Sample filter statements

The purpose of this sample filter statement is to demonstrate the proper syntax for creating filter rules on your iSeries™ server and to show you how the various statements work together in a file.

Use them as examples only.

A common filter statement might look like this:

FILTER SET TestFilter ACTION = PERMIT DIRECTION = INBOUND SRCADDR = 162.56.39.100 DSTADDR = * PROTOCOL = * DSTPORT >= 1024 SRCPORT = 80

This filter will permit all traffic entering the interface (INBOUND) that has a source address of 162.56.39.100, a source port of 80, and destination port greater or equal to 1024.

Because IP traffic typically flows both INBOUND and OUTBOUND over a connection, it is common to have two related statements to permit traffic in both directions. These two statements are called mirrors of each other and can be seen in the example that follows:

FILTER SET TestFilter ACTION = PERMIT DIRECTION = INBOUND SRCADDR = 162.56.39.100 DSTADDR = * PROTOCOL = * DSTPORT >= 1024 SRCPORT = 80 FILTER SET TestFilter ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR = * DSTADDR = 162.56.39.100 PROTOCOL = * DSTPORT = 80 SRCPORT >= 1024

You might notice that both of these filter statements have the same set name, TestFilter. All filters with the same set name are considered to be in the same set. You can have any number of filters in a set. When you activate filters within a given set, they are processed in the order in which they appear in the file.

A filter statement alone will not have any effect when you activate rules. You must apply the filter set to a filter interface. An example of applying the set, TestFilter, to an Ethernet line interface is as follows:

FILTER_INTERFACE LINE = ETH237 SET = TestFilter

After you activate these rules, only IP traffic permitted by the TestFilter set will be permitted over ETH237.

Note: The system adds a default DENY ALL TRAFFIC rule to the end of any activated filters on an interface. So, when you apply rules to the interface through which you are configuring the iSeries server , it is very important that you permit your own workstation or that of anyone else who might be configuring the iSeries server. Failure to do so will result in a loss of communication with the iSeries server.

You can also apply multiple sets to a filter interface statement such as in the following example:

FILTER_INTERFACE LINE = ETH237 SET = set1, set2, set3

These sets will be processed in the same order as you list them in the filter interface statement (set1, set2, and finally, set3). The filters within each set are processed in the order in which they appear in the file. This means that the ordering of filters between different sets is irrelevant. Filter order only matters when filters are in the same set.