122 lines
8.2 KiB
HTML
122 lines
8.2 KiB
HTML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE html
|
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html lang="en-us" xml:lang="en-us">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
|
<meta name="security" content="public" />
|
|
<meta name="Robots" content="index,follow" />
|
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
|
<meta name="DC.Type" content="reference" />
|
|
<meta name="DC.Title" content="Create IP filter rules" />
|
|
<meta name="abstract" content="When you create a filter, you specify a rule that governs the IP traffic flow in and out of your system." />
|
|
<meta name="description" content="When you create a filter, you specify a rule that governs the IP traffic flow in and out of your system." />
|
|
<meta name="DC.Relation" scheme="URI" content="rzajbrzajbx1creatingnewrulessd.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzajbrzajb8bcreatingnatrulessd.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzajbrzajb82filterinterfacessd.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzajbrzajb4natsd.htm" />
|
|
<meta name="DC.Relation" scheme="URI" content="rzajbrzajbttrouble.htm" />
|
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
|
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
|
|
<meta name="DC.Format" content="XHTML" />
|
|
<meta name="DC.Identifier" content="rzajb8a0-creating_sd" />
|
|
<meta name="DC.Language" content="en-us" />
|
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
|
<!-- US Government Users Restricted Rights -->
|
|
<!-- Use, duplication or disclosure restricted by -->
|
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
|
<title>Create IP filter rules</title>
|
|
</head>
|
|
<body id="rzajb8a0-creating_sd"><a name="rzajb8a0-creating_sd"><!-- --></a>
|
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
|
<h1 class="topictitle1">Create IP filter rules</h1>
|
|
<div><p>When you create a filter, you specify a rule that governs the IP
|
|
traffic flow in and out of your system.</p>
|
|
<div class="section"><div class="p">The rules you define specify whether the system should permit
|
|
or deny packets that attempt to access your system. The system directs IP
|
|
packets based on the type of information in the IP packet headers. It also
|
|
directs the IP packet to the action that you have specified the system to
|
|
apply. The system discards any packets that do not match a specific rule.
|
|
This automatic discard rule is called the <em>default deny rule</em>. Located
|
|
at the end of the file, the default deny rule is automatically activated any
|
|
time a packet does not match the criteria in any of the preceding rules. You
|
|
must have at least one filter rule activated for the default deny rule to
|
|
be active. <div class="important"><span class="importanttitle">Important:</span> When you apply rules to an interface through
|
|
which you are configuring the iSeries™ server, it is very important
|
|
that you permit your own workstation or that of anyone else who might be configuring
|
|
the iSeries server.
|
|
Failure to do so will result in a loss of communication with the iSeries server.
|
|
If this happens, you will need to log on to the iSeries server using an interface that
|
|
still has connectivity, such as the operators console. Use the RMVTCPTBL command
|
|
to remove all filters on the system.</div>
|
|
</div>
|
|
</div>
|
|
<div class="section"><p>Before you create your filter rules, you should determine whether
|
|
you need to use network address translation (NAT). If you use NAT rules,
|
|
you <em>must</em> define addresses and services. NAT is the only function that
|
|
requires a defined address, but you can use it for other functions as well.
|
|
If you define addresses and services, you can reduce the number of rules that
|
|
you must create as well as minimizing the possibility of typographical errors.</p>
|
|
</div>
|
|
<div class="section"><div class="p">Here are some other ways you can use to minimize error and maximize
|
|
efficiency when creating filter rules: <ul><li>Define one filter rule at a time. For example, create all the permits
|
|
for Telnet at the same time. This way you can group associate the rules whenever
|
|
you refer to them.</li>
|
|
<li>Filter rules are processed in the order that they appear in the file.
|
|
Be sure to order the rules the way you intend them to be applied when you
|
|
create them. If the order is incorrect, your system is vulnerable to attack
|
|
because the packets will not be processed as you intend them to be. To make
|
|
things easier, consider the following optional actions: <ol><li>Place your filter set names in the FILTER_INTERFACE statement in the exact
|
|
same order in which the sets are physically defined in the file.</li>
|
|
<li>Place all filter rules in one set to avoid problems with set order.</li>
|
|
</ol>
|
|
</li>
|
|
<li>Verify the syntax of each rule as you go along. This is easier and faster
|
|
than debugging them all at once.</li>
|
|
<li>Create set names for groups of files that are logically associated with
|
|
each other. This is important because only one rule file can be active at
|
|
a time. See the following example.</li>
|
|
<li>Only write filter rules for the datagrams you want to permit. Everything
|
|
else will be discarded by the automatic deny rule.</li>
|
|
<li>Write rules for high traffic volume first.</li>
|
|
</ul>
|
|
</div>
|
|
</div>
|
|
<div class="section"><h4 class="sectiontitle">Example:</h4><p>Look at the <em>Create set names</em> tip
|
|
above. You might want to allow Telnet access to a number of internal users,
|
|
but not to all. To manage these rules easier, you can assign each of them
|
|
the set name <samp class="codeph">TelnetOK</samp>. A second criteria can allow Telnet
|
|
through a specific interface and block Telnet traffic from all others. In
|
|
this case, you need to create a second set of rules that block Telnet access
|
|
entirely. You can assign these rules the set name <samp class="codeph">TelnetNever</samp>.
|
|
By creating set names, you make it easier to distinguish the purpose of the
|
|
rule. It is also easier to determine which interfaces you intend to apply
|
|
to particular sets. Use all of the tips above to ease the process of creating
|
|
filters.</p>
|
|
</div>
|
|
<div class="section"><p>For instructions on how to create IP filter rules, use the Packet
|
|
Rules Editor online help.</p>
|
|
</div>
|
|
<div class="section"><h4 class="sectiontitle">Next topic</h4><p>After you create your filters, you might
|
|
want to <a href="rzajbrzajb88includessd.htm">Include files in packet rules</a> in the filter statement.
|
|
If not, the next step is to <a href="rzajbrzajb82filterinterfacessd.htm">Define IP filter interfaces</a> to
|
|
which the rules apply.</p>
|
|
</div>
|
|
</div>
|
|
<div>
|
|
<div class="familylinks">
|
|
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajbrzajbx1creatingnewrulessd.htm" title="Read the checklist that contains an overview of the tasks you must complete to ensure that your rules work properly when activated.">Configure packet rules</a></div>
|
|
<div class="previouslink"><strong>Previous topic:</strong> <a href="rzajbrzajb8bcreatingnatrulessd.htm" title="To use network address translation (NAT), you must define nicknames for the IP addresses you intend to use.">Create NAT rules</a></div>
|
|
<div class="nextlink"><strong>Next topic:</strong> <a href="rzajbrzajb82filterinterfacessd.htm" title="Define filter interfaces to establish the filter rules that you want the system to apply to each interface.">Define IP filter interfaces</a></div>
|
|
</div>
|
|
<div class="relconcepts"><strong>Related concepts</strong><br />
|
|
<div><a href="rzajbrzajb4natsd.htm" title="Network address translation (NAT) allows you to access the Internet safely without having to change your private network IP addresses.">Network address translation (NAT)</a></div>
|
|
</div>
|
|
<div class="relref"><strong>Related reference</strong><br />
|
|
<div><a href="rzajbrzajbttrouble.htm" title="This topic provides troubleshooting advice for some common packet rules problems.">Troubleshoot packet rules</a></div>
|
|
</div>
|
|
</div>
|
|
</body>
|
|
</html> |