IP packet filter firewall
You can use an IP packet filter firewall to create a set of rules that either discards or accepts traffic over a network connection.
An IP packet filter firewall allows you to create a set of rules that either discard or accept traffic over a network connection. The firewall itself does not affect this traffic in any way. Because a packet filter can only discard traffic that is sent to it, the device with the packet filter must either perform IP routing or be the destination for the traffic.
A packet filter has a set of rules with accept or deny actions. When the packet filter receives a packet, it compares the packet to your preconfigured rule set in order. At the first match, the packet filter either accepts or denies the packet. Most packet filters have an implicit "deny all" rule at the bottom of the rules file, so any packet that matches no explicit rule is discarded. Rules are typically written in terms of the following packet attributes:
- Source and destination IP addresses
- Protocol, such as TCP, UDP, or ICMP
- Source and destination ports and ICMP types and codes
- Flags in the TCP header, such as whether the packet is a connection request
- Direction (inbound or outbound)
- Which physical interface the packet is traversing
All packet filters share one underlying criterion: trust is based on IP addresses. On its own, this type of security is not sufficient for an entire network, but it is acceptable at the component level.
Most IP packet filters are stateless, which means they do not remember anything about the packets they previously processed. A stateful packet filter can store some information about previous traffic, which lets you configure the filter so that only replies to requests from the internal network are accepted from the Internet. Stateless packet filters are vulnerable to spoofing because the source IP address and the ACK bit in the packet header can be easily forged, and a stateless filter has no record of an outbound request against which to check an inbound "reply".
In IBM® i, you can specify the packet filter rules on interfaces and remote access service profiles. If you are using either an external packet filter firewall or packet filter rules on the IBM i and your Universal Connection data passes through these filters, you must change the filter rules to allow the connection to the IBM VPN gateway as follows:
| IP filter rules | IP filter values |
|---|---|
| UDP inbound traffic filter rule | Allow port 4500 for VPN gateway address |
| UDP inbound traffic filter rule | Allow port 500 for VPN gateway address |
| UDP outbound traffic filter rule | Allow port 4500 for VPN gateway IP address |
| UDP outbound traffic filter rule | Allow port 500 for VPN gateway IP address |
| ESP inbound traffic filter rule | Allow ESP protocol (X'32') for VPN gateway IP address |
| ESP outbound traffic filter rule | Allow ESP protocol (X'32') for VPN gateway IP address |
| IP filter rules | IP filter values |
|---|---|
| TCP inbound traffic filter rule | Allow port 80 for all service destination addresses |
| TCP inbound traffic filter rule | Allow port 443 for all service destination addresses |
| TCP outbound traffic filter rule | Allow port 80 for all service destination addresses |
| TCP outbound traffic filter rule | Allow port 443 for all service destination addresses |
Changing the filter rules involves specifying the actual IBM VPN gateway address. The ports and services must be opened for the following IP addresses: Boulder: 207.25.252.196 and Rochester: 129.42.160.16.
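The following is an added example, not IBM i code or IBM's filter-rule syntax. It models the first-match evaluation with an implicit deny-all described above, encodes the rules from the two tables (UDP 500 and 4500 and ESP protocol 50 for the two gateway addresses on this page, TCP 80 and 443 for service addresses), and contrasts a stateless filter with a stateful one that admits only replies to flows it accepted outbound. The local address 192.0.2.10, the service address 198.51.100.20 and the outside address 203.0.113.9 are constructed; mapping the inbound 80/443 table rows to the service's source port (because the IBM i is the client in a Universal Connection) is my interpretation.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# IP protocol numbers; ESP is protocol 50, written X'32' in the table above.
PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    direction: str          # "in" (from the Internet) or "out" (to the Internet)
    sport: int = 0          # 0 for protocols without ports (ESP)
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str             # "accept" or "deny"
    direction: str
    proto: Optional[int] = None
    src: str = "0.0.0.0/0"  # single address or CIDR; None-like fields match anything
    dst: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


class PacketFilter:
    """First matching rule wins; anything unmatched hits the implicit deny-all."""

    def __init__(self, rules: List[Rule], stateful: bool = False):
        self.rules = list(rules)
        self.stateful = stateful
        self._flows = set()  # 5-tuples of outbound packets this filter accepted

    def evaluate(self, p: Packet) -> str:
        # Stateful mode: an inbound packet that reverses an accepted outbound
        # 5-tuple is a reply and is admitted without any inbound rule.
        if self.stateful and p.direction == "in":
            if (p.dst, p.src, p.proto, p.dport, p.sport) in self._flows:
                return "accept"
        for rule in self.rules:
            if rule.matches(p):
                if self.stateful and rule.action == "accept" and p.direction == "out":
                    self._flows.add((p.src, p.dst, p.proto, p.sport, p.dport))
                return rule.action
        return "deny"  # implicit deny-all at the bottom of the rule set


def build_rules(gateways, service_nets=("0.0.0.0/0",), inbound_tcp=True) -> List[Rule]:
    """Rule set corresponding to the two tables on this page (my encoding)."""
    rules = []
    for gw in gateways:
        for port in (4500, 500):  # IKE (500) and NAT traversal (4500)
            rules.append(Rule("accept", "in", PROTO_UDP, src=gw, dport=port))
            rules.append(Rule("accept", "out", PROTO_UDP, dst=gw, dport=port))
        rules.append(Rule("accept", "in", PROTO_ESP, src=gw))
        rules.append(Rule("accept", "out", PROTO_ESP, dst=gw))
    for net in service_nets:
        for port in (80, 443):
            if inbound_tcp:  # reply from the service: its source port is 80/443
                rules.append(Rule("accept", "in", PROTO_TCP, src=net, sport=port))
            rules.append(Rule("accept", "out", PROTO_TCP, dst=net, dport=port))
    return rules


GATEWAYS = ("207.25.252.196", "129.42.160.16")  # Boulder and Rochester, from the page
LOCAL = "192.0.2.10"                            # constructed local IBM i address
SERVICE = "198.51.100.20"                       # constructed IBM service address


def stateless_decisions() -> List[str]:
    pf = PacketFilter(build_rules(GATEWAYS))
    return [pf.evaluate(p) for p in (
        Packet(LOCAL, "207.25.252.196", PROTO_UDP, "out", 500, 500),  # IKE to Boulder
        Packet("129.42.160.16", LOCAL, PROTO_ESP, "in"),               # ESP from Rochester
        Packet("203.0.113.9", LOCAL, PROTO_ESP, "in"),                 # ESP from elsewhere
        Packet("203.0.113.9", LOCAL, PROTO_TCP, "in", 4444, 23),       # unsolicited telnet
        Packet("203.0.113.9", LOCAL, PROTO_TCP, "in", 443, 50001),     # forged "reply"
    )]


def stateful_decisions() -> List[str]:
    # Outbound TCP rules only; replies are admitted by connection state instead.
    pf = PacketFilter(build_rules(GATEWAYS, inbound_tcp=False), stateful=True)
    return [pf.evaluate(p) for p in (
        Packet(LOCAL, SERVICE, PROTO_TCP, "out", 50000, 443),         # our request
        Packet(SERVICE, LOCAL, PROTO_TCP, "in", 443, 50000),          # genuine reply
        Packet("203.0.113.9", LOCAL, PROTO_TCP, "in", 443, 50001),    # forged "reply"
    )]


if __name__ == "__main__":
    print(stateless_decisions())
    print(stateful_decisions())
```

The last packet in each list is the point of the stateless/stateful distinction: the stateless filter must carry an inbound "port 443" rule to let genuine replies through, so a packet from anywhere that merely claims source port 443 is also accepted, whereas the stateful filter accepts only the reply whose 5-tuple reverses a request it saw leave.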