To see all my blog posts on IP filtering see here.
With Communications Server (CS) on z/OS you can use filters to manage IP traffic in your TCPIP image. You can allow or deny an IP packet.
You can define
- Default rules to allow traffic, in the TCPIP profile
- A set of named rules using Policy Agent. These can allow or deny access
- Individual dynamic rules, which can be automated (for example by external monitors), using DMD
The ipsec command is used to define dynamic rules. It needs the DMD daemon to be running.
Update the syslogd daemon
You need a statement like the following in the /etc/syslog.conf file:
.DMD..* /var/log/DMD.%Y.%m.%d
DMD started task JCL
This was copied from TCPIP.SEZAINST(EZADMD).
//DMD PROC
//DMD EXEC PGM=DMD,REGION=0K,TIME=NOLIMIT,
// PARM='ENVAR("_CEE_ENVFILE_S=DD:STDENV")/'
//* DMD_FILE=/etc/security/dmd.conf
//* DMD_CTRACE_MEMBER=CTIDMD00
//* DMD_PIDFILE=/var/dm/dmd.pid
//* DMD_CODEPAGE=IBM-1047
//STDENV DD *
DMD_FILE=//'USER.Z24C.TCPPARMS(DMD)'
//SYSPRINT DD SYSOUT=*
//SYSOUT DD SYSOUT=*
My configuration file for testing is
DMConfig
{
SyslogLevel 7
DefensiveFilterDirectory /var/log/filters
}
DmStackConfig TCPIP
{
Mode Simulate
}
I do not know what authority it needs to run. It runs as userid START1 on my ADCD system.
You start it with S DMD.
You stop it using P DMD.
You can display information
f dmd,display
You can tell it to refresh its few lines of configuration.
F DMD,REFRESH
EZD1622I DEFENSE MANAGER DAEMON CONFIGURATION PROCESSING IS COMPLETE USING FILE //'USER.Z24C.TCPPARMS(DMD)'
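The test configuration above uses Mode Simulate, so a quick audit of which stacks would actually enforce defensive filters is useful before relying on them. The following Python check is an added example, not part of the original post or of Communications Server; parse_dmd_config and stacks_not_enforcing are hypothetical helper names. It assumes that only Mode Active discards packets (Simulate logs matches without blocking), that an omitted Mode means Inactive, and that '#' starts a comment.

```python
import re

# Constructed sample: the test configuration shown in this post.
SAMPLE = """\
DMConfig
{
SyslogLevel 7
DefensiveFilterDirectory /var/log/filters
}
DmStackConfig TCPIP
{
Mode Simulate
}
"""

def parse_dmd_config(text):
    """Return (global_settings, {stack_name: settings}) from DMD config text."""
    text = re.sub(r"#.*", "", text)                  # assumed comment syntax
    text = text.replace("{", "\n{\n").replace("}", "\n}\n")  # braces on own lines
    global_cfg, stacks = {}, {}
    pending = block = None       # pending: block just named; block: block now open
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "DMConfig":
            pending = global_cfg
        elif words[0] == "DmStackConfig" and len(words) == 2:
            pending = stacks.setdefault(words[1], {})
        elif words == ["{"] and pending is not None:
            block, pending = pending, None
        elif words == ["}"] and block is not None:
            block = None
        elif block is not None and len(words) >= 2:
            block[words[0].lower()] = " ".join(words[1:])   # keyword -> value
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return global_cfg, stacks

def stacks_not_enforcing(text):
    """Names of stacks whose defensive filters would not block traffic."""
    _, stacks = parse_dmd_config(text)
    # Assumption: a missing Mode defaults to Inactive.
    return sorted(name for name, cfg in stacks.items()
                  if cfg.get("mode", "Inactive").lower() != "active")

if __name__ == "__main__":
    for name in stacks_not_enforcing(SAMPLE):
        print(f"stack {name}: defensive filters are not in Active mode")
```

On z/OS the input would be the contents of the DMD_FILE data set or file, read in the code page the daemon is configured for.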