimal ascii value of a control character that will break the Pick port.  The inbound TELNET services in PicLan-IP will respond to the TELNET "interrupt" command, but this control allows you to set a break key for use with TELNET terminal emulators that do not generate an interrupt command.  If you specify 0, then a break character will not be set.

options - Options are used to specify how the ports will be logged on and off when a connection is established or broken.  The two available options are:

IP Address Matching Rules

When a user connects to PicLan-IP inbound TELNET services, the connection has a remote address.  This is the IP address that the user running a TELNET terminal emulator has assigned to his computer system (it can also be the IP address of a sockets proxy server, Network Address Translation [NAT] server, or TELNET terminal server).  PicLan-IP uses this address to decide which Pick port (if any) to make a TELNET connection with.

In understanding whether a particular remote address matches the TELNET LISTEN rule's remote_address remote_net_mask pair, you need to understand how IP addresses and network sub-net masks are manipulated.

IP Address Math

IP addresses are actually four byte binary numbers that range from 0 to 4294967295 (00000000 to FFFFFFFF in hex).  As a shorthand, these addresses are usually expressed as a series of four decimal numbers seperated by periods (or dots).  This allows for IP addresses from 0.0.0.0 to 255.255.255.255.

Because of how IP addresses are assigned and how IP network traffic is routed, an IP address is usually considered as a network address and a local address.  The network address is the left-part of the IP address and the local address is the right-part of the IP address. It is the sub-net mask that defines the division between the network address and the local address.

Class A, B, and C sub-nets
Originally, there were three types of sub-nets (based on the number of addresses within each type).  There are class A, class B, and class C.

Class A - A class A network uses one byte to specify the network address and three bytes to specify the local address.  Class A networks can have at most 16777216 IP addresses.

Class B - A class B network uses two bytes to specify the network address and two bytes to specify the local address.  Class B networks can have at most 65536 IP addresses.

Class C - A class C network uses three bytes to specify the network address and two bytes to specify the local address.  Class C networks can have at most 256 IP addresses.

The manner that a network address is specified is through the use of the sub-net mask.  This is a number that is formatted in the same manner as an IP address.  By using the sub-net mask, a computer system can determine which part of an IP address is the network address and which part is the local address.  Because a class A network uses the left byte of the IP address as the network address and the right three bytes as the local address, the sub-net mask is 255.0.0.0.  Class B networks have sub-net masks of 255.255.0.0 and class C networks have sub-net masks of 255.255.255.0.

How sub-net masks are evaluated
Sub-net masks are used to determine the network address from a supplied IP address.  This is done by performing a bit-wise and operation between the IP address and the sub-net mask.  For a class A network, the 255.0.0.0 sub-net mask indicates that 255 is to be anded with the left byte of the IP address and 0 is to be anded with the right three bytes of the IP address to form a network address.  255 is a binary number with 8 bits set to 1, so 255 anded with any number will equal that number.  0 is a binary number with 8 bits set to 0, so 0 anded with any number will always equal zero.  This means that a class A IP address 24.18.32.7 has a network address of 24.0.0.0 (the result of anding 24.18.32.7 with 255.0.0.0).

Similarily, class B networks use a sub-net mask of 255.255.0.0 and class C networks use a sub-net mask of 255.255.255.0.

Other sub-net types
Because the internet is rapidly running out of addresses, network sizes have been created that lie between and below the size of the existing class A, B, and C networks originally envisioned.  Instead of considering the number of bytes in the network address, these new schemes specify the number of bits in the network address.  This means that a class A network is also called a /8 network.  A class B network is a /16 and a class C is a /24 network.  The advantage of this is that if only 6 addresses are needed, you can use a /29 network which has a sub-net mask of 255.255.255.248.

How PicLan-IP evaluates network addresses

The PicLan-IP TELNET server works by taking the inbound IP address and anding it with the remote_net_mask.  If the result equals the the remote_addr then the specified rule will be used. If the result does not match, then the next rule will be evaluated.

Inbound TELNET Address Examples

Allow all users

If you wish to allow all users, you would specify a remote_addr of 0.0.0.0 and a remote_net_mask of 0.0.0.0.  When anded with 0.0.0.0, any IP address will always match with 0.0.0.0.  This configuration will allow any users to connect with the TELNET server.

Allow only a single user

If you wish to only allow a single IP address, you would specify a remote_addr that matches the user's IP address and a remote_net_mask of 255.255.255.255. By specifying a network mask of 255.255.255.255, all bits in the IP address are evaluated for a match.  This configuration is used to allow only a specify IP address to connect.

Allowing a sub-net

You can specify other sub-net masks to allow any user on a particular network to access the Pick host over telnet.  You could use this to allow connections from local PCs, but exclude connections from the internet.

Handling dynamic IP addresses

If you have users that dial into an ISP (Internet Service Provider), they will probably get what is called a dynamic IP address.  This means that the IP address that they are assigned may change each time they connect with their ISP.  In this case, it is impossible to limit connections to a single IP address because that address will change every time the user connects with their ISP.  You should realize that the IP address that they are assigned will always be a part of an IP sub-net, so you can limit access to the sub-net.

Implementing Inbound TELNET Security

This discussion is primarily intended for users who are connecting their systems to the Internet.  Security on local networks is several orders of magnitude easier.

The PicLan-IP TELNET server allows you to control who makes connections, and to which ports, based on the remote user's IP address.  If you are concerned about security, you should consider the following steps:

None of the techniques are fool-proof, but used intelligently, they can limit your exposure.

Also, you should keep in mind that TELNET is an "in the clear", non-encrypted protocol and any users with packet-sniffing equipment and access to the network path can watch everything that a user types (you should note that this typically must be done by an ISP [or by someone who has hacked into an ISPs system]).

Configuring TELNET Option Strings

The PicLan-IP TELNET server runs using minimal TELNET option strings. These option strings are encoded in hex in the PLIP.CTRL CONFIG item under the label:
TELNET OPT STR=
This string of characters will be send to TELNET clients upon connection to setup elements such as echo, line mode, and other required options. You should consult RFC 854 (and subsequent revisions) for more information.

If you have difficult with specific TELNET client applications, setting up additional option strings can help.  If you are unfamiliar with TELNET operation and programming, you can contact Modular Software technical support for additional help.

Modular Software - Home PicLan-IP - Home

© Copyright 1996-1998  Modular Software Corporation.All rights Reserved.