Troubleshooting packet rules

This topic provides troubleshooting advice for some common packet rules problems.

  • IBM® i communications trace capability enables you to see all datagram traffic for a specified interface. Use the Start Communications Trace (STRCMNTRC) and Print Communications Trace (PRTCMNTRC) commands to collect and print the information.
  • NAT and IP filtering rule order determines how your rules are processed. They are processed in the order which they appear in the file. If the order is not correct, the packets will not be processed as you intend. This leaves your system vulnerable to attack. Place your filter set names in the FILTER_INTERFACE statement in the same order in which the sets are physically defined in the file.

    Remember the process shown in the following table.

    Inbound traffic process Outbound traffic process
    1. NAT rules 1. IP filter rules
    2. IP filter rules 2. NAT rules
  • Removing all rules is the best way to reset your system and clear out errors. For IBM i, issue the Remove TCP/IP Table (RMVTCPTBL) command. If you lock yourself out of IBM Navigator for i, you can also use this command to go back and repair any rules.
    Note: The Remove TCP/IP Table command also starts the virtual private network (VPN) servers, only if the VPN servers (IKE and ConMgr) were running before.
  • Allowing IP datagram forwarding in your TCP/IP configuration on the system is essential if you are using NAT. Use the Change TCP/IP Attributes (CHGTCPA) command to verify that the IP datagram forwarding is set to YES.
  • Verifying default return routes ensures that the address that you map to or hide behind is correct. This address must be routable on the return route back to the system and pass through the correct line to be untranslated by network address translation (NAT).
    Note: If your IBM i platform has more than one network or line connected to it, you need to be especially careful about routing inbound traffic. Inbound traffic is handled on any line that it comes in on, which might not be the correct line waiting to untranslate it.
  • Viewing error and warning messages in the EXPANDED.OUT file is required to ensure that the rules are ordered as you intend. When you verify and activate a set of filters, these filters are merged with any IBM Navigator for i-generated rules. The combination produces the merged rules in a new file called EXPANDED.OUT, which is placed in the same directory that contains your rules (typically /QIBM/UserData/OS400/TCPIP/PacketRules). Warning and error messages refer to this file. To view this file, complete the following steps to open it from the Packet Rules Editor:
    1. Access the Packet Rules Editor in IBM Navigator for i.
    2. From the File menu, select Open.
    3. Go to the directory /QIBM/UserData/OS400/TCPIP/PacketRules/, or to the directory where you have saved your packet rules if it is different than the default.
    4. From the Open File window, select EXPANDED.OUT file. The EXPANDED.OUT file should appear.
    5. Select the EXPANDED.OUT file and click Open.

    The EXPANDED.OUT file is for your information only. You cannot edit it.