To see all my blog posts on IP filtering see here.
To test the filtering rules you can use the traffic test option of the Unix ipsec -t command.
You need to give explicit IP addresses such as 10.1.0.2. Using a subnet such as 10.1.0.2/24, or other ways of specifying a range, does not work.
The icmp syntax, for my laptop with address 10.1.0.2 to z/OS on 10.1.1.2, is
ipsec -t 10.1.0.2 10.1.1.2 icmp -p tcpip > a
You cannot specify the icmp type.
This gave a lot of information, most of which is not very interesting, for example
FilterName: icmpinspecific
FilterNameExtension: n/a
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Permit
Scope: Local
Direction: Inbound
OnDemand: n/a
....
Using the ISPF macro na (below) to remove the boring information gave, for each rule,
FilterName: icmpinspecific
Type: Generic
Action: Permit
Direction: Inbound
Logging: All
Protocol: ICMP(1)
ICMPType: 8
SourceAddress: 10.1.0.2
DestAddress: 0.0.0.0
DestAddressPrefix: 0
DiscardAction: Silent
Searching for ICMPType gave one record with 8 and two with All.
Note: DestAddress: 0.0.0.0 and DestAddressPrefix: 0 means that IpDestAddr was not specified in the rule.
You also need to check that the return route exists from z/OS to the laptop:
ipsec -t 10.1.1.2 10.1.0.2 icmp -p tcpip > a
The TCP/IP syntax is
ipsec -t 10.1.0.2 10.1.1.2 tcp 4000 443 -p tcpip > a
This is for a web server request from address 10.1.0.2 port 4000 to port 443 on address 10.1.1.2. Port 443 is the “well known (to my users)” port for the web server. The web client's IP port is allocated by TCP – usually the first available free port.
It displays 3 records
FilterName: Colin443
...
FilterName: DenyAllRule_Generated___________Inbnd
...
FilterName: DenyAllRule_Generated___________Outbnd
...
Where Colin443 is the rule I wrote.
Using the ISPF macro na (below) to remove the boring information leaves
FilterName: Colin443
Type: Generic
Action: Permit
Direction: Inbound
Logging: None
Protocol: TCP(6)
SourceAddress: 10.1.0.2
SourcePort: All
DestAddress: 10.1.1.2
DestPort: 443
DiscardAction: Silent
For my web server to work I also need the reverse path, from 10.1.1.2 port 443 to 10.1.0.2 port 4000:
ipsec -t 10.1.1.2 10.1.0.2 tcp 443 4000 -p tcpip > a
FilterName: Out443
Type: Generic
Action: Permit
Direction: Outbound
Logging: All
Protocol: TCP(6)
SourceAddress: 10.1.1.2
SourcePort: 443
DestAddress: 10.1.0.2
DestPort: All
DiscardAction: Silent
ISPF macro na
This ISPF macro removes irrelevant information, such as all the lines containing not-applicable (“n/a”), and keeps only the fields I thought important (FilterName:, xtension:, …).
This macro needs to be put in a clist/rexx library. For example, use the tso ISRDDN command and look for DDNAME SYSPROC; this has the list of “clist” datasets which are available to you.
/* REXX */
/* Macro to display only the interesting fields from the ipsec command */
ADDRESS ISPEXEC
'ISREDIT MACRO'
trace o
/* Pass 1: delete every line that contains "n/a" */
"ISREDIT exclude all "
"ISREDIT find 'n/a' all"            /* find makes only the matching lines visible */
"ISREDIT delete all nx "            /* delete the visible (not excluded) lines */
"ISREDIT reset "
/* Pass 2: keep only the lines that contain one of these strings */
w = "FilterName: xtension: Type Action Direction",
    "Logging Protocol Address Port ******"
"ISREDIT exclude all "
do i = 1 to words(w)
  "ISREDIT find '"word(w,i)"' all"  /* make the lines containing this word visible */
end
"ISREDIT delete all x "             /* delete the lines that are still excluded */
"ISREDIT reset "
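The same trimming done outside ISPF, as an added example rather than the post's own macro: a small Python parser for the ipsec -t output that drops the n/a fields, keeps the same keywords as the macro, and checks that a Permit rule exists for the direction being tested. It assumes each record starts with a FilterName: line and every other line is Field: value; the sample output is constructed from the records shown above, and the DenyAll field values are made up.

```python
"""Added example (not the post's macro): parse `ipsec -t` output, keep the fields
the ISPF macro keeps, and check that a Permit rule exists for the tested direction.
Assumes records start with 'FilterName:'; SAMPLE is constructed (DenyAll made up)."""

KEEP = ("FilterName", "Type", "Action", "Direction", "Logging", "Protocol", "Address", "Port")

SAMPLE = """\
FilterName: Colin443
FilterNameExtension: n/a
State: Active
Action: Permit
Direction: Inbound
Logging: None
Protocol: TCP(6)
SourceAddress: 10.1.0.2
SourcePort: All
DestAddress: 10.1.1.2
DestPort: 443
DiscardAction: Silent
....
FilterName: DenyAllRule_Generated___________Inbnd
Action: Deny
Direction: Inbound
FilterName: DenyAllRule_Generated___________Outbnd
Action: Deny
Direction: Outbound
"""

def parse_records(text):
    """Split the output into one dict per rule, dropping 'n/a' fields."""
    records, cur = [], None
    for line in text.splitlines():
        if ":" not in line:              # "...." and other non-field lines
            continue
        field, _, value = (s.strip() for s in line.partition(":"))
        if field == "FilterName":        # each rule begins with its name
            cur = {}
            records.append(cur)
        if cur is not None and value != "n/a":
            cur[field] = value
    return records

def interesting(record):
    """Keep fields whose name contains a KEEP keyword (DiscardAction matches 'Action')."""
    return {k: v for k, v in record.items() if any(key in k for key in KEEP)}

def permit_rules(records, direction):
    """Names of Permit rules for 'Inbound' or 'Outbound'; empty means no rule allows it."""
    return [r["FilterName"] for r in records
            if r.get("Action") == "Permit" and r.get("Direction") == direction]
```

Run it against the forward and the reverse test output separately: an empty result for the return direction is exactly the missing reverse-path rule the post describes.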