<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Sample filter statements" />
<meta name="abstract" content="The purpose of this sample filter statement is to demonstrate the proper syntax for creating filter rules on your iSeries server and to show you how the various statements work together in a file." />
<meta name="description" content="The purpose of this sample filter statement is to demonstrate the proper syntax for creating filter rules on your iSeries server and to show you how the various statements work together in a file." />
<meta name="DC.Relation" scheme="URI" content="rzajbrzajb1afilter.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rules_syntax" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Sample filter statements</title>
</head>
<body id="rules_syntax"><a name="rules_syntax"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Sample filter statements</h1>
<div><p>The purpose of this sample filter statement is to demonstrate the
proper syntax for creating filter rules on your iSeries™ server and to show you how the
various statements work together in a file.</p>
<p>Use these statements as examples only.</p>
<p>A common filter statement might look like this: </p>
<p><samp class="codeph">FILTER SET TestFilter ACTION = PERMIT DIRECTION = INBOUND
SRCADDR = 162.56.39.100 DSTADDR = * PROTOCOL = * DSTPORT &gt;= 1024
SRCPORT = 80 </samp> </p>
<p>This filter permits all traffic entering the interface (INBOUND) that
has a source address of 162.56.39.100, a source port of 80, and a destination
port greater than or equal to 1024. </p>
<p>Because IP traffic typically flows both INBOUND and OUTBOUND over a connection,
it is common to have two related statements to permit traffic in both directions.
These two statements are called mirrors of each other and can be seen in the
example that follows: </p>
<p><samp class="codeph">FILTER SET TestFilter ACTION = PERMIT DIRECTION = INBOUND
SRCADDR = 162.56.39.100 DSTADDR = * PROTOCOL = * DSTPORT &gt;= 1024
SRCPORT = 80<br />
FILTER SET TestFilter ACTION = PERMIT DIRECTION = OUTBOUND
SRCADDR = * DSTADDR = 162.56.39.100 PROTOCOL = * DSTPORT = 80 SRCPORT
&gt;= 1024</samp></p>
<p>You might notice that both of these filter statements have the same set
name, TestFilter. All filters with the same set name are considered to be
in the same set. You can have any number of filters in a set. When you activate
filters within a given set, they are processed in the order in which they
appear in the file. </p>
<p>A filter statement alone will not have any effect when you activate rules.
You must apply the filter set to a filter interface. An example of applying
the set, TestFilter, to an Ethernet line interface is as follows: </p>
<p><samp class="codeph">FILTER_INTERFACE LINE = ETH237 SET = TestFilter </samp></p>
<div class="p">After you activate these rules, only IP traffic permitted by the TestFilter
set will be permitted over ETH237. <div class="note"><span class="notetitle">Note:</span> The system adds a default DENY ALL
TRAFFIC rule to the end of any activated filters on an interface. So, when
you apply rules to the interface through which you are configuring the iSeries server,
it is very important that you permit your own workstation and that of anyone
else who might be configuring the iSeries server. Failure to do so will
result in a loss of communication with the iSeries server.</div>
You can also apply
multiple sets in one filter interface statement, as in the following example:</div>
<p><samp class="codeph"> FILTER_INTERFACE LINE = ETH237 SET = set1, set2, set3</samp> </p>
<p>These sets are processed in the same order as you list them in the
filter interface statement (set1, set2, and finally, set3). The filters within
each set are processed in the order in which they appear in the file. This
means that the order in which filters from different sets appear relative to
each other in the file is irrelevant. Filter order only matters when filters
are in the same set. </p>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajbrzajb1afilter.htm" title="Though not a fully functional firewall in itself, packet rules provide a solid component that can filter packets for your iSeries server.">IP filtering</a></div>
</div>
</div>
</body>
</html>