CS IP filtering: how to find which rules have been used.

To see all my blog posts on IP filtering see here.

With IP filtering you define rules that permit or deny traffic flowing into or out of the TCP/IP stack. The rules are defined through the Policy Agent, and you can display information about the active rules, including how often each one has matched, using the z/OS UNIX ipsec command with the -f (IP filter) option.

For example the command

ipsec -f display -c current > a

writes the current filter rules to the file a. The report contains a block like the following for each rule:

FilterName: icmpinspecific2
Type: Generic
Action: Permit
Direction: Inbound
Logging: All
Protocol: ICMP(1)
ICMPType: 8
SourceAddress: 10.1.0.2
DestAddress: 0.0.0.0
DestAddressPrefix: 0
DiscardAction: Silent
FilterMatches: 1

The FilterMatches field shows that this rule has matched once since its counter was last reset.

You lose history

If you refresh the Policy Agent (or restart the TCP/IP stack), the counters may be reset and any statistics lost. You should consider extracting the data periodically (for example every half hour), processing it, and saving the results for later analysis. Plotting which rules were matched by day and by time of day gives you insight into the traffic and provides a baseline for when you are investigating incidents. Note that a rule with Logging: All, as in the example above, also has each match written to syslogd by TRMD, so the syslog is a durable per-packet record even when the counters have been reset.
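The extract-and-compare step described above, as an added example (not the page's own tooling and not part of the ipsec command): it parses the report produced by ipsec -f display into one record per rule, keeps the FilterMatches counters from each run, and computes what changed since the previous run. A counter that goes backwards is treated as a reset (for example after a Policy Agent refresh) rather than as a negative delta, and rules whose counter is still zero are reported as unused. The report text is constructed here in the shape shown above; on z/OS you would read the file written by the ipsec command instead.

```python
"""Track FilterMatches counters from 'ipsec -f display -c current' over time.

Added example for this post, not part of z/OS or the ipsec command.
Assumptions: each rule block is a run of 'Key: value' lines that starts at
'FilterName:' and ends at a line of asterisks, as in the report above.
"""
import re

FIELD = re.compile(r"^(\w+):\s*(.*?)\s*$")   # 'Key:   value' report line

# Constructed sample of a first snapshot: two rules, the second never used.
# The first two lines stand in for the report header and are not a rule.
SNAPSHOT_1 = """\
ipsec  Stack Name: TCPIP
Primary: Filter  Function: Display  Format: Detail
FilterName:                   icmpinspecific2
Type:                         Generic
Action:                       Permit
Direction:                    Inbound
Logging:                      All
Protocol:                     ICMP(1)
ICMPType:                     8
SourceAddress:                10.1.0.2
DestAddress:                  0.0.0.0
DestAddressPrefix:            0
DiscardAction:                Silent
FilterMatches:                1
***********************************************************************
FilterName:                   denyall
Type:                         Generic
Action:                       Deny
Direction:                    Inbound
Logging:                      None
Protocol:                     All
FilterMatches:                0
***********************************************************************
"""


def fake_report(counts):
    """Constructed minimal report text with the given FilterMatches values."""
    blocks = [f"FilterName:                   {name}\n"
              f"FilterMatches:                {n}\n" + "*" * 71
              for name, n in counts.items()]
    return "\n".join(blocks) + "\n"


# Later snapshots: counters grew, then a refresh reset them and a new rule appeared.
SNAPSHOT_2 = fake_report({"icmpinspecific2": 5, "denyall": 3})
SNAPSHOT_3 = fake_report({"icmpinspecific2": 2, "denyall": 0, "sshin": 7})


def parse_report(text):
    """Return {FilterName: {field: value}} for every rule block in the report."""
    rules, current = {}, {}
    for line in text.splitlines():
        # A new FilterName or a trailer line ends the block being collected;
        # header lines before the first FilterName never carry a FilterName
        # key, so they are discarded rather than merged into a rule.
        if line.startswith(("*****", "FilterName:")):
            if "FilterName" in current:
                rules[current["FilterName"]] = current
            current = {}
        m = FIELD.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if "FilterName" in current:          # report with no trailing separator
        rules[current["FilterName"]] = current
    return rules


def match_counts(rules):
    """Map FilterName -> integer FilterMatches (rules without a count are skipped)."""
    counts = {}
    for name, fields in rules.items():
        value = fields.get("FilterMatches", "")
        if value.isdigit():
            counts[name] = int(value)
    return counts


def delta(previous, current):
    """Matches in the interval: {name: (count, status)}.

    status is 'ok' (count is the increase), 'reset' (counter went backwards,
    so the counters were cleared and count is the best available number since
    the reset) or 'new' (rule was not in the previous snapshot)."""
    result = {}
    for name, now in current.items():
        before = previous.get(name)
        if before is None:
            result[name] = (now, "new")
        elif now < before:
            result[name] = (now, "reset")
        else:
            result[name] = (now - before, "ok")
    return result


def unused_rules(counts):
    """Rules whose counter is still zero in this snapshot."""
    return sorted(name for name, n in counts.items() if n == 0)


def csv_lines(when, deltas):
    """One 'when,rule,matches,status' line per rule, ready to append to a history file."""
    return [f"{when},{name},{n},{status}" for name, (n, status) in sorted(deltas.items())]


if __name__ == "__main__":
    snaps = [("09:00", SNAPSHOT_1), ("09:30", SNAPSHOT_2), ("10:00", SNAPSHOT_3)]
    previous = {}
    for when, text in snaps:
        counts = match_counts(parse_report(text))
        print("\n".join(csv_lines(when, delta(previous, counts))))
        print(f"{when} unused: {unused_rules(counts)}")
        previous = counts
```

In practice the script would run from a scheduled job after each ipsec -f display, appending the CSV lines to a dataset or file; the reset status tells you that the interval's true count is unknown, which is worth keeping rather than silently dropping.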

SMF

SMF 119 subtype 2 (TCP connection termination) records give information about each TCP connection, but not about which filter rule a packet matched. I do not know if there is a formatter for the SMF 119 records.

Extracting useful information from the ipsec command

I used the ISPF edit macro na to remove the not applicable stuff, and wrote a second macro, nafm (shown below), to exclude from the display every rule block whose FilterMatches value is zero.

/* REXX */
/* nafm: exclude every filter block whose FilterMatches value is 0,  */
/* so that only the rules that have actually matched stay displayed. */
ADDRESS ISPEXEC
'ISREDIT MACRO'
trace o
"ISREDIT (last) = LINENUM .ZLAST"    /* used if the last block has no trailer */
"ISREDIT locate .ZFIRST "
do forever
  "ISREDIT find 'FilterMatches:'"    /* next count, searching on from the cursor */
  if rc <> 0 then leave              /* no more rules in the file */
  "ISREDIT (data) = LINE .ZCSR "
  parse var data p1 p2 .             /* p1 = 'FilterMatches:', p2 = the count */
  if p2 <> 0 then iterate            /* rule was used: leave it displayed */
  /* value is zero, so go back to the start of the block and exclude it */
  "ISREDIT find 'FilterName:' prev"
  "ISREDIT (f1) = LINENUM .ZCSR "
  "ISREDIT find '***********' "      /* trailer line that ends the block */
  lastblock = (rc <> 0)              /* no trailer: this is the final block */
  if lastblock then f2 = last
  else "ISREDIT (f2) = LINENUM .ZCSR "
  do j = f1 to f2                    /* exclude every row of the block */
    "ISREDIT XSTATUS " j "= X "
  end
  if lastblock then leave            /* nothing follows the final block */
end
"ISREDIT locate .ZFIRST "

This gave me

- - - - - - - - - - 77 Line(s) not Displayed
FilterName: icmpinspecific2
Type: Generic
Action: Permit
Direction: Inbound
Logging: All
Protocol: ICMP(1)
ICMPType: 8
SourceAddress: 10.1.0.2
DestAddress: 0.0.0.0
DestAddressPrefix: 0
DiscardAction: Silent
FilterMatches: 1
***********************************************************************
- - - - - - - - - 25 Line(s) not Displayed

You can now issue DELETE ALL X to delete the excluded blocks (the rules with no hits), leaving only the rules that were used, or DELETE ALL NX to delete the displayed blocks (the rules with hits), leaving only the unused rules.
