Firewall Navigation
Firewall navigation enables controlled access to an IBM® Connect:Direct® system running behind a packet-filtering firewall without compromising your security policies or those of your trading partners. You control this access by assigning a specific TCP source port number or a range of source port numbers with a specific destination address (or addresses) for IBM Connect:Direct sessions.
Before you configure source ports in the IBM Connect:Direct initialization parameters, you need to review all information regarding firewall navigation and rules, especially if you are implementing firewalls.
Implement Firewall Navigation
To implement firewall navigation in IBM Connect:Direct:
Procedure
Firewall Rules
Firewall rules need to be created on the local firewall to allow the local IBM Connect:Direct node to communicate with the remote IBM Connect:Direct node. A typical packet-filtering firewall rule specifies that the local firewall is open in one direction (inbound or outbound) to packets from a particular protocol with particular local addresses, local ports, remote addresses, and remote ports.
TCP Firewall Navigation Rules
In the following table, the TCP rules are presented in two sections: the first section applies to rules that are required when the local node is acting as a PNODE; the second section applies to rules that are required when the local node is acting as an SNODE. A typical node acts as a PNODE on some occasions and an SNODE on other occasions; therefore, its firewall will require both sets of rules.
TCP PNODE Rules

Rule Name | Rule Direction | Local Ports | Remote Ports |
---|---|---|---|
PNODE session | Outbound | Local C:D's source ports | Remote C:D's listening port |

TCP SNODE Rules

Rule Name | Rule Direction | Local Ports | Remote Ports |
---|---|---|---|
SNODE session | Inbound | Local C:D's listening port | Remote C:D's source ports |
TCP Firewall Configuration Example
The IBM Connect:Direct administrator configures the local node to listen on port 2264, and the following initialization parameter settings are used to configure the local node's source ports:
- tcp.src.ports = (333.333.333.333, 2000–2200)
- tcp.src.ports.list.iterations = 1
This configuration specifies to use a source port in the range 2000–2200 when communicating with the remote node's address 333.333.333.333 and to search the port range one time for an available port. The local node will act as both a PNODE and an SNODE when communicating with the remote node.
Based on this scenario, the firewall rules for the local node are the following:
Rule Name | Rule Direction | Local Ports | Remote Ports |
---|---|---|---|
PNODE session request | Outbound | 2000–2200 | 3364 |
SNODE session | Inbound | 2264 | 3000–3300 |
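The scenario above, worked through as an added example (not IBM's code): a small Python script that parses a tcp.src.ports initialization parameter line and derives the PNODE (outbound) and SNODE (inbound) packet-filter rules for the local node. It assumes the value may carry several "(address, range)" entries and several ranges per entry, and it takes the remote node's listening port (3364) and source-port range (3000–3300) from the table above.

```python
# Added example (not IBM code): turn a Connect:Direct tcp.src.ports line into the
# PNODE/SNODE packet-filter rules above. Assumed: several "(addr, range)" entries
# and several ranges per entry are allowed; remote ports come from that node's admin.
import re

_RANGE = re.compile(r"^(\d{1,5})(?:\s*[-\u2013]\s*(\d{1,5}))?$")  # hyphen or en dash
_ENTRY = re.compile(r"\(([^()]*)\)")                                # one (addr, ...) group

def parse_port_range(text):
    """'2000-2200' -> (2000, 2200); a lone port 'N' -> (N, N)."""
    m = _RANGE.match(text.strip())
    if not m:
        raise ValueError("bad port range: %r" % text)
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("port range reversed or out of bounds: %r" % text)
    return lo, hi

def parse_tcp_src_ports(value):
    """Return [(remote_address, [(lo, hi), ...]), ...] for a tcp.src.ports line."""
    rhs = value.split("=", 1)[-1]
    entries = []
    for inner in _ENTRY.findall(rhs):
        parts = [p.strip() for p in inner.split(",")]
        if len(parts) < 2:
            raise ValueError("entry needs an address and a port range: %r" % inner)
        entries.append((parts[0], [parse_port_range(p) for p in parts[1:]]))
    return entries

def firewall_rules(local_listen, src_ports_value, remote_listen, remote_src):
    """PNODE (outbound) and SNODE (inbound) rules; remote_src is the (lo, hi)
    source-port range the remote node uses when it connects to us."""
    rules = []
    for addr, ranges in parse_tcp_src_ports(src_ports_value):
        for lo, hi in ranges:
            # Local sanity check (not an IBM rule): keep the source range clear
            # of our own listening port so the two rule sets stay distinct.
            if lo <= local_listen <= hi:
                raise ValueError("range %d-%d overlaps listening port %d" % (lo, hi, local_listen))
            rules.append({"rule": "PNODE session request", "direction": "outbound",
                          "remote": addr, "local_ports": (lo, hi),
                          "remote_ports": (remote_listen, remote_listen)})
        rules.append({"rule": "SNODE session", "direction": "inbound", "remote": addr,
                      "local_ports": (local_listen, local_listen), "remote_ports": remote_src})
    return rules

if __name__ == "__main__":  # the scenario from the page
    for rule in firewall_rules(2264, "tcp.src.ports = (333.333.333.333, 2000–2200)", 3364, (3000, 3300)):
        print(rule)
```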