This topic provides troubleshooting advice for some common packet
rules problems.
- The iSeries™ communications trace capability lets you see all datagram
traffic on a specified interface. Use the Start Communications Trace
(STRCMNTRC) and Print Communications Trace (PRTCMNTRC) commands to collect
and print the information.
- NAT and IP filtering rule order determines how your rules are processed.
They are processed in the order which they appear in the file. If the order
is not correct, the packets will not be processed as you intend. This will
leave your system vulnerable to attack. Place your filter set names in the
FILTER_INTERFACE statement in the exact same order in which the sets are physically
defined in the file.
See the Create
IP filter rules topic for more information about writing syntactically
correct filter rules. Remember the process shown in the following table.
Inbound traffic process | Outbound traffic process
1. NAT rules            | 1. IP filter rules
2. IP filter rules      | 2. NAT rules
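The ordering rule above (filter set names in FILTER_INTERFACE must follow the order in which the sets are defined in the file) is easy to get wrong by hand, so the following added check script, written for this page and not part of IBM's packet rules tooling, reads a rules file and reports sets that are referenced but never defined, or referenced in a different order than they are defined. The sample rules file is constructed for illustration; the statement layout it assumes (FILTER SET name ..., FILTER_INTERFACE LINE name SET a, b) is an assumption and should be adjusted to match your own file.

```python
import re
import sys

# Constructed sample rules file (assumed statement layout; not a real configuration).
# The FILTER_INTERFACE list is deliberately out of order: mgmt is listed before
# deny_all but defined after it, so its rules would not be applied as intended.
SAMPLE_RULES = """\
# constructed example
FILTER SET web ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * DSTADDR = 10.1.1.5 PROTOCOL = TCP DSTPORT = 80 SRCPORT = *
FILTER SET deny_all ACTION = DENY DIRECTION = INBOUND SRCADDR = * DSTADDR = * PROTOCOL = * DSTPORT = * SRCPORT = *
FILTER SET mgmt ACTION = PERMIT DIRECTION = INBOUND SRCADDR = 10.1.1.0/24 DSTADDR = * PROTOCOL = TCP DSTPORT = 23 SRCPORT = *
FILTER_INTERFACE LINE ETHLINE SET web, mgmt, deny_all
"""

# "FILTER SET <name> ..." defines a set; first occurrence fixes its position in the file.
FILTER_SET_RE = re.compile(r"^\s*FILTER\s+SET\s+(\S+)", re.IGNORECASE)
# "FILTER_INTERFACE <kind> <name> SET <comma separated set names>" (assumed layout).
FILTER_IFACE_RE = re.compile(r"^\s*FILTER_INTERFACE\s+\S+\s+(\S+)\s+SET\s+(.+?)\s*$", re.IGNORECASE)


def definition_order(text):
    """Return filter set names in the order their FILTER SET statements first appear."""
    order = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment line
        m = FILTER_SET_RE.match(line)
        if m and m.group(1) not in order:
            order.append(m.group(1))
    return order


def interface_sets(text):
    """Return (interface name, [set names]) for each FILTER_INTERFACE statement."""
    result = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = FILTER_IFACE_RE.match(line)
        if m:
            names = [n.strip() for n in m.group(2).split(",") if n.strip()]
            result.append((m.group(1), names))
    return result


def check_order(text):
    """Report sets that are undefined, or listed in FILTER_INTERFACE in a
    different order than they are defined in the file."""
    defined = definition_order(text)
    problems = []
    for iface, names in interface_sets(text):
        for name in names:
            if name not in defined:
                problems.append(f"{iface}: set '{name}' is referenced but never defined")
        # Compare only the sets we know; their file positions must be increasing.
        known = [n for n in names if n in defined]
        for earlier, later in zip(known, known[1:]):
            if defined.index(earlier) > defined.index(later):
                problems.append(
                    f"{iface}: set '{earlier}' is listed before '{later}' in "
                    f"FILTER_INTERFACE but defined after it in the file"
                )
    return problems


if __name__ == "__main__":
    # Check a real file if one is given on the command line, otherwise the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for problem in check_order(text) or ["no ordering problems found"]:
        print(problem)
```

Run it against your own rules file before you verify and activate it; an empty result means every set named in a FILTER_INTERFACE statement exists and appears in file order.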
- Removing all rules is the best way to reset your system and clear
out errors. On the iSeries, issue the following command: RMVTCPTBL
(Remove TCP/IP Table). If you lock yourself out of the iSeries Navigator
application, you can also use this command to go back and repair any rules.
Note: The Remove TCP/IP Table command also starts the
VPN servers, but only if the VPN servers (IKE and ConMgr) were running before.
- Allowing IP datagram forwarding in your TCP/IP configuration on
the iSeries server
is essential if you are using NAT. Use the Change TCP/IP Attributes
(CHGTCPA) command to verify that IP datagram forwarding is set to
YES.
- Verifying default return routes ensures that the address that you
map to or hide behind is correct. This address must be routable on the return
route back to the iSeries server and pass through the correct line
to be untranslated by NAT.
Note: If your iSeries server has more than one network,
or line, connected to it, you should be especially careful about routing inbound
traffic. Inbound traffic is handled on any line that it enters on, which might
not be the correct line waiting to untranslate it.
- Viewing error and warning messages in the EXPANDED.OUT file lets you
confirm that the rules are ordered as you intend. When you verify and activate
a set of filters, these filters are merged with any iSeries Navigator-generated rules. The
combination produces the merged rules in a new file called EXPANDED.OUT,
which is placed in the same directory that contains your rules (typically
/QIBM). Warning and error messages refer to this file. To view this file,
complete the following steps to open it from the Packet Rules Editor.
- Access the Packet Rules Editor in iSeries Navigator.
- From the File menu, select Open.
- Go to the directory QIBM/UserData/OS400/TCPIP/PacketRules/, or
to the directory where you saved your packet rules if it differs from
the default.
- From the Open file window, select EXPANDED.OUT
file. The EXPANDED.OUT file should appear.
- Select this file and click Open.
The EXPANDED.OUT file is for your information only. You cannot edit
it.