I am getting the following error for (note the a and b are placeholders for actual numbers):

$TCPIP SET SERVICE SSH /ACCEPT=NETWORK=(a.b.241.0:255.255.255.0,a.b.242.0:255.255.255.0,a.b.243.0:255.255.255.0)
%TCPIP-E-SERVERROR, cannot process service request
-TCPIP-E-INVQUAL, invalid qualifier value for /ACCEPT.NETWORKS
-SYSTEM-F-TOOMUCHDATA, too much optional or interrupt data specified

The site has 7 full IP ranges to allow (this is just 3). How would you enter them?

The limit is 16 which I took to mean 16 network specifications not 16 IPs?

Any help would be appreciated.

TIA,

John Tran

> The site has 7 full IP ranges to allow (this is just 3). How would you
> enter them?

Define "full IP range". But first:

tcpip show version

tcpip show service SSH /full

How _I_ would specify them would depend on what they actually are.
For example, "a.b.242.0:255.255.255.0,a.b.243.0:255.255.255.0" might
have been reduced to "a.b.242.0:255.255.254.0". But, before I did
anything, I'd clean out what's there now:

set service SSH /accept = nonetworks = *

My accept/reject script files include helpful(-to-me) comments like
these:

! Popular netmasks:
! ! 11111111 /8 = 255 11111110 /7 = 254 11111100 /6 = 252 11111000 /5 = 248
! ! 11110000 /4 = 240 11100000 /3 = 224 11000000 /2 = 192 10000000 /1 = 128

> The limit is 16 which I took to mean 16 network specifications not 16
> IPs?

Define "IPs".

https://en.wikipedia.org/wiki/Internet_Protocol
https://en.wikipedia.org/wiki/IP_address

I'd expect it to take 16 subnet specifications, but they do
accumulate.

I generally do /reject, not /accept, but my scripts all start with
commands like:

set service XXXX /reject = nohost = *
set service XXXX /reject = nonetworks = *

and then build upon the resulting clean slates. I don't hit any
unexpected limits. (But higher limits would be helpful to me.)

On Thursday, November 18, 2021 at 2:13:31 PM UTC-4, Steven Schweda wrote:
> > The site has 7 full IP ranges to allow (this is just 3). How would you
> > enter them?
> Define "full IP range". But first:
>
> tcpip show version
>
> tcpip show service SSH /full
>
> How _I_ would specify them would depend on what they actually are.
> For example, "a.b.242.0:255.255.255.0,a.b.243.0:255.255.255.0" might
> have been reduced to "a.b.242.0:255.255.254.0". But, before I did
> anything, I'd clean out what's there now:
>
> set service SSH /accept = nonetworks = *
>
> My accept/reject script files include helpful(-to-me) comments like
> these:
>
> ! Popular netmasks:
> !
> ! 11111111 /8 = 255 11111110 /7 = 254 11111100 /6 = 252 11111000 /5 = 248
> !
> ! 11110000 /4 = 240 11100000 /3 = 224 11000000 /2 = 192 10000000 /1 = 128
> > The limit is 16 which I took to mean 16 network specifications not 16
> > IPs?
> Define "IPs".
>
> https://en.wikipedia.org/wiki/Internet_Protocol
> https://en.wikipedia.org/wiki/IP_address
>
> I'd expect it to take 16 subnet specifications, but they do
> accumulate.
>
> I generally do /reject, not /accept, but my scripts all start with
> commands like:
>
> set service XXXX /reject = nohost = *
> set service XXXX /reject = nonetworks = *
>
> and then build upon the resulting clean slates. I don't hit any
> unexpected limits. (But higher limits would be helpful to me.)

Thanks for your reply. By full IP range, I meant a.b.1.1 through a.b.255.255. IPs is just a single IP regardless of subnet mask.

I did the TCPIP SHOW SERVICE SERVICE /FULL and there were 13 other settings beforehand. D'oh. I was told there were none. So I mistook that it meant 16 individual IPs and not IP ranges or networks.

Thanks for your help!

On 2021-11-18 14:00:46 +0000, Dymaxion Development said:

> I am getting the following error for (note the a and b are placeholders
> for actual numbers):
>
> $TCPIP SET SERVICE SSH
> /ACCEPT=NETWORK=(a.b.241.0:255.255.255.0,a.b.242.0:255.255.255.0,a.b.243.0:255.255.255.0)
>
> %TCPIP-E-SERVERROR, cannot process service request
> -TCPIP-E-INVQUAL, invalid qualifier value for /ACCEPT.NETWORKS
> -SYSTEM-F-TOOMUCHDATA, too much optional or interrupt data specified

Somewhat odd that CIDR syntax (e.g. 192.0.2.0/24, 198.51.100.0/28) was
never added here, as an aside.

CIDR syntax was added in various other places within TCP/IP Services,
most notably in the config tool.

--
Pure Personal Opinion | HoffmanLabs LLC

> [...] By full IP range, I meant a.b.1.1 through a.b.255.255. [...]

Why ".1.1", and not ".0.0"? "a.b.0.0:255.255.0.0" would cover what
_I_'d call the whole "a.b.*.*" range.

> [...] IPs is just a single IP regardless of subnet mask.

I'll try again. Define "IP".

https://en.wikipedia.org/wiki/Internet_Protocol
https://en.wikipedia.org/wiki/IP_address

If you _mean_ "IP _address_", then your meaning would be clearer if you
_said_ "IP address".

> [...] I was told [...]

Trust no one, I always say. "SHOW" is your friend.

> Somewhat odd that CIDR syntax (e.g. 192.0.2.0/24, 198.51.100.0/28) was
> never added here, as an aside.

Odd, and annoying. I'd be happy to ditch my handy mask-guide
comments.

Another related annoyance is that where that notation _is_ accepted
(like, say, SYS$SPECIFIC:[TCPIP$SMTP]TCPIP$SMTP.CONF), the whole address
must be specified, including the insignificant part. I've repeatedly
gotten bad data using copy+paste (carelessly) from whois.ripe.net or
whois.lacnic.net, which publish values like "186.188.128/17" instead of
"186.188.128.0/17", where the last ".0" conveys no useful information.
As an aside.