CS IP Filtering : use of DiscardAction to send an icmp response back

To see all my blog posts on IP filtering see here.

With IP filtering you can specify a discard action which sends an ICMP "destination unreachable" error back to the sender of a packet that the filter denies, rather than silently dropping the packet.

The documentation says:

ImplicitDiscardAction
Indicates the discard action that is to be applied to packets that are denied by the implicit deny all rule at the end of the filter table. If a packet does not match any of the filter rules defined in Policy Agent, then the packet is denied by an implicit deny all rule.

  • Silent: Specify this value to discard the packet silently.
  • ICMP: Specify this value to send an ICMP or ICMPv6 destination unreachable error with reason administratively prohibited to the origin of the discarded packet. ICMP errors are not generated for locally originated traffic; they are generated only for remote traffic that is being received or forwarded.

For example:

# Action: deny the packet, and send an ICMP error back to the sender
IpGenericFilterAction denyit
{
  IpFilterAction   deny
  DiscardAction    ICMP
  IpFilterLogging  yes
}

# Input rule: deny inbound ICMP from 10.1.0.0/24 to this host (10.1.1.2)
IpFilterRule icmpinall
{
  IpSourceAddr     10.1.0.0/24
  IpDestAddr       10.1.1.2
  IpGenericFilterActionRef denyit
  IpService
  {
    Protocol   icmp
    Direction  inbound
    Routing    local
  }
}

# Need a rule to allow the traffic to go out: the ICMP error is sent
# outbound from 10.1.1.2 and is itself subject to the filter rules
IpFilterRule icmpout
{
  IpSourceAddr     10.1.1.2
  IpDestAddr       10.1.0.0/24
  IpGenericFilterActionRef permit
  IpService
  {
    Protocol   icmp
    Direction  outbound
    Routing    local
  }
}

# Action for outbound ICMP packets
IpGenericFilterAction permit
{
  IpFilterAction   permit
  IpFilterLogging  yes
}

Output

If the action is Silent, ping gets no response at all and only reports packet loss:

ping 10.1.1.2 
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
^C
--- 10.1.1.2 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2035ms

If the action is ICMP, the sender is told immediately that the packet was filtered (which also reveals to anyone probing the host that a filter is in place, where a silent discard is indistinguishable from a lost packet or a dead host):

colinpaice@colinpaice:~$ ping 10.1.1.2 
PING 10.1.1.2 (10.1.1.2) 56(84) bytes of data.
From 10.1.1.2 icmp_seq=1 Packet filtered
From 10.1.1.2 icmp_seq=2 Packet filtered
^C
--- 10.1.1.2 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1002ms

A Wireshark trace of the response shows the ICMP error:

Internet Control Message Protocol
Type: 3 (Destination unreachable)
Code: 13 (Communication administratively filtered)
  • Type 3 is Destination Unreachable.
  • Code 13 is Communication Administratively Prohibited (the RFC 1812 name); Wireshark labels the same code "Communication administratively filtered".
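To make the trace above concrete, here is an added example (not code from the original post or from z/OS Communications Server) that builds the echo request ping would send, builds the type 3 / code 13 error that DiscardAction ICMP sends back, and decodes that error the way ping and Wireshark do, including the checksum check and the quoted original IP header plus 8 bytes that let ping print "icmp_seq=N Packet filtered". The client address 10.1.0.5, the ICMP identifier and the 56-byte payload are constructed sample data; 10.1.1.2 is the host from the filter rules above.

```python
"""ICMPv4 Destination Unreachable (RFC 792 type 3) as sent by DiscardAction ICMP.
Added example, not from the original post or z/OS Communications Server.
Addresses, identifier and payload are constructed sample data."""
import socket
import struct

ICMP_ECHO_REQUEST = 8
ICMP_DEST_UNREACH = 3
ICMP_CODE_ADMIN_PROHIBITED = 13
IPPROTO_ICMP = 1

# Destination Unreachable codes (RFC 792 / RFC 1812).  Wireshark labels 13 as
# "Communication administratively filtered"; RFC 1812 names it as below.
UNREACH_CODE_NAMES = {
    0: "Network Unreachable",
    1: "Host Unreachable",
    3: "Port Unreachable",
    9: "Communication with Destination Network Administratively Prohibited",
    10: "Communication with Destination Host Administratively Prohibited",
    13: "Communication Administratively Prohibited",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header, no options, TTL 64, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def icmp_echo_request(ident: int, seq: int, data: bytes) -> bytes:
    """What ping sends: type 8, code 0, identifier, sequence number, payload."""
    body = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def icmp_dest_unreachable(code: int, offending_datagram: bytes) -> bytes:
    """Type 3 error: 4 unused bytes, then the offending datagram's IP header
    plus the first 8 bytes of its payload, so the sender can match it up."""
    ihl = (offending_datagram[0] & 0x0F) * 4
    quoted = offending_datagram[: ihl + 8]
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def decode_dest_unreachable(icmp: bytes) -> dict:
    """Parse a type 3 message and report which original packet it refers to."""
    if len(icmp) < 8 + 20:
        raise ValueError("truncated ICMP error")
    if inet_checksum(icmp) != 0:  # a valid message sums to zero with its checksum
        raise ValueError("bad ICMP checksum")
    if icmp[0] != ICMP_DEST_UNREACH:
        raise ValueError("not a Destination Unreachable message")
    quoted = icmp[8:]                      # original IP header + 8 payload bytes
    ihl = (quoted[0] & 0x0F) * 4
    info = {
        "type": icmp[0],
        "code": icmp[1],
        "code_name": UNREACH_CODE_NAMES.get(icmp[1], "unassigned"),
        "orig_src": socket.inet_ntoa(quoted[12:16]),
        "orig_dst": socket.inet_ntoa(quoted[16:20]),
        "orig_proto": quoted[9],
    }
    inner = quoted[ihl: ihl + 8]
    if info["orig_proto"] == IPPROTO_ICMP and len(inner) == 8:
        # The 8 quoted bytes are the original echo's type/code/checksum/id/seq,
        # which is how ping prints "icmp_seq=N Packet filtered".
        _, _, _, ident, seq = struct.unpack("!BBHHH", inner)
        info.update(orig_icmp_id=ident, orig_icmp_seq=seq)
    return info


def simulate_filtered_ping(client: str, host: str, seq: int) -> dict:
    """client pings host; host's filter denies it with DiscardAction ICMP and
    answers with type 3 code 13.  Returns what the client decodes."""
    echo = icmp_echo_request(ident=0x1234, seq=seq, data=bytes(56))  # 56 data bytes, as ping does
    request = ipv4_header(client, host, IPPROTO_ICMP, len(echo)) + echo
    error = icmp_dest_unreachable(ICMP_CODE_ADMIN_PROHIBITED, request)
    reply = ipv4_header(host, client, IPPROTO_ICMP, len(error)) + error
    return decode_dest_unreachable(reply[20:])       # strip the outer IP header


if __name__ == "__main__":
    print(simulate_filtered_ping("10.1.0.5", "10.1.1.2", seq=1))
```

The decoder rejects a message whose checksum does not verify, so a corrupted or forged error is not matched to an outstanding echo; the quoted header is what lets the client (or an analyst reading a capture) tie the "Packet filtered" line back to the exact denied datagram, its source, destination and sequence number.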
