CS IP Filtering: start here

With Communications Server (CS) on z/OS, which I think of as the TCPIP started task, you can set up packet filtering. You define rules to allow or deny a packet into or out of TCP/IP, based on criteria such as the source IP address and the destination IP address and port. The action can be to allow the packet into (or out of) TCP/IP, to quietly drop the packet, or to drop the packet and send an icmp response back to the originator. You can also log information about the packet. You could configure the rules so that normal traffic is allowed and not logged, while traffic from other addresses is denied and the event logged. You can then review the logged traffic and either set up rules to allow it, or work out why someone is trying to access your system.

This is known as IP security (IPSec), and there is a product, Vertali zTrust for Networks, which interfaces to IPSec and RACF to manage the environment using standard security tools.

There are three levels of rules:

  • Default – these are configured when the TCPIP address space starts, ensuring you do not have a window when there are no rules defined. This might be to deny access to all except the system programmers.
  • From the Policy Agent – this is the normal source of rules.
  • Defensive rules – you can create additional rules on the fly for when there is a problem. These rules can be configured to expire after a time period, for example 30 minutes.

Set up

You have to configure several address spaces, for example:

  • TCPIP – to enable packet filtering, and to define the default (initial) rules.
  • Policy Agent to define the rules used in normal operation.
  • TRMD. This address space takes event information and writes it to the UNIX syslog daemon.
  • SYSLOGD. This is a central service which is sent event data; the daemon writes the data to one or more files, depending on the configuration and the originating program. Without this, events are not logged.
  • DMD – this processes the defensive rules and updates the TCPIP address space.

As usual there are started tasks to create and define to WLM, security profiles to allow these started tasks to run, and profiles to allow users to administer IPSec packet filtering.

I have written some blog posts to help you navigate the journey. They are written to provide additional information to what is provided by IBM.

Blog posts

CS IP filtering: “standard IP flows”

To see all my blog posts on IP filtering see here.

When setting up rules for IP filtering, I discovered the following, which you might want to define rules for.

Ping

This is an icmp echo request, type 8. The response is an icmp echo reply, type 0.

Traceroute

This can be protocol icmp or udp.

See “Understanding traceroute”

With protocol udp, traceroute sends a series of UDP packets to the destination IP address, each with a larger hop count than the last, and each to a different destination port: the first hop is typically port 33434, the second hop 33435, and so on. A router that decrements the hop count to zero sends back an icmp time-exceeded response, so when traceroute gets the response back it knows how far the packet got before the hop count went to zero.

To support traceroute you need to allow UDP traffic with destination ports in a range starting at 33434; the upper limit is normally less than 33434 + 100.

FTP

See Trying to use FTP.

SFTP

SFTP uses port 22.

X3270

You can configure multiple ports in TCPIP, for example one for TLS and one for non-TLS.

You need to have rules for both inbound and outbound traffic specifying the x3270 port.

Internet Group Management Protocol (IGMP)

The Internet Group Management Protocol (IGMP) lets several devices join one multicast group address so they all receive the same data. IGMP is a network layer protocol used to set up multicasting on networks that use IPv4. Specifically, IGMP allows devices to join a multicast group.

I had an interface name ETH2 type (IntfType): IPAQENET with IpAddr: 192.168.1.74/0.

I had log records like

source IP Address 192.168.1.254 destination IP address 224.0.0.1
proto=igmp

OMPROUTE

This supports OSPF

When I started OMPROUTE on z/OS I had a log record with

source IP address 10.1.1.2 destination IP addr= 224.0.0.5 proto= ospf(89)
type= 1 outbound

OMPROUTE also gave a message (every 10 seconds)

EZZ8052I OMPROUTE SEND TO 224.0.0.5 BLOCKED BY TCPIP WHEN USING ETH1

When I started frr on a Linux machine I got a log entry

Source IP address 10.1.1.1 Destination IP address = 224.0.0.5 proto= ospf(89)
type= 1 Interface= 10.1.1.2 Inbound

This shows it came in over the z/OS interface 10.1.1.2, which is attached to my Linux machine.

CS IP filtering: how to find which rules have been used.

With IP filtering you define rules to allow or deny packets flowing into or out of TCP/IP. These rules are defined using the Policy Agent, and you can display information about the rules using the -f (IP filter) option of the UNIX ipsec command.

For example the command

ipsec -f display -c current > a

produces a report which includes

FilterName: icmpinspecific2
Type: Generic
Action: Permit
Direction: Inbound
Logging: All
Protocol: ICMP(1)
ICMPType: 8
SourceAddress: 10.1.0.2
DestAddress: 0.0.0.0
DestAddressPrefix: 0
DiscardAction: Silent
FilterMatches: 1

This shows that the filter matched once.

You lose history

If you refresh the policy agent, the data may be reset and any statistics lost. You should consider extracting the data periodically (for example half hourly), processing it, and saving the results for later analysis. Plotting which rules were matched by day and by time of day may give you insight into the traffic and provide a baseline for when you are investigating incidents.

SMF

SMF 119 subtype 2 records give information for each connection. I do not know if there is a formatter for the SMF 119 records.

Extracting useful information from the ipsec command

I used the ISPF edit macro na to remove the not applicable stuff, and wrote a macro nafm to hide all the records which have no match.

/* REXX */
/* nafm: exclude every filter block whose FilterMatches value is 0 */
ADDRESS ISPEXEC
'ISREDIT MACRO'
trace o
"ISREDIT locate .ZFIRST"
do i = 1 by 1
  "ISREDIT find 'FilterMatches:'"
  if rc <> 0 then leave              /* no more FilterMatches: lines */
  "ISREDIT (data) = LINE .ZCSR"
  parse var data p1 p2 .             /* p2 is the match count */
  if p2 <> 0 then iterate            /* rule was used, keep it visible */
  /* value is zero, so go back to the start of the block and exclude it */
  "ISREDIT find 'FilterName:' prev"
  "ISREDIT (f1) = LINENUM .ZCSR"
  "ISREDIT find '***********'"
  "ISREDIT (f2) = LINENUM .ZCSR"
  do j = f1 to f2                    /* exclude every row of the block */
    "ISREDIT XSTATUS" j "= X"
  end
end
"ISREDIT locate .ZFIRST"

This gave me

-  -  -  -  -  -  - -  -  77 Line(s) not Displayed 
FilterName: icmpinspecific2
Type: Generic
Action: Permit
Direction: Inbound
Logging: All
Protocol: ICMP(1)
ICMPType: 8
SourceAddress: 10.1.0.2
DestAddress: 0.0.0.0
DestAddressPrefix: 0
DiscardAction: Silent
FilterMatches: 1
***********************************************************************
- - - - - - - - - 25 Line(s) not Displayed

You can now issue commands like “delete all x” to delete the records which had no hits, or “delete all nx” to delete the records which had hits, leaving the unused records.
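The same selection the nafm macro makes, plus the periodic snapshot processing suggested under "You lose history", as an added example that is not part of the original post: it parses the block layout of the ipsec -f display report into one record per filter, keeps the rules with hits, and works out the hits between two snapshots while allowing for the counters being reset by a policy agent refresh. The sample report and the rule name denyrest are constructed for the example.

```python
from typing import Dict, List

# Constructed sample in the layout of the "ipsec -f display" report above;
# not real captured output. Two rules, one used and one unused.
SAMPLE_REPORT = """\
FilterName:                   icmpinspecific2
Action:                       Permit
Direction:                    Inbound
Protocol:                     ICMP(1)
ICMPType:                     8
SourceAddress:                10.1.0.2
FilterMatches:                1
***********************************************************************
FilterName:                   denyrest
Action:                       Deny
Protocol:                     All
FilterMatches:                0
***********************************************************************
"""

def parse_filters(report: str) -> List[Dict[str, str]]:
    """One dict (field -> value) per filter block; blocks end with a row of '*'."""
    filters, current = [], {}
    for line in report.splitlines():
        if line.startswith("*****"):
            if current:
                filters.append(current)
            current = {}
        elif ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    if current:  # last block had no trailing separator
        filters.append(current)
    return filters

def match_counts(report: str) -> Dict[str, int]:
    """FilterName -> FilterMatches for every rule in the report."""
    return {f["FilterName"]: int(f.get("FilterMatches", "0"))
            for f in parse_filters(report) if "FilterName" in f}

def used_filters(report: str) -> Dict[str, int]:
    """Only rules that matched at least once (what 'delete all x' leaves)."""
    return {n: c for n, c in match_counts(report).items() if c > 0}

def hits_since(prev: Dict[str, int], curr: Dict[str, int]) -> Dict[str, int]:
    """Hits between two snapshots. A counter that went backwards means the
    statistics were reset (policy agent refresh), so the whole current value
    is new; a rule absent from the previous snapshot is also entirely new."""
    return {n: (c - prev[n]) if n in prev and c >= prev[n] else c
            for n, c in curr.items()}
```

Run match_counts on each half-hourly capture and feed consecutive results to hits_since to build the per-rule history the ipsec command itself does not keep.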