Explanation
This message is issued when limiting of filter match messages was requested
for a defensive filter and at least one "packet denied" message (EZD1721I)
for the defensive filter was suppressed during the preceding five minutes.
In the message text:
- date
- The date on which this message was issued. This date is retrieved
from the system time-of-day clock, which usually reflects coordinated
universal time (UTC). This timestamp might be different than the syslogd
message timestamp.
- time
- The time at which this message was issued. This time is retrieved
from the system time-of-day clock, which usually reflects coordinated
universal time (UTC). This timestamp might be different than the syslogd
message timestamp.
- rulename
- The defensive filter rule name as specified on the -N option when
the defensive filter was added with the z/OS® UNIX ipsec command.
- instance
- The rule name extension.
- sipaddr / sip_prefix_length
- The source IP address specification for the defensive filter rule.
The value 0.0.0.0/0 indicates that the defensive filter rule applies
to all source IPv4 addresses. The value ::/0 indicates that the defensive
filter rule applies to all source IPv6 addresses.
- dipaddr / dip_prefix_length
- The destination IP address specification for the defensive filter
rule. The value 0.0.0.0/0 indicates that the defensive filter rule
applies to all destination IPv4 addresses. The value ::/0 indicates
that the defensive filter rule applies to all destination IPv6 addresses.
- proto
- The protocol specification for the defensive filter rule. Possible
values are:
- ICMP(1)
- IGMP(2)
- IP(4)
- TCP(6)
- UDP(17)
- ESP(50)
- AH(51)
- ICMPv6(58)
- OSPF(89)
- IPIP(94)
- MIPv6(135)
- The protocol number
- ALL
- tag1
- The tag1 value varies depending on the proto value.
If the proto value is ICMP or ICMPv6, the tag1 value is type= followed by
the ICMP or ICMPv6 type, or followed by the value all.
If the proto value is TCP or UDP, the tag1 value is sport= followed by the
source port range. For example, sport= 1024 - 65535. For a defensive filter
that applies to all source ports the tag1 value is sport= 1 - 65535.
If the proto value is any value not previously mentioned, the tag1 value
is -= which indicates that the data is not applicable.
- tag2
- The tag2 value varies depending on the protocol.
If the proto value is ICMP or ICMPv6, the tag2 value is code= followed by
the ICMP or ICMPv6 code, or followed by the value all.
If the proto value is TCP or UDP, the tag2 value is dport= followed by the
destination port range. For example, dport= 21 - 21. For a defensive filter
that applies to all destination ports, the tag2 value is dport= 1 - 65535.
If the proto value is any value not previously mentioned, the tag2 value
is -= which indicates that the data is not applicable.
- fragments_only
- The fragment specification for the defensive filter rule. Possible
values are:
- yes - The defensive filter rule applies only to fragments.
- no - The defensive filter rule does not apply only to fragments.
- dir
- The direction specified for the defensive filter rule. Possible
values are inbound and outbound.
- routing
- The routing specified for the defensive filter rule. Possible
values are local, routed, and either.
- count
- The number of "packet denied" messages (EZD1721I) for
the defensive filter that were suppressed during the preceding five
minutes.
System action
TCP/IP processing continues.
Operator response
System programmer response
User response
Problem determination
Source
z/OS Communications Server TCP/IP: TRMD
Module
Routing code
Descriptor code
Automation
Not applicable for automation.
Example
EZD0837I Defensive filter packet denied messages limited: 11/28/2011 16:35:55.42 filter_rule=
Block_10_UDP_301 filter_ext= 1 filter_sipaddr= 10.8.8.0 / 24 filter_dipaddr= 0.0.0.0 / 0
filter_proto= udp(17) sport= 301 - 301 dport= 1 - 65535 filter_fragmentsonly= no
filter_dir= inbound filter_routing= local suppressed_count= 125
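
Because each EZD0837I message stands in for suppressed EZD1721I messages, a count of EZD1721I lines alone understates how many packets a defensive filter denied. The following added example (not IBM code) parses the message fields and totals suppressed_count per rule; the field keys are taken from the Example above, and the rendering of a not-applicable tag as a bare "-=" is an assumption.

```python
import re
from collections import Counter

# Field keys as they appear in the Example above; type=/code= follow the tag1/tag2 text.
KEY = re.compile(r"\b(filter_\w+|sport|dport|type|code|suppressed_count)=\s*")
HEAD = re.compile(r"EZD0837I\b.*?limited:\s+(\S+)\s+(\S+)\s+(.*)", re.S)

def parse_ezd0837i(text):
    """Return the message fields as a dict, or None if text is not EZD0837I."""
    m = HEAD.search(text)
    if not m:
        return None
    fields = {"date": m.group(1), "time": m.group(2)}
    body = " ".join(m.group(3).split())  # undo any line wrapping
    hits = list(KEY.finditer(body))
    for cur, nxt in zip(hits, hits[1:] + [None]):
        value = body[cur.end():nxt.start() if nxt else len(body)].strip()
        # Assumption: a not-applicable tag1/tag2 is rendered as a bare "-=".
        fields[cur.group(1)] = re.sub(r"(\s*-=)+$", "", value)
    for key in ("filter_sipaddr", "filter_dipaddr"):
        if key in fields:  # "10.8.8.0 / 24" -> "10.8.8.0/24"
            fields[key] = fields[key].replace(" ", "")
    count = fields.get("suppressed_count", "")
    fields["suppressed_count"] = int(count) if count.isdigit() else 0
    return fields

def suppressed_by_rule(lines):
    """Total suppressed EZD1721I messages per (rule name, rule extension)."""
    totals = Counter()
    for line in lines:
        f = parse_ezd0837i(line)
        if f:
            totals[(f.get("filter_rule"), f.get("filter_ext"))] += f["suppressed_count"]
    return dict(totals)

PAGE_EXAMPLE = (  # the Example above, joined onto one line
    "EZD0837I Defensive filter packet denied messages limited: "
    "11/28/2011 16:35:55.42 filter_rule= Block_10_UDP_301 filter_ext= 1 "
    "filter_sipaddr= 10.8.8.0 / 24 filter_dipaddr= 0.0.0.0 / 0 "
    "filter_proto= udp(17) sport= 301 - 301 dport= 1 - 65535 "
    "filter_fragmentsonly= no filter_dir= inbound filter_routing= local "
    "suppressed_count= 125")
# Constructed: the same rule reporting again five minutes later, plus an unrelated line.
SAMPLE = [PAGE_EXAMPLE,
          PAGE_EXAMPLE.replace("16:35:55.42", "16:40:55.42").replace("= 125", "= 75"),
          "constructed line that is not an EZD0837I message"]

if __name__ == "__main__":
    for rule, total in suppressed_by_rule(SAMPLE).items():
        print(rule, total)
```

Add the per-rule totals to the number of EZD1721I lines logged for the same rule over the same period to estimate the real volume of denied packets.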