ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzajb_5.4.0.1/rzajbrzajb8a0creatingsd.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Create IP filter rules" />
<meta name="abstract" content="When you create a filter, you specify a rule that governs the IP traffic flow in and out of your system." />
<meta name="description" content="When you create a filter, you specify a rule that governs the IP traffic flow in and out of your system." />
<meta name="DC.Relation" scheme="URI" content="rzajbrzajbx1creatingnewrulessd.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajbrzajb8bcreatingnatrulessd.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajbrzajb82filterinterfacessd.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajbrzajb4natsd.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajbrzajbttrouble.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzajb8a0-creating_sd" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Create IP filter rules</title>
</head>
<body id="rzajb8a0-creating_sd"><a name="rzajb8a0-creating_sd"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Create IP filter rules</h1>
<div><p>When you create a filter, you specify a rule that governs the IP
traffic flow in and out of your system.</p>
<div class="section"><div class="p">The rules you define specify whether the system should permit
or deny packets that attempt to access your system. The system directs IP
packets based on the type of information in the IP packet headers. It also
directs the IP packet to the action that you have specified the system to
apply. The system discards any packets that do not match a specific rule.
This automatic discard rule is called the <em>default deny rule</em>. Located
at the end of the file, the default deny rule is automatically activated any
time a packet does not match the criteria in any of the preceding rules. You
must have at least one filter rule activated for the default deny rule to
be active. <div class="important"><span class="importanttitle">Important:</span> When you apply rules to an interface through
which you are configuring the iSeries™ server, it is very important
that you permit your own workstation or that of anyone else who might be configuring
the iSeries server.
Failure to do so will result in a loss of communication with the iSeries server.
If this happens, you will need to log on to the iSeries server using an interface that
still has connectivity, such as the operators console. Use the RMVTCPTBL command
to remove all filters on the system.</div>
</div>
</div>
<div class="section"><p>Before you create your filter rules, you should determine whether
you need to use network address translation (NAT).  If you use NAT rules,
you  <em>must</em> define addresses and services. NAT is the only function that
requires a defined address, but you can use it for other functions as well.
If you define addresses and services, you can reduce the number of rules that
you must create as well as minimizing the possibility of typographical errors.</p>
</div>
<div class="section"><div class="p">Here are some other ways you can use to minimize error and maximize
efficiency when creating filter rules: <ul><li>Define one filter rule at a time. For example, create all the permits
for Telnet at the same time. This way you can group associate the rules whenever
you refer to them.</li>
<li>Filter rules are processed in the order that they appear in the file.
Be sure to order the rules the way you intend them to be applied when you
create them. If the order is incorrect, your system is vulnerable to attack
because the packets will not be processed as you intend them to be. To make
things easier, consider the following optional actions:  <ol><li>Place your filter set names in the FILTER_INTERFACE statement in the exact
same order in which the sets are physically defined in the file.</li>
<li>Place all filter rules in one set to avoid problems with set order.</li>
</ol>
</li>
<li>Verify the syntax of each rule as you go along. This is easier and faster
than debugging them all at once.</li>
<li>Create set names for groups of files that are logically associated with
each other. This is important because only one rule file can be active at
a time. See the following example.</li>
<li>Only write filter rules for the datagrams you want to permit. Everything
else will be discarded by the automatic deny rule.</li>
<li>Write rules for high traffic volume first.</li>
</ul>
</div>
</div>
<div class="section"><h4 class="sectiontitle">Example:</h4><p>Look at the <em>Create set names</em> tip
above. You might want to allow Telnet access to a number of internal users,
but not to all. To manage these rules easier, you can assign each of them
the set name <samp class="codeph">TelnetOK</samp>. A second criteria can allow Telnet
through a specific interface and block Telnet traffic from all others. In
this case, you need to create a second set of rules that block Telnet access
entirely. You can assign these rules the set name <samp class="codeph">TelnetNever</samp>.
By creating set names, you make it easier to distinguish the purpose of the
rule. It is also easier to determine which interfaces you intend to apply
to particular sets. Use all of the tips above to ease the process of creating
filters.</p>
</div>
<div class="section"><p>For instructions on how to create IP filter rules, use the Packet
Rules Editor online help.</p>
</div>
<div class="section"><h4 class="sectiontitle">Next topic</h4><p>After you create your filters, you might
want to <a href="rzajbrzajb88includessd.htm">Include files in packet rules</a> in the filter statement.
If not, the next step is to <a href="rzajbrzajb82filterinterfacessd.htm">Define IP filter interfaces</a> to
which the rules apply.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajbrzajbx1creatingnewrulessd.htm" title="Read the checklist that contains an overview of the tasks you must complete to ensure that your rules work properly when activated.">Configure packet rules</a></div>
<div class="previouslink"><strong>Previous topic:</strong> <a href="rzajbrzajb8bcreatingnatrulessd.htm" title="To use network address translation (NAT), you must define nicknames for the IP addresses you intend to use.">Create NAT rules</a></div>
<div class="nextlink"><strong>Next topic:</strong> <a href="rzajbrzajb82filterinterfacessd.htm" title="Define filter interfaces to establish the filter rules that you want the system to apply to each interface.">Define IP filter interfaces</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzajbrzajb4natsd.htm" title="Network address translation (NAT) allows you to access the Internet safely without having to change your private network IP addresses.">Network address translation (NAT)</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="rzajbrzajbttrouble.htm" title="This topic provides troubleshooting advice for some common packet rules problems.">Troubleshoot packet rules</a></div>
</div>
</div>
</body>
</html>
Add readme and dist folders 2024-04-02 14:02:31 +00:00			`<?xml version="1.0" encoding="UTF-8"?>`
			`<!DOCTYPE html`
			`PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">`
			`<html lang="en-us" xml:lang="en-us">`
			`<head>`
			`<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />`
			`<meta name="security" content="public" />`
			`<meta name="Robots" content="index,follow" />`
			`<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />`
			`<meta name="DC.Type" content="reference" />`
			`<meta name="DC.Title" content="Create IP filter rules" />`
			`<meta name="abstract" content="When you create a filter, you specify a rule that governs the IP traffic flow in and out of your system." />`
			`<meta name="description" content="When you create a filter, you specify a rule that governs the IP traffic flow in and out of your system." />`
			`<meta name="DC.Relation" scheme="URI" content="rzajbrzajbx1creatingnewrulessd.htm" />`
			`<meta name="DC.Relation" scheme="URI" content="rzajbrzajb8bcreatingnatrulessd.htm" />`
			`<meta name="DC.Relation" scheme="URI" content="rzajbrzajb82filterinterfacessd.htm" />`
			`<meta name="DC.Relation" scheme="URI" content="rzajbrzajb4natsd.htm" />`
			`<meta name="DC.Relation" scheme="URI" content="rzajbrzajbttrouble.htm" />`
			`<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />`
			`<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />`
			`<meta name="DC.Format" content="XHTML" />`
			`<meta name="DC.Identifier" content="rzajb8a0-creating_sd" />`
			`<meta name="DC.Language" content="en-us" />`
			`<!-- All rights reserved. Licensed Materials Property of IBM -->`
			`<!-- US Government Users Restricted Rights -->`
			`<!-- Use, duplication or disclosure restricted by -->`
			`<!-- GSA ADP Schedule Contract with IBM Corp. -->`
			`<link rel="stylesheet" type="text/css" href="./ibmdita.css" />`
			`<link rel="stylesheet" type="text/css" href="./ic.css" />`
			`<title>Create IP filter rules</title>`
			`</head>`
			`<body id="rzajb8a0-creating_sd"><a name="rzajb8a0-creating_sd"><!-- --></a>`
			`<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>`
			`<h1 class="topictitle1">Create IP filter rules</h1>`
			`<div><p>When you create a filter, you specify a rule that governs the IP`
			`traffic flow in and out of your system.</p>`
			`<div class="section"><div class="p">The rules you define specify whether the system should permit`
			`or deny packets that attempt to access your system. The system directs IP`
			`packets based on the type of information in the IP packet headers. It also`
			`directs the IP packet to the action that you have specified the system to`
			`apply. The system discards any packets that do not match a specific rule.`
			`This automatic discard rule is called the <em>default deny rule</em>. Located`
			`at the end of the file, the default deny rule is automatically activated any`
			`time a packet does not match the criteria in any of the preceding rules. You`
			`must have at least one filter rule activated for the default deny rule to`
			`be active. <div class="important"><span class="importanttitle">Important:</span> When you apply rules to an interface through`
			`which you are configuring the iSeries™ server, it is very important`
			`that you permit your own workstation or that of anyone else who might be configuring`
			`the iSeries server.`
			`Failure to do so will result in a loss of communication with the iSeries server.`
			`If this happens, you will need to log on to the iSeries server using an interface that`
			`still has connectivity, such as the operators console. Use the RMVTCPTBL command`
			`to remove all filters on the system.</div>`
			`</div>`
			`</div>`
			`<div class="section"><p>Before you create your filter rules, you should determine whether`
			`you need to use network address translation (NAT). If you use NAT rules,`
			`you <em>must</em> define addresses and services. NAT is the only function that`
			`requires a defined address, but you can use it for other functions as well.`
			`If you define addresses and services, you can reduce the number of rules that`
			`you must create as well as minimizing the possibility of typographical errors.</p>`
			`</div>`
			`<div class="section"><div class="p">Here are some other ways you can use to minimize error and maximize`
			`efficiency when creating filter rules: <ul><li>Define one filter rule at a time. For example, create all the permits`
			`for Telnet at the same time. This way you can group associate the rules whenever`
			`you refer to them.</li>`
			`<li>Filter rules are processed in the order that they appear in the file.`
			`Be sure to order the rules the way you intend them to be applied when you`
			`create them. If the order is incorrect, your system is vulnerable to attack`
			`because the packets will not be processed as you intend them to be. To make`
			`things easier, consider the following optional actions: <ol><li>Place your filter set names in the FILTER_INTERFACE statement in the exact`
			`same order in which the sets are physically defined in the file.</li>`
			`<li>Place all filter rules in one set to avoid problems with set order.</li>`
			`</ol>`
			`</li>`
			`<li>Verify the syntax of each rule as you go along. This is easier and faster`
			`than debugging them all at once.</li>`
			`<li>Create set names for groups of files that are logically associated with`
			`each other. This is important because only one rule file can be active at`
			`a time. See the following example.</li>`
			`<li>Only write filter rules for the datagrams you want to permit. Everything`
			`else will be discarded by the automatic deny rule.</li>`
			`<li>Write rules for high traffic volume first.</li>`
			`</ul>`
			`</div>`
			`</div>`
			`<div class="section"><h4 class="sectiontitle">Example:</h4><p>Look at the <em>Create set names</em> tip`
			`above. You might want to allow Telnet access to a number of internal users,`
			`but not to all. To manage these rules easier, you can assign each of them`
			`the set name <samp class="codeph">TelnetOK</samp>. A second criteria can allow Telnet`
			`through a specific interface and block Telnet traffic from all others. In`
			`this case, you need to create a second set of rules that block Telnet access`
			`entirely. You can assign these rules the set name <samp class="codeph">TelnetNever</samp>.`
			`By creating set names, you make it easier to distinguish the purpose of the`
			`rule. It is also easier to determine which interfaces you intend to apply`
			`to particular sets. Use all of the tips above to ease the process of creating`
			`filters.</p>`
			`</div>`
			`<div class="section"><p>For instructions on how to create IP filter rules, use the Packet`
			`Rules Editor online help.</p>`
			`</div>`
			`<div class="section"><h4 class="sectiontitle">Next topic</h4><p>After you create your filters, you might`
			`want to <a href="rzajbrzajb88includessd.htm">Include files in packet rules</a> in the filter statement.`
			`If not, the next step is to <a href="rzajbrzajb82filterinterfacessd.htm">Define IP filter interfaces</a> to`
			`which the rules apply.</p>`
			`</div>`
			`</div>`
			`<div>`
			`<div class="familylinks">`
			`<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajbrzajbx1creatingnewrulessd.htm" title="Read the checklist that contains an overview of the tasks you must complete to ensure that your rules work properly when activated.">Configure packet rules</a></div>`
			`<div class="previouslink"><strong>Previous topic:</strong> <a href="rzajbrzajb8bcreatingnatrulessd.htm" title="To use network address translation (NAT), you must define nicknames for the IP addresses you intend to use.">Create NAT rules</a></div>`
			`<div class="nextlink"><strong>Next topic:</strong> <a href="rzajbrzajb82filterinterfacessd.htm" title="Define filter interfaces to establish the filter rules that you want the system to apply to each interface.">Define IP filter interfaces</a></div>`
			`</div>`
			`<div class="relconcepts"><strong>Related concepts</strong><br />`
			`<div><a href="rzajbrzajb4natsd.htm" title="Network address translation (NAT) allows you to access the Internet safely without having to change your private network IP addresses.">Network address translation (NAT)</a></div>`
			`</div>`
			`<div class="relref"><strong>Related reference</strong><br />`
			`<div><a href="rzajbrzajbttrouble.htm" title="This topic provides troubleshooting advice for some common packet rules problems.">Troubleshoot packet rules</a></div>`
			`</div>`
			`</div>`
			`</body>`
			`</html>`