CS IP filtering: adding default rules

To see all my blog posts on IP filtering see here.

You can use the IP filtering component of z/OS Communications Server to permit or deny packets passing through a TCP/IP stack.

You can define

  • Default rules, in the TCPIP profile. These can only permit traffic; anything they do not match is denied.
  • Named rules, using Policy Agent. These can permit or deny traffic.
  • Dynamic rules, which can be added and removed automatically, for example by an external monitor, using the Defense Manager daemon (DMD).

Define default rules

You can define default rules in the startup TCPIP profile – or replace them using an OBEYFILE

IPSEC LOGENable
; Rule      SourceIp  DestIp    Logging  Protocol ...
  IPSECRULE 10.1.0.2  *         LOG      Protocol icmp Type 8
  IPSECRULE *         10.1.0.2  LOG      Protocol icmp
ENDIPSEC

This enables the default rules. They allow only

  • Ping requests (ICMP type 8) from 10.1.0.2 to any address
  • Any ICMP from any address to 10.1.0.2. Note that the reply to a ping is ICMP type 0, so this second rule is what lets the echo replies back to 10.1.0.2

Any other packets are denied.

A rule named SYSDEFAULTDENYRULE is automatically defined after your rules. It denies every packet that no earlier rule permits. If you want to log the action of this rule you need

IPSEC LOGENable LOGIMPLICIT

This logs an event like

EZD0815I Packet denied by policy: 11/21/2023 17:11:34.71 
filter rule= SYSDEFAULTDENYRULE ext= 2 
sipaddr= 10.1.0.2 dipaddr= 10.1.1.2 proto= icmp(1) type= 8 code= 0 -= 
Interface= 10.1.1.2 (I) secclass= 255 dest= local len= 84 
vpnaction= N/A tunnelID= N/A ifcname= ETH1 fragment= N 

This can produce a lot of output. NOLOGIMPLICIT means do not log packets denied by this rule.

When setting this up for the first time you might want to start with

IPSEC LOGENable LOGIMPLICIT
  IPSECRULE * *    NOLOG Protocol *
ENDIPSEC

which permits everything without logging, so nothing breaks while you find out what traffic the stack actually carries. Then add more specific rules in front of the catch-all, such as

  IPSECRULE 10.1.0.0/24 *    LOG Protocol *

Filter rules are searched in the order they are defined and the first match wins, so a specific rule placed after the * * rule would never be used. With the LOG rules in place you get EZD0814I messages in the syslogd file for every permitted packet that matches them. From those you can build up rules that cover the valid cases, then change LOG to NOLOG. Finally remove the catch-all permit, so that anything you missed falls through to SYSDEFAULTDENYRULE and, because of LOGIMPLICIT, is logged as EZD0815I. While the catch-all is in place the stack is effectively unfiltered, so do this on a test system rather than a production one.

If you use an OBEYFILE, the IPSEC block in the file replaces all of the existing default rules rather than adding to them. So to add or remove a rule, edit the file so that it contains the complete set you want, and activate it with the VARY TCPIP,,OBEYFILE command.

Display the active default rules using

ipsec -f display -p TCPIP -c profile

The EZD0814I message for a permitted packet looks like

EZD0814I Packet permitted: 11/18/2023 19:00:42.59 filter 
rule=SYSDEFAULTRULE.1 ext= 2 sipaddr= 10.1.0.2 dipaddr= 10.1.1.2 
proto= icmp(1) type= 8 code= 0 -= Interface= 10.1.1.2 (I) 
secclass= 255 dest= local len= 84 vpnaction= N/A 
tunnelID= N/A ifcname= ETH1 fragment= N 
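The EZD0815I and EZD0814I messages above are the raw material for the "build up rules from the log" step. Here is an added Python example (mine, not part of the original post and not code from z/OS Communications Server) that parses those two message types from a syslogd file, counts the packets that fell through to SYSDEFAULTDENYRULE by source, destination, protocol and ICMP type, and prints candidate IPSECRULE statements inside an IPSEC block for review. The sample log lines are constructed from the two messages quoted in this post (one message per line, as syslogd writes them, plus one unrelated line); the function names and the generic key=value parsing are my assumptions, not an IBM API.

```python
import re
from collections import Counter

# Constructed sample syslogd output, modelled on the EZD0815I/EZD0814I messages
# quoted in this post (one message per line, as syslogd writes them).
SAMPLE_LOG = """\
EZD0815I Packet denied by policy: 11/21/2023 17:11:34.71 filter rule= SYSDEFAULTDENYRULE ext= 2 sipaddr= 10.1.0.2 dipaddr= 10.1.1.2 proto= icmp(1) type= 8 code= 0 -= Interface= 10.1.1.2 (I) secclass= 255 dest= local len= 84 vpnaction= N/A tunnelID= N/A ifcname= ETH1 fragment= N
EZD0815I Packet denied by policy: 11/21/2023 17:11:35.72 filter rule= SYSDEFAULTDENYRULE ext= 2 sipaddr= 10.1.0.2 dipaddr= 10.1.1.2 proto= icmp(1) type= 8 code= 0 -= Interface= 10.1.1.2 (I) secclass= 255 dest= local len= 84 vpnaction= N/A tunnelID= N/A ifcname= ETH1 fragment= N
EZD0815I Packet denied by policy: 11/21/2023 17:12:01.03 filter rule= SYSDEFAULTDENYRULE ext= 2 sipaddr= 10.1.0.7 dipaddr= 10.1.1.2 proto= icmp(1) type= 8 code= 0 -= Interface= 10.1.1.2 (I) secclass= 255 dest= local len= 84 vpnaction= N/A tunnelID= N/A ifcname= ETH1 fragment= N
EZD0814I Packet permitted: 11/18/2023 19:00:42.59 filter rule=SYSDEFAULTRULE.1 ext= 2 sipaddr= 10.1.0.2 dipaddr= 10.1.1.2 proto= icmp(1) type= 8 code= 0 -= Interface= 10.1.1.2 (I) secclass= 255 dest= local len= 84 vpnaction= N/A tunnelID= N/A ifcname= ETH1 fragment= N
Some unrelated syslogd line that is not a filter event (constructed)
"""

# key= value pairs; the value may follow the '=' directly or after blanks,
# as in "rule=SYSDEFAULTRULE.1" versus "rule= SYSDEFAULTDENYRULE".
# The odd "-=" token in the messages has no word before '=' and is skipped.
FIELD_RE = re.compile(r"(\w+)=\s*(\S+)")


def parse_filter_event(line):
    """Parse one EZD0814I (permitted) or EZD0815I (denied) line.

    Returns a dict with action, rule, src, dst, proto, type and code,
    or None for any other message.
    """
    if line.startswith("EZD0814I"):
        action = "permitted"
    elif line.startswith("EZD0815I"):
        action = "denied"
    else:
        return None
    fields = dict(FIELD_RE.findall(line))
    # "icmp(1)" -> "icmp": keep the name, drop the protocol number
    proto = fields.get("proto", "").split("(", 1)[0].lower()
    return {
        "action": action,
        "rule": fields.get("rule"),
        "src": fields.get("sipaddr"),
        "dst": fields.get("dipaddr"),
        "proto": proto,
        "type": fields.get("type"),   # ICMP type; absent for TCP/UDP
        "code": fields.get("code"),
    }


def summarize_denied(log_text):
    """Count packets that fell through to SYSDEFAULTDENYRULE, keyed by
    (source, destination, protocol, ICMP type)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_filter_event(line)
        if ev and ev["action"] == "denied" and ev["rule"] == "SYSDEFAULTDENYRULE":
            counts[(ev["src"], ev["dst"], ev["proto"], ev["type"])] += 1
    return counts


def suggest_rules(counts, logging="LOG"):
    """Turn the summary into candidate IPSECRULE statements, busiest flow first.
    Port qualifiers for TCP/UDP are deliberately not generated: the operator
    should decide those, not the log."""
    rules = []
    ordered = sorted(counts.items(),
                     key=lambda kv: (-kv[1], tuple(str(x) for x in kv[0])))
    for (src, dst, proto, icmp_type), _n in ordered:
        rule = f"IPSECRULE {src} {dst} {logging} PROTOCOL {proto.upper()}"
        if proto == "icmp" and icmp_type is not None:
            rule += f" TYPE {icmp_type}"
        rules.append(rule)
    return rules


def render_ipsec_block(rules):
    """Wrap the rules in an IPSEC ... ENDIPSEC block ready for an OBEYFILE.
    LOGIMPLICIT stays on so that anything still unmatched remains visible."""
    body = "\n".join(f"  {r}" for r in rules)
    return f"IPSEC LOGENABLE LOGIMPLICIT\n{body}\nENDIPSEC"


if __name__ == "__main__":
    denied = summarize_denied(SAMPLE_LOG)
    for key, n in denied.most_common():
        print(f"{n:5d}  {key}")
    print(render_ipsec_block(suggest_rules(denied)))
```

Treat the output as a worklist, not a policy: a packet that hit the implicit deny is not automatically legitimate, so each candidate rule needs a decision before it goes into the profile. The generated rules are LOG so that you can confirm in syslogd that they match what you expect before switching them to NOLOG, and because the first matching rule wins they must be placed before any catch-all permit.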

Observations on the default rules

Some of the definitions seem strange to me!

Using

IPSECRULE 10.1.0.2 10.1.1.2 LOG Protocol icmp direction inbound
IPSECRULE 10.1.1.2 10.1.0.2 LOG Protocol icmp direction outbound

This works as I expect: it allows an inbound ICMP request from 10.1.0.2 (my laptop) to 10.1.1.2 (z/OS), and an outbound request from z/OS to my laptop.

If I display the rules using ipsec -f display -p TCPIP

I get

FilterName:              SYSDEFAULTRULE.1
FilterNameExtension:     1
Direction:               Inbound
Logging:                 All
Protocol:                ICMP(1)
SourceAddress:           10.1.0.2
DestAddress:             10.1.1.2

and

FilterName:              SYSDEFAULTRULE.2
Direction:               Outbound
Protocol:                ICMP(1)
OSPFType:                n/a
TCPQualifier:            n/a
ProtocolGranularity:     n/a
SourceAddress:           10.1.1.2
DestAddress:             10.1.0.2

If you are thinking of using direction bidirectional, see Using Direction bidirectional drove me crazy first.
