CS IP filtering: allowing/denying packets flowing through z/OS

To see all my blog posts on IP filtering see here.

For the Communications Server on z/OS, you can define:

  • Default rules in the TCPIP profile, to allow traffic.
  • Named rules using Policy agent. These can allow or deny access.
  • Dynamic (defensive) rules, which can be automated, for example by an external monitor using the Defense Manager daemon (DMD), to deny traffic. These are usually used in a problem situation, to deny traffic quickly.

Event messages are written by the TRMD (traffic regulation management daemon) task. The messages go to the syslogd daemon, which writes them to files in Unix.

Define default rules

The built-in default is to deny all access. You then specify rules that permit traffic.

You can define default rules in the TCPIP profile, or replace them using an OBEYFILE.

IPSEC LOGENable 
; Rule SourceIp DestIp Logging      Prot SrcPort   DestPort ...
  IPSECRULE 10.1.0.2 * LOG Protocol icmp Type 8 
  IPSECRULE * 10.1.0.2   LOG Protocol icmp 
ENDIPSEC 

This defines the default rules. They permit only

  • Ping requests (icmp type 8) from 10.1.0.2 to any address
  • Any icmp from any address to 10.1.0.2. Note the response to a ping is icmp type 0 (echo reply)

If you use OBEYFILE, the file contents replace any existing IPSEC default rules. So to add or remove an entry, edit the file and use OBEYFILE to activate it.

Display the rules using

ipsec -f display -p TCPIP -c profile

The event message written to syslogd looks like

EZD0814I Packet permitted: 11/18/2023 19:00:42.59 filter 
rule=SYSDEFAULTRULE.1 ext= 2 sipaddr= 10.1.0.2 dipaddr= 10.1.1.2 
proto= icmp(1) type= 8 code= 0 -= Interface= 10.1.1.2 (I) 
secclass= 255 dest= local len= 84 vpnaction= N/A tunnelID= 
N/A ifcname= ETH1 fragment= N 
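As an added example (not from the original post, and not IBM code), the following Python script joins syslogd lines that were wrapped, parses the key=value fields of these filter event messages, and summarises permitted and denied packets per rule, source and destination. The permitted record is the one shown above; the denied records, the EZD0815I message id and its wording, the rule name MyDenyRule~1 and the source address 10.1.0.9 are constructed assumptions for the sample.

```python
"""Summarise z/OS CS IP-filter event messages from syslogd (added example)."""
import re
from collections import Counter

# Constructed sample input. The first record is the page's own EZD0814I
# message, wrapped over several lines as it appears on the page. The three
# denied records are constructed: the EZD0815I id, its wording, the rule name
# MyDenyRule~1 and the source 10.1.0.9 are assumptions, not real output.
SAMPLE_SYSLOG = """\
EZD0814I Packet permitted: 11/18/2023 19:00:42.59 filter
rule=SYSDEFAULTRULE.1 ext= 2 sipaddr= 10.1.0.2 dipaddr= 10.1.1.2
proto= icmp(1) type= 8 code= 0 -= Interface= 10.1.1.2 (I)
secclass= 255 dest= local len= 84 vpnaction= N/A tunnelID=
N/A ifcname= ETH1 fragment= N
EZD0815I Packet denied by policy: 11/18/2023 19:00:43.01 filter rule=MyDenyRule~1 ext= 1 sipaddr= 10.1.0.9 dipaddr= 10.1.1.2 proto= tcp(6) sport= 50123 dport= 23 -= Interface= 10.1.1.2 (I) secclass= 255 dest= local len= 60 vpnaction= N/A tunnelID= N/A ifcname= ETH1 fragment= N
EZD0815I Packet denied by policy: 11/18/2023 19:00:43.05 filter rule=MyDenyRule~1 ext= 1 sipaddr= 10.1.0.9 dipaddr= 10.1.1.2 proto= tcp(6) sport= 50124 dport= 22 -= Interface= 10.1.1.2 (I) secclass= 255 dest= local len= 60 vpnaction= N/A tunnelID= N/A ifcname= ETH1 fragment= N
EZD0815I Packet denied by policy: 11/18/2023 19:00:43.09 filter rule=MyDenyRule~1 ext= 1 sipaddr= 10.1.0.9 dipaddr= 10.1.1.2 proto= tcp(6) sport= 50125 dport= 443 -= Interface= 10.1.1.2 (I) secclass= 255 dest= local len= 60 vpnaction= N/A tunnelID= N/A ifcname= ETH1 fragment= N
"""

# Message header: id, verdict text, timestamp, then the word "filter" and fields.
MSG_RE = re.compile(
    r"^(EZD\d{4}I) Packet (permitted|denied[^:]*):\s+(\S+ \S+) filter (.*)$"
)
# Fields are written as "key= value" (or "key=value" for rule); the odd "-="
# token in the message is skipped because "-" is not a word character.
FIELD_RE = re.compile(r"(\w+)=\s*(\S+)")


def join_wrapped(text):
    """Rejoin records that were wrapped: a line not starting with EZD continues
    the previous record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("EZD") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def parse_event(record):
    """Parse one joined record into a dict, or return None if it is not a
    filter event message."""
    m = MSG_RE.match(record)
    if not m:
        return None
    msgid, verdict, stamp, rest = m.groups()
    fields = dict(FIELD_RE.findall(rest))
    return {
        "msgid": msgid,
        "verdict": "permitted" if verdict == "permitted" else "denied",
        "time": stamp,
        **fields,
    }


def summarise(records):
    """Count events per (verdict, rule, source, destination, protocol)."""
    counts = Counter()
    for rec in records:
        ev = parse_event(rec)
        if ev is None:
            continue
        proto = ev.get("proto", "?").split("(")[0]  # "icmp(1)" -> "icmp"
        key = (ev["verdict"], ev.get("rule", "?"), ev.get("sipaddr", "?"),
               ev.get("dipaddr", "?"), proto)
        counts[key] += 1
    return counts


def noisy_sources(counts, threshold=3):
    """Source addresses with at least `threshold` denied packets; these are the
    ones worth a closer look before the log volume grows."""
    per_source = Counter()
    for (verdict, _rule, sip, _dip, _proto), n in counts.items():
        if verdict == "denied":
            per_source[sip] += n
    return {sip: n for sip, n in per_source.items() if n >= threshold}


if __name__ == "__main__":
    recs = join_wrapped(SAMPLE_SYSLOG)
    for key, n in sorted(summarise(recs).items()):
        print(n, *key)
    print("noisy sources:", noisy_sources(summarise(recs)))
```

The same approach applies to a real syslogd file: read it, pass the text to join_wrapped, and keep the per-rule counts rather than every line, which is the same idea as the summary records mentioned for defensive rules below.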

Using the policy agent

The Policy agent uses a different syntax from the IPSEC statements in the TCPIP profile. It can be used to allow and deny traffic (rather than only allow traffic). You can have common definitions, which may make the rules easier to manage. It reads the policy from a file and passes the policy to TCPIP.

Defensive rules

Defensive rules are created using the Unix command ipsec. The rules are used to deny (or simulate denying) traffic, and are typically used to restrict traffic in a problem situation. If you specify simulate, the traffic is not affected, but an event is written to syslogd.

If you use default rules or the policy agent, you have to change a file and redeploy it. A defensive rule is active as soon as you define it.

You can delete an individual defensive rule.

Rather than log every event, which might overwhelm your system, you can configure the rule to provide summary records.

You can configure the defensive rule so that it expires after a time period.
