friedkiwi/ibm-information-center
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
14ed2849c6
ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzatj_5.4.0.1/packetff.htm

135 lines
6.8 KiB
HTML
Raw Blame History

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="dc.language" scheme="rfc1766" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<meta name="dc.date" scheme="iso8601" content="2005-09-06" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2004, 2006" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow"/>
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<title>IP Packet Filter Firewall</title>
<link rel="stylesheet" type="text/css" href="ibmidwb.css" />
<link rel="stylesheet" type="text/css" href="ic.css" />
</head>
<body>
<a id="Top_Of_Page" name="Top_Of_Page"></a><!-- Java sync-link -->
<script language = "Javascript" src = "../rzahg/synch.js" type="text/javascript"></script>
<a name="packetff"></a>
<h3 id="packetff">IP Packet Filter Firewall</h3>
<p>An IP packet filter firewall allows you to create a set of rules that either
discard or accept traffic over a network connection. The firewall itself does
not affect this traffic in any way. Because a packet filter can only discard
traffic that is sent to it, the device with the packet filter must either
perform IP routing or be the destination for the traffic.</p>
<p>A packet filter has a set of rules with accept or deny actions. When the
packet filter receives a packet of information, the filter compares the packet
to your pre-configured rule set. At the first match, the packet filter either
accepts or denies the packet of information. Most packet filters have an implicit
deny all rule at the bottom of the rules file.</p>
<p>Packet filters usually permit or deny network traffic based on:</p>
<ul>
<li>Source and destination IP addresses</li>
<li>Protocol, such as TCP, UDP, or ICMP</li>
<li>Source and destination ports and ICMP types and codes</li>
<li>Flags in the TCP header, such as whether the packet is a connect request</li>
<li>Direction (inbound or outbound)</li>
<li>Which physical interface the packet is traversing</li></ul>
<p>All packet filters have a common problem: the trust is based on IP addresses.
Although this security type is not sufficient for an entire network, this
type of security is acceptable on a component level.</p>
<p>Most IP packet filters are stateless, which means they do not remember
anything about the packets they previously process. A packet filter with state
can keep some information about previous traffic, which gives you the ability
to configure that only replies to requests from the internal network are allowed
from the Internet. Stateless packet filters are vulnerable to spoofing since
the source IP address and ACK bit in the packet's header can be easily forged
by attackers.</p>
<p>i5/OS&trade; lets you specify packet filter rules on interfaces
and remote access service profiles. See the following topics for more details: <a href="../rzajb/rzajbrzajb8a0creatingsd.htm">Create IP filter rules</a> and <a href="../rzaiy/rzaiygetstart.htm">Remote Access Services: PPP connections</a>. If you are using either an external
packet filter firewall or packet filter rules on the i5/OS and your Universal Connection data
passes through these filters, you must change the filter rules to allow the
connection to the IBM&reg; VPN Gateway as follows:</p>
<a name="wq3"></a>
<table id="wq3" width="100%" summary="" border="1" frame="border" rules="all">
<thead valign="bottom">
<tr>
<th id="wq4" width="39%" align="left" valign="top">IP filter rules</th>
<th id="wq5" width="60%" align="left" valign="top">IP filter values</th>
</tr>
</thead>
<tbody valign="top">
<tr>
<td headers="wq4">UDP inbound traffic filter rule</td>
<td headers="wq5">Allow port 4500 for VPN gateway addresses</td>
</tr>
<tr>
<td headers="wq4">UDP inbound traffic filter rule</td>
<td headers="wq5">Allow port 500 for VPN gateway addresses</td>
</tr>
<tr>
<td headers="wq4">UDP outbound traffic filter rule</td>
<td headers="wq5">Allow port 4500 for VPN gateway IP addresses</td>
</tr>
<tr>
<td headers="wq4">UDP outbound traffic filter rule</td>
<td headers="wq5">Allow port 500 for VPN gateway IP addresses</td>
</tr>
<tr>
<td headers="wq4">ESP inbound traffic filter rule</td>
<td headers="wq5">Allow ESP protocol (X'32') for VPN gateway IP addresses</td>
</tr>
<tr>
<td headers="wq4">ESP outbound traffic filter rule</td>
<td headers="wq5">Allow ESP protocol (X'32') for VPN gateway IP addresses</td>
</tr>
</tbody>
</table>
<p>For those Universal Connection applications that use HTTP
and HTTPs for a transport, you must change the filter rules to allow connections
to the IBM service destinations as follows:</p>
<a name="wq6"></a>
<table id="wq6" width="100%" summary="" border="1" frame="border" rules="all">
<thead valign="bottom">
<tr>
<th id="wq7" width="39%" align="left" valign="top">IP filter rules</th>
<th id="wq8" width="60%" align="left" valign="top">IP filter values</th>
</tr>
</thead>
<tbody valign="top">
<tr>
<td headers="wq7">TCP inbound traffic filter rule</td>
<td headers="wq8">Allow port 80 for all service destination addresses</td>
</tr>
<tr>
<td headers="wq7">TCP inbound traffic filter rule</td>
<td headers="wq8">Allow port 443 for all service destination addresses</td>
</tr>
<tr>
<td headers="wq7">TCP outbound traffic filter rule</td>
<td headers="wq8">Allow port 80 for all service destination addresses</td>
</tr>
<tr>
<td headers="wq7">TCP outbound traffic filter rule</td>
<td headers="wq8">Allow port 443 for all service destination addresses</td>
</tr>
</tbody>
</table>
<p>Part of changing the filter rules involves specifying an actual IBM VPN Gateway
address. You can determine these addresses as described in <a href="detvpnaddy.htm#detvpnaddy">Determine the IBM VPN Gateway addresses</a>.</p>
<p>In addition, for HTTP and HTTPs traffic, part of changing the
filter rules may involve specifying actual service destination addresses.
You can determine these addresses as described in <a href="detsdaddy.htm#detsdaddy">Determine the IBM Service Destination addresses</a>.</p>
<p>For more information, see the <a href="../rzajb/rzajbrzajb1whatis.htm">Packet rules concepts</a> topic.</p>
<a id="Bot_Of_Page" name="Bot_Of_Page"></a>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink