Troubleshooting packet rules
This topic provides troubleshooting advice for some common packet rules problems.
- IBM® i communications trace capability enables you to see all datagram traffic for a specified interface. Use the Start Communications Trace (STRCMNTRC) and Print Communications Trace (PRTCMNTRC) commands to collect and print the information.
- NAT and IP filtering rule order determines how your rules are processed. Rules are processed in the order in which they appear in the file. If the order is not correct, packets are not processed as you intend, which can leave your system open to attack. Place your filter set names in the FILTER_INTERFACE statement in the same order in which the sets are physically defined in the file. Remember the processing order shown in the following table:

  Inbound traffic process      Outbound traffic process
  1. NAT rules                 1. IP filter rules
  2. IP filter rules           2. NAT rules

  A consequence of this order is that in both directions the IP filter rules see the private (untranslated) address: inbound packets have already been untranslated by NAT when the filters run, and outbound packets are not yet hidden behind the public address. Write your filters against the internal addresses, not the public ones.
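The following Python model is an added example, not IBM code and not the real packet rules engine. It simulates the inbound and outbound order from the table above with a 1:1 static NAT map and first-match filter evaluation (both assumed; the page does not state the match semantics or an implicit default deny, which the model also assumes). It shows two ordering mistakes: an inbound filter written against the public address, which never matches because NAT has already untranslated the destination, and a permit placed after a broad deny, which is unreachable. The addresses, rule names and sample packets are constructed for the example.

```python
# Added example (not IBM code): toy model of the processing order above.
# Assumed, not stated on the page: first matching FILTER wins, a packet that
# matches no filter is denied, and NAT is a 1:1 static public<->private map.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Filter:
    name: str
    action: str           # PERMIT or DENY
    direction: str        # INBOUND or OUTBOUND
    src: str              # CIDR or "*"
    dst: str              # CIDR or "*"
    dport: Optional[int]  # None = any port

@dataclass(frozen=True)
class StaticNat:
    public: str
    private: str

def _addr_match(pattern, addr):
    return pattern == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)

def _covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "*":
        return True
    if inner == "*":
        return False
    return ipaddress.ip_network(inner, strict=False).subnet_of(ipaddress.ip_network(outer, strict=False))

def apply_filters(filters, direction, pkt):
    """First match in file order wins; implicit deny when nothing matches (assumed)."""
    for f in filters:
        if (f.direction == direction and _addr_match(f.src, pkt.src)
                and _addr_match(f.dst, pkt.dst)
                and (f.dport is None or f.dport == pkt.dport)):
            return f.action, f.name
    return "DENY", "<no matching rule>"

def process_inbound(nat, filters, pkt):
    # 1. NAT rules: the public destination is untranslated to the private address.
    for m in nat:
        if pkt.dst == m.public:
            pkt = Packet(pkt.src, m.private, pkt.dport)
            break
    # 2. IP filter rules: they only ever see the private destination.
    action, name = apply_filters(filters, "INBOUND", pkt)
    return action, name, pkt

def process_outbound(nat, filters, pkt):
    # 1. IP filter rules: they see the private source address.
    action, name = apply_filters(filters, "OUTBOUND", pkt)
    if action != "PERMIT":
        return action, name, pkt
    # 2. NAT rules: the private source is hidden behind the public address.
    for m in nat:
        if pkt.src == m.private:
            pkt = Packet(m.public, pkt.dst, pkt.dport)
            break
    return action, name, pkt

def shadowed_rules(filters):
    """Rules that can never match because an earlier rule in the same
    direction already covers every packet they would match."""
    found = []
    for i, later in enumerate(filters):
        for earlier in filters[:i]:
            if (earlier.direction == later.direction
                    and _covers(earlier.src, later.src) and _covers(earlier.dst, later.dst)
                    and (earlier.dport is None or earlier.dport == later.dport)):
                found.append(later.name)
                break
    return found

# Constructed sample: one internal host hidden behind a public address.
NAT = [StaticNat(public="198.51.100.10", private="10.0.0.10")]
BAD_FILTERS = [
    # Written against the public address: never matches, NAT already untranslated it.
    Filter("web_public", "PERMIT", "INBOUND", "*", "198.51.100.10/32", 443),
    # Broad deny ahead of the narrow permit: the permit is unreachable.
    Filter("deny_all_out", "DENY", "OUTBOUND", "*", "*", None),
    Filter("dns_out", "PERMIT", "OUTBOUND", "10.0.0.0/8", "*", 53),
]
GOOD_FILTERS = [
    Filter("web_private", "PERMIT", "INBOUND", "*", "10.0.0.10/32", 443),
    Filter("dns_out", "PERMIT", "OUTBOUND", "10.0.0.0/8", "*", 53),
    Filter("deny_all_out", "DENY", "OUTBOUND", "*", "*", None),
]
INBOUND_HTTPS = Packet("203.0.113.7", "198.51.100.10", 443)
OUTBOUND_DNS = Packet("10.0.0.10", "192.0.2.53", 53)

if __name__ == "__main__":
    for label, rules in (("bad", BAD_FILTERS), ("good", GOOD_FILTERS)):
        print(label, "inbound :", process_inbound(NAT, rules, INBOUND_HTTPS))
        print(label, "outbound:", process_outbound(NAT, rules, OUTBOUND_DNS))
        print(label, "shadowed:", shadowed_rules(rules))
```

With BAD_FILTERS the inbound HTTPS packet is denied by the implicit default because no rule matches the untranslated destination 10.0.0.10, and shadowed_rules reports dns_out as unreachable; with GOOD_FILTERS the same packets are permitted and the outbound packet leaves with the public source address. The shadowing check is a static approximation of what reading EXPANDED.OUT top to bottom tells you: whether an earlier, broader rule swallows a later one.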
- Removing all rules is the best way to reset your system and clear out errors. On IBM i, issue the Remove TCP/IP Table (RMVTCPTBL) command. If you lock yourself out of IBM Navigator for i, you can also use this command to remove the active rules so that you can go back and repair them. Note: The Remove TCP/IP Table command also starts the virtual private network (VPN) servers, but only if the VPN servers (IKE and ConMgr) were running before.
- Allowing IP datagram forwarding in your TCP/IP configuration on the system is essential if you are using NAT. Use the Change TCP/IP Attributes (CHGTCPA) command to verify that the IP datagram forwarding is set to YES.
- Verifying default return routes ensures that the address that you map to or hide behind is correct. This address must be routable on the return route back to the system and must arrive on the correct line so that network address translation (NAT) can untranslate it. Note: If your IBM i platform has more than one network or line connected to it, be especially careful about routing inbound traffic. Inbound traffic is handled on whichever line it arrives on, which might not be the line whose NAT rules are waiting to untranslate it.
- Viewing the error and warning messages in the EXPANDED.OUT file is required to ensure that the rules are ordered as you intend. When you verify and activate a set of filters, these filters are merged with any IBM Navigator for i-generated rules. The combination produces the merged rules in a new file called EXPANDED.OUT, which is placed in the same directory that contains your rules (typically /QIBM/UserData/OS400/TCPIP/PacketRules). Warning and error messages refer to this file. To view this file from the Packet Rules Editor, complete the following steps:
  - Access the Packet Rules Editor in IBM Navigator for i.
  - From the File menu, select Open.
  - Go to the directory /QIBM/UserData/OS400/TCPIP/PacketRules/, or to the directory where you saved your packet rules if it is different from the default.
  - In the Open File window, select the EXPANDED.OUT file and click Open.
  The EXPANDED.OUT file is for your information only. You cannot edit it.