<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="reference" />
<meta name="DC.Title" content="Troubleshoot packet rules" />
<meta name="abstract" content="This topic provides troubleshooting advice for some common packet rules problems." />
<meta name="description" content="This topic provides troubleshooting advice for some common packet rules problems." />
<meta name="DC.Relation" scheme="URI" content="rzajbrzajb0ippacketsecuritysd.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajbrzajb0dexample2.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajbrzajb8accessingsd.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajbrzajb8a0creatingsd.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzajbt-trouble" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Troubleshoot packet rules</title>
</head>
<body id="rzajbt-trouble"><a name="rzajbt-trouble"><!-- --></a>
<h1 class="topictitle1">Troubleshoot packet rules</h1>
<div><p>This topic provides troubleshooting advice for some common packet
rules problems.</p>
<div class="section"><ul><li><strong>iSeries™ communications
trace</strong> capability allows you to see all datagram traffic for a specified
interface. Use the <span class="cmdname">Start Communications Trace (STRCMNTRC)</span> and <span class="cmdname">Print
Communications Trace (PRTCMNTRC)</span> commands to collect and print the
information. </li>
<li><strong>NAT and IP filtering rule order</strong> determines how your rules are processed.
Rules are processed in the order in which they appear in the file. If the order
is not correct, packets will not be processed as you intend, which can
leave your system vulnerable to attack. Place your filter set names in the
FILTER_INTERFACE statement in exactly the same order in which the sets are
defined in the file. <p>See the <a href="rzajbrzajb8a0creatingsd.htm#rzajb8a0-creating_sd">Create
IP filter rules</a> topic for more information about writing syntactically
correct filter rules. Remember the processing order shown in the following table.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="border" border="1" rules="all"><thead align="left"><tr><th align="left" valign="top" width="50%" id="d0e47">Inbound traffic process</th>
<th align="left" valign="top" width="50%" id="d0e49">Outbound traffic process</th>
</tr>
</thead>
<tbody><tr><td align="left" valign="top" width="50%" headers="d0e47 ">1. NAT rules</td>
<td align="left" valign="top" width="50%" headers="d0e49 ">1. IP filter rules</td>
</tr>
<tr><td valign="top" width="50%" headers="d0e47 ">2. IP filter rules</td>
<td valign="top" width="50%" headers="d0e49 ">2. NAT rules</td>
</tr>
</tbody>
</table>
</div>
</li>
<li><strong>Removing all rules</strong> is the best way to reset your system and clear
out errors. On the iSeries, issue the <span class="cmdname">Remove TCP/IP Table
(RMVTCPTBL)</span> command. If you lock yourself out of the iSeries Navigator
application, you can also use this command to go back and repair any rules.
<div class="note"><span class="notetitle">Note:</span> The <span class="cmdname">Remove TCP/IP Table</span> command also starts the
VPN servers (IKE and ConMgr), but only if they were running before.</div>
</li>
<li><strong>Allowing IP datagram forwarding</strong> in your TCP/IP configuration on
the iSeries server
is essential if you are using NAT. Use the <span class="cmdname">Change TCP/IP Attributes
(CHGTCPA)</span> command to verify that IP datagram forwarding is set to
YES.</li>
<li><strong>Verifying default return routes</strong> ensures that the address that you
map to or hide behind is correct. This address must be routable on the return
route back to the iSeries server and pass through the correct line
to be untranslated by NAT. <div class="note"><span class="notetitle">Note:</span> If your iSeries server has more than one network,
or line, connected to it, be especially careful about routing inbound
traffic. Inbound traffic is handled on whichever line it enters, which might
not be the line that is waiting to untranslate it.</div>
</li>
<li><strong>Viewing error and warning messages</strong> in the <samp class="codeph">EXPANDED.OUT</samp> file
lets you ensure that the rules are ordered as you intend. When you verify and activate
a set of filters, these filters are merged with any iSeries Navigator-generated rules. The
combination produces the merged rules in a new file called <samp class="codeph">EXPANDED.OUT</samp>,
which is placed in the same directory that contains your rules (typically
/QIBM). Warning and error messages refer to this file. To view this file,
complete the following steps to open it from the Packet Rules Editor. <ol><li>Access the Packet Rules Editor in iSeries Navigator.</li>
<li>From the <span class="uicontrol">File</span> menu, select <span class="uicontrol">Open</span>.</li>
<li>Go to the directory <samp class="codeph">QIBM/UserData/OS400/TCPIP/PacketRules/</samp>, or
to the directory where you saved your packet rules if it is different
from the default.</li>
<li>From the <span class="uicontrol">Open file</span> window, select <span class="uicontrol">EXPANDED.OUT
file</span>. The <samp class="codeph">EXPANDED.OUT</samp> file should appear. </li>
<li>Select this file and click <span class="uicontrol">Open</span>.</li>
</ol>
<p>The EXPANDED.OUT file is for your information only. You cannot edit
it.</p>
</li>
</ul>
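<p>The two ordering pitfalls above (filter sets listed in the FILTER_INTERFACE statement out of definition order, and NAT running before inbound filtering but after outbound filtering) can be checked before a rules file is activated. The following Python script is an added example written for this page; it is not IBM code and is not part of the product. The rules file it parses is a constructed sample whose keyword syntax approximates the packet-rules format and should be treated as an assumption, as should the default-deny result it applies to packets that match no rule.</p>

```python
"""Added example (not IBM's code): checks a packet-rules file against the
ordering advice on this page. The rule keywords approximate the real
packet-rules syntax and are an assumption; the sample file, addresses and
packets are constructed for illustration."""
import re
from dataclasses import dataclass, replace

RULES = """\
# Constructed sample: static NAT hides an internal web server behind a public address.
MAP 10.1.1.5 TO 203.0.113.10 LINE = ETHLINE
FILTER SET web_in ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * DSTADDR = 10.1.1.5 PROTOCOL = TCP DSTPORT = 80 SRCPORT = * FRAGMENTS = NONE JRN = OFF
FILTER SET deny_all ACTION = DENY DIRECTION = * SRCADDR = * DSTADDR = * PROTOCOL = * DSTPORT = * SRCPORT = * FRAGMENTS = * JRN = FULL
FILTER SET web_out ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR = 10.1.1.5 DSTADDR = * PROTOCOL = TCP DSTPORT = * SRCPORT = 80 FRAGMENTS = NONE JRN = OFF
FILTER_INTERFACE LINE = ETHLINE SET = web_in, web_out, deny_all
"""

KV = re.compile(r"(\w+)\s*=\s*([^\s,]+)")  # KEY = VALUE tokens on a FILTER line


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def parse_rules(text):
    """Return (filters, iface_sets, nat): filters as (set_name, {KEY: VALUE})
    in file order, the FILTER_INTERFACE set list, and a private-to-public NAT map."""
    filters, iface_sets, nat = [], [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("FILTER SET"):
            m = re.match(r"FILTER SET (\w+)\s+(.*)", line)
            filters.append((m.group(1), dict(KV.findall(m.group(2)))))
        elif line.startswith("FILTER_INTERFACE"):
            iface_sets = [s.strip() for s in line.split("SET =", 1)[1].split(",")]
        elif line.startswith("MAP"):
            m = re.match(r"MAP (\S+) TO (\S+)", line)
            nat[m.group(1)] = m.group(2)
    return filters, iface_sets, nat


def definition_order(filters):
    """Filter set names in the order in which they are first defined in the file."""
    return list(dict.fromkeys(name for name, _ in filters))


def check_set_order(text):
    """Problems with the FILTER_INTERFACE set list (an empty list means consistent)."""
    filters, iface_sets, _ = parse_rules(text)
    defined = definition_order(filters)
    problems = [f"set {s} is referenced but never defined" for s in iface_sets if s not in defined]
    expected = [s for s in defined if s in iface_sets]
    listed = [s for s in iface_sets if s in defined]
    if listed != expected:
        problems.append(f"FILTER_INTERFACE lists {listed} but the file defines them as {expected}")
    return problems


def _matches(rule, pkt, direction):
    fields = {"DIRECTION": direction, "SRCADDR": pkt.src, "DSTADDR": pkt.dst,
              "PROTOCOL": pkt.proto, "SRCPORT": str(pkt.sport), "DSTPORT": str(pkt.dport)}
    return all(rule.get(k, "*") in ("*", v) for k, v in fields.items())


def filter_decision(filters, set_order, pkt, direction):
    """First matching rule wins, walking the sets in set_order.
    Assumption: a packet that matches no rule is denied."""
    for set_name in set_order:
        for name, rule in filters:
            if name == set_name and _matches(rule, pkt, direction):
                return rule["ACTION"]
    return "DENY"


def process_inbound(text, pkt, set_order=None):
    """Inbound order from the table: NAT first (public dst becomes private), then filters."""
    filters, iface_sets, nat = parse_rules(text)
    public_to_private = {pub: priv for priv, pub in nat.items()}
    pkt = replace(pkt, dst=public_to_private.get(pkt.dst, pkt.dst))
    return filter_decision(filters, set_order or iface_sets, pkt, "INBOUND"), pkt.dst


def process_outbound(text, pkt, set_order=None):
    """Outbound order from the table: filters first (on the private src), then NAT."""
    filters, iface_sets, nat = parse_rules(text)
    decision = filter_decision(filters, set_order or iface_sets, pkt, "OUTBOUND")
    return decision, nat.get(pkt.src, pkt.src)


if __name__ == "__main__":
    for p in check_set_order(RULES):
        print("WARNING:", p)
    request = Packet("198.51.100.7", "203.0.113.10", "TCP", 40000, 80)
    reply = Packet("10.1.1.5", "198.51.100.7", "TCP", 80, 40000)
    print("inbound request:", process_inbound(RULES, request))
    print("outbound reply :", process_outbound(RULES, reply))
    filters, _, _ = parse_rules(RULES)
    print("reply if sets run in file order:", process_outbound(RULES, reply, definition_order(filters)))
```

<p>Run against the sample, the checker warns that FILTER_INTERFACE lists the sets in a different order from the file. The simulation then shows why that matters: walked in the FILTER_INTERFACE order the web reply is permitted, but walked in the file's definition order <samp class="codeph">deny_all</samp> is reached before <samp class="codeph">web_out</samp> and the reply is dropped. It also shows that because inbound NAT runs before filtering, an inbound filter must name the private address, not the public one.</p>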
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajbrzajb0ippacketsecuritysd.htm" title="IP filtering and network address translation (NAT) act like a firewall to protect your internal network from intruders.">IP filtering and network address translation</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzajbrzajb0dexample2.htm" title="In this scenario, your company uses static network address translation (NAT) to map its private IP addresses to public addresses.">Scenario: Map IP addresses using NAT</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzajbrzajb8accessingsd.htm" title="Use the Packet Rules Editor to start creating packet rules on your system.">Access packet rules</a></div>
</div>
<div class="relref"><strong>Related reference</strong><br />
<div><a href="rzajbrzajb8a0creatingsd.htm" title="When you create a filter, you specify a rule that governs the IP traffic flow in and out of your system.">Create IP filter rules</a></div>
</div>
</div>
</body>
</html>