Firewall Navigation

Firewall navigation enables controlled access to an IBM® Connect:Direct® system running behind a packet-filtering firewall without compromising your security policies or those of your trading partners. You control this access by assigning a specific TCP source port number or a range of source port numbers with a specific destination address (or addresses) for IBM Connect:Direct sessions.

Before you configure source ports in the IBM Connect:Direct initialization parameters, you need to review all information regarding firewall navigation and rules, especially if you are implementing firewalls.

Implement Firewall Navigation

To implement firewall navigation in IBM Connect:Direct:

Procedure

  1. Coordinate IP address and associated source port assignment with your local firewall administrator before updating the firewall navigation record in the initialization parameters file.
  2. Add the following parameters to the IBM Connect:Direct initialization parameters file as needed, based on whether you are using TCP:
    • tcp.src.ports
    • tcp.src.ports.list.iterations
    • udp.src.ports
    • udp.src.ports.list.iterations
  3. Coordinate the specified port numbers with the firewall administrator at the remote site.

Firewall Rules

Firewall rules must be created on the local firewall to allow the local IBM Connect:Direct node to communicate with the remote IBM Connect:Direct node. A typical packet-filtering firewall rule specifies that the local firewall is open in one direction (inbound or outbound) to packets of a particular protocol with particular local addresses, local ports, remote addresses, and remote ports. Firewall navigation differs by protocol; as a result, the firewall rules for TCP must be configured as described in the following section.

TCP Firewall Navigation Rules

In the following table, the TCP rules are presented in two sections: the first section applies to rules that are required when the local node is acting as a PNODE; the second section applies to rules that are required when the local node is acting as an SNODE. A typical node acts as a PNODE on some occasions and an SNODE on other occasions; therefore, its firewall will require both sets of rules.

TCP PNODE Rules

| Rule Name     | Rule Direction | Local Ports              | Remote Ports                |
|---------------|----------------|--------------------------|-----------------------------|
| PNODE session | Outbound       | Local C:D's source ports | Remote C:D's listening port |

TCP SNODE Rules

| Rule Name     | Rule Direction | Local Ports                | Remote Ports             |
|---------------|----------------|----------------------------|--------------------------|
| SNODE session | Inbound        | Local C:D's listening port | Remote C:D's source ports |

TCP Firewall Configuration Example

The IBM Connect:Direct administrator configures the local node to listen on port 2264, and the following initialization parameter settings are used to configure the local node's source ports:

  • tcp.src.ports = (333.333.333.333, 2000–2200)
  • tcp.src.ports.list.iterations = 1

This configuration tells the local node to use a source port in the range 2000–2200 when communicating with the remote node's address 333.333.333.333, and to search the port range one time for an available port. The local node acts as both a PNODE and an SNODE when communicating with the remote node.

Based on this scenario, the firewall rules for the local node are the following:

| Rule Name             | Rule Direction | Local Ports | Remote Ports |
|-----------------------|----------------|-------------|--------------|
| PNODE session request | Outbound       | 2000–2200   | 3364         |
| SNODE session         | Inbound        | 2264        | 3000–3300    |
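The following script is an added example, not IBM code: it parses a tcp.src.ports value in the form shown above, derives the PNODE (outbound) and SNODE (inbound) rules from the procedure and the configuration example, and renders them as iptables lines so the local rule set can be checked against the initialization parameters. The remote listening port and remote source-port range are assumed to be supplied by the remote site's firewall administrator, and the iptables rendering (filter table, ACCEPT target) is an assumed target format.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str      # "Outbound" (PNODE) or "Inbound" (SNODE)
    remote_addr: str
    local_ports: str    # "low-high" range or a single port
    remote_ports: str

# Matches one "(address, low-high)" entry; accepts a hyphen or the en dash used
# in the page's example. Only this form of tcp.src.ports is handled here.
_ENTRY = re.compile(r"\(\s*([^,\s()]+)\s*,\s*(\d+)\s*[-\u2013]\s*(\d+)\s*\)")

def parse_src_ports(value):
    """Return [(remote_addr, low, high)] parsed from a tcp.src.ports value."""
    entries = []
    for addr, low, high in _ENTRY.findall(value):
        low, high = int(low), int(high)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range {low}-{high} for {addr}")
        entries.append((addr, low, high))
    if not entries:
        raise ValueError(f"no (address, low-high) entries in {value!r}")
    return entries

def firewall_rules(tcp_src_ports, local_listen_port, remote_listen_port,
                   remote_src_ports):
    """Derive the PNODE and SNODE rules for every remote address configured.
    remote_listen_port and remote_src_ports come from the remote site's admin."""
    rules = []
    for addr, low, high in parse_src_ports(tcp_src_ports):
        rules.append(Rule("PNODE session request", "Outbound", addr,
                          f"{low}-{high}", str(remote_listen_port)))
        rules.append(Rule("SNODE session", "Inbound", addr,
                          str(local_listen_port), remote_src_ports))
    return rules

def to_iptables(rule):
    """Render a Rule as an iptables line (assumed: filter table, ACCEPT target).
    Only the session-initiating direction is covered; a stateful firewall still
    needs an ESTABLISHED,RELATED rule for the return packets of each session."""
    local = rule.local_ports.replace("-", ":")     # iptables ranges use ':'
    remote = rule.remote_ports.replace("-", ":")
    if rule.direction == "Outbound":
        return f"-A OUTPUT -p tcp -d {rule.remote_addr} --sport {local} --dport {remote} -j ACCEPT"
    return f"-A INPUT -p tcp -s {rule.remote_addr} --sport {remote} --dport {local} -j ACCEPT"

# Values from the page's example; 333.333.333.333 is the page's placeholder address.
if __name__ == "__main__":
    for r in firewall_rules("(333.333.333.333, 2000–2200)", 2264, 3364, "3000-3300"):
        print(r.name, r.direction, r.local_ports, r.remote_ports, "|", to_iptables(r))
```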