135 lines
6.8 KiB
HTML
135 lines
6.8 KiB
HTML
|
<?xml version="1.0" encoding="utf-8"?>
|
||
|
|
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
|
||
|
|
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
|
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
|
||
|
|
<head>
|
||
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
|
<meta name="dc.language" scheme="rfc1766" content="en-us" />
|
||
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
|
<!-- US Government Users Restricted Rights -->
|
||
|
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
|
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
|
||
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2004, 2006" />
|
||
|
|
<meta name="security" content="public" />
|
||
|
|
<meta name="Robots" content="index,follow"/>
|
||
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
|
<title>IP Packet Filter Firewall</title>
|
||
|
|
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
|
||
|
|
<link rel="stylesheet" type="text/css" href="ic.css" />
|
||
|
|
</head>
|
||
|
|
<body>
|
||
|
|
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
|
||
|
|
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
|
||
|
|
|
||
|
|
|
||
|
|
<a name="packetff"></a>
|
||
|
|
<h3 id="packetff">IP Packet Filter Firewall</h3>
|
||
|
|
<p>An IP packet filter firewall allows you to create a set of rules that either
|
||
|
|
discard or accept traffic over a network connection. The firewall itself does
|
||
|
|
not affect this traffic in any way. Because a packet filter can only discard
|
||
|
|
traffic that is sent to it, the device with the packet filter must either
|
||
|
|
perform IP routing or be the destination for the traffic.</p>
|
||
|
|
<p>A packet filter has a set of rules with accept or deny actions. When the
|
||
|
|
packet filter receives a packet of information, the filter compares the packet
|
||
|
|
to your pre-configured rule set. At the first match, the packet filter either
|
||
|
|
accepts or denies the packet of information. Most packet filters have an implicit
|
||
|
|
deny all rule at the bottom of the rules file.</p>
|
||
|
|
<p>Packet filters usually permit or deny network traffic based on:</p>
|
||
|
|
<ul>
|
||
|
|
<li>Source and destination IP addresses</li>
|
||
|
|
<li>Protocol, such as TCP, UDP, or ICMP</li>
|
||
|
|
<li>Source and destination ports and ICMP types and codes</li>
|
||
|
|
<li>Flags in the TCP header, such as whether the packet is a connect request</li>
|
||
|
|
<li>Direction (inbound or outbound)</li>
|
||
|
|
<li>Which physical interface the packet is traversing</li></ul>
|
||
|
|
<p>All packet filters have a common problem: the trust is based on IP addresses.
|
||
|
|
Although this security type is not sufficient for an entire network, this
|
||
|
|
type of security is acceptable on a component level.</p>
|
||
|
|
<p>Most IP packet filters are stateless, which means they do not remember
|
||
|
|
anything about the packets they previously process. A packet filter with state
|
||
|
|
can keep some information about previous traffic, which gives you the ability
|
||
|
|
to configure that only replies to requests from the internal network are allowed
|
||
|
|
from the Internet. Stateless packet filters are vulnerable to spoofing since
|
||
|
|
the source IP address and ACK bit in the packet's header can be easily forged
|
||
|
|
by attackers.</p>
|
||
|
|
<p>i5/OS™ lets you specify packet filter rules on interfaces
|
||
|
|
and remote access service profiles. See the following topics for more details: <a href="../rzajb/rzajbrzajb8a0creatingsd.htm">Create IP filter rules</a> and <a href="../rzaiy/rzaiygetstart.htm">Remote Access Services: PPP connections</a>. If you are using either an external
|
||
|
|
packet filter firewall or packet filter rules on the i5/OS and your Universal Connection data
|
||
|
|
passes through these filters, you must change the filter rules to allow the
|
||
|
|
connection to the IBM® VPN Gateway as follows:</p>
|
||
|
|
<a name="wq3"></a>
|
||
|
|
<table id="wq3" width="100%" summary="" border="1" frame="border" rules="all">
|
||
|
|
<thead valign="bottom">
|
||
|
|
<tr>
|
||
|
|
<th id="wq4" width="39%" align="left" valign="top">IP filter rules</th>
|
||
|
|
<th id="wq5" width="60%" align="left" valign="top">IP filter values</th>
|
||
|
|
</tr>
|
||
|
|
</thead>
|
||
|
|
<tbody valign="top">
|
||
|
|
<tr>
|
||
|
|
<td headers="wq4">UDP inbound traffic filter rule</td>
|
||
|
|
<td headers="wq5">Allow port 4500 for VPN gateway addresses</td>
|
||
|
|
</tr>
|
||
|
|
<tr>
|
||
|
|
<td headers="wq4">UDP inbound traffic filter rule</td>
|
||
|
|
<td headers="wq5">Allow port 500 for VPN gateway addresses</td>
|
||
|
|
</tr>
|
||
|
|
<tr>
|
||
|
|
<td headers="wq4">UDP outbound traffic filter rule</td>
|
||
|
|
<td headers="wq5">Allow port 4500 for VPN gateway IP addresses</td>
|
||
|
|
</tr>
|
||
|
|
<tr>
|
||
|
|
<td headers="wq4">UDP outbound traffic filter rule</td>
|
||
|
|
<td headers="wq5">Allow port 500 for VPN gateway IP addresses</td>
|
||
|
|
</tr>
|
||
|
|
<tr>
|
||
|
|
<td headers="wq4">ESP inbound traffic filter rule</td>
|
||
|
|
<td headers="wq5">Allow ESP protocol (X'32') for VPN gateway IP addresses</td>
|
||
|
|
</tr>
|
||
|
|
<tr>
|
||
|
|
<td headers="wq4">ESP outbound traffic filter rule</td>
|
||
|
|
<td headers="wq5">Allow ESP protocol (X'32') for VPN gateway IP addresses</td>
|
||
|
|
</tr>
|
||
|
|
</tbody>
|
||
|
|
</table>
|
||
|
|
<p>For those Universal Connection applications that use HTTP
|
||
|
|
and HTTPs for a transport, you must change the filter rules to allow connections
|
||
|
|
to the IBM service destinations as follows:</p>
|
||
|
|
<a name="wq6"></a>
|
||
|
|
<table id="wq6" width="100%" summary="" border="1" frame="border" rules="all">
|
||
|
|
<thead valign="bottom">
|
||
|
|
<tr>
|
||
|
|
<th id="wq7" width="39%" align="left" valign="top">IP filter rules</th>
|
||
|
|
<th id="wq8" width="60%" align="left" valign="top">IP filter values</th>
|
||
|
|
</tr>
|
||
|
|
</thead>
|
||
|
|
<tbody valign="top">
|
||
|
|
<tr>
|
||
|
|
<td headers="wq7">TCP inbound traffic filter rule</td>
|
||
|
|
<td headers="wq8">Allow port 80 for all service destination addresses</td>
|
||
|
|
</tr>
|
||
|
|
<tr>
|
||
|
|
<td headers="wq7">TCP inbound traffic filter rule</td>
|
||
|
|
<td headers="wq8">Allow port 443 for all service destination addresses</td>
|
||
|
|
</tr>
|
||
|
|
<tr>
|
||
|
|
<td headers="wq7">TCP outbound traffic filter rule</td>
|
||
|
|
<td headers="wq8">Allow port 80 for all service destination addresses</td>
|
||
|
|
</tr>
|
||
|
|
<tr>
|
||
|
|
<td headers="wq7">TCP outbound traffic filter rule</td>
|
||
|
|
<td headers="wq8">Allow port 443 for all service destination addresses</td>
|
||
|
|
</tr>
|
||
|
|
</tbody>
|
||
|
|
</table>
|
||
|
|
<p>Part of changing the filter rules involves specifying an actual IBM VPN Gateway
|
||
|
|
address. You can determine these addresses as described in <a href="detvpnaddy.htm#detvpnaddy">Determine the IBM VPN Gateway addresses</a>.</p>
|
||
|
|
<p>In addition, for HTTP and HTTPs traffic, part of changing the
|
||
|
|
filter rules may involve specifying actual service destination addresses.
|
||
|
|
You can determine these addresses as described in <a href="detsdaddy.htm#detsdaddy">Determine the IBM Service Destination addresses</a>.</p>
|
||
|
|
<p>For more information, see the <a href="../rzajb/rzajbrzajb1whatis.htm">Packet rules concepts</a> topic.</p>
|
||
|
|
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
|
||
|
|
</body>
|
||
|
|
</html>
|