PORT Statement

Use the PORT statement to reserve one port or a range of ports for a specific user, to designate one port or a range of ports as secure, or to disable or reset TCP/IP’s automatic server restart function.

Syntax

PORT [ipv4_address | ipv6_address] {port_number | port_range | *} {TCP | UDP} {user_id | INTCLIEN | RESERVED | *} [NOAUTOLOG] [NOSECURE | SECURE label [CLIENTCERTCHECK {PREFERRED | NONE | REQUIRED}]]

Operands

ipv4_address
The home IPv4 address associated with the port to be reserved. If this operand is omitted, the port is reserved for the specified userid regardless of the home address associated with a connection. Otherwise, the port is reserved for the userid only for connections associated with the specified home IPv4 address. When a userid (such as SMTP or FTPSERVE) attempts to bind to the IPv4 INADDR_ANY address, the bind is intercepted by the TCP/IP stack and converted to a bind to the IPv4 address that was specified on the PORT statement for that userid. Subsequent bind processing occurs as though the userid had originally issued the bind to the IPv4 address.
ipv6_address
The home IPv6 address associated with the port to be reserved. If this operand is omitted, the port is reserved for the specified userid regardless of the home address associated with a connection. Otherwise, the port is reserved for the userid only for connections associated with the specified home IPv6 address. When a userid attempts to bind to the IPv6 unspecified address (in6addr_any), the bind is intercepted by the TCP/IP stack and converted to a bind to the IPv6 address that was specified on the PORT statement for that userid. Subsequent bind processing occurs as though the userid had originally issued the bind to the IPv6 address.

The IPv6 address can be specified in either the preferred or compressed form.

Example:

Preferred form:
1080:0:0:0:8:800:200C:417A
Compressed form:
1080::8:800:200C:417A
port_number
The port number to be reserved.

If you specify an asterisk (*) instead of a port number, all ports to which user_id is permitted to bind are treated as secure. However, no connections can be made from user_id when this is done. If you specify an IP address, you cannot use an asterisk (*).

port_range
The range of port numbers to be reserved.

Specify two numbers separated by a single hyphen (-) and no blank spaces in the format, x-y, where x is lower than y.

TCP
UDP
The protocol that will be used on the reserved port.
user_id
INTCLIEN
*
The virtual machine that may use this port-protocol combination.

The special value INTCLIEN assigns the port to the internal Telnet server rather than to a client virtual machine.

Specifying an asterisk (*) permits port sharing by all users.

A port is shared when more than one user can be bound to the port concurrently. Port sharing requires permission, which you grant by reserving the port exclusively for either of the following:
  • A set of named users. To permit a set of named users to share a port, specify the port number more than once with a different user ID each time.
  • ALL users. To permit all users, specify an asterisk (*) instead of a user ID. An asterisk instead of a virtual machine user ID specifies explicit port sharing. The designated port(s) are left open for anyone to use.
RESERVED
No connection may be established with the specified port(s). This keyword cannot be used with a specific user ID (user_id) or with an *, which implies explicit port sharing.
NOAUTOLOG
Indicates that TCP/IP is not to restart user_id if the user stops listening to this port. Use NOAUTOLOG when the user is in the AUTOLOG list and server availability is to be under manual control. Please note that NOAUTOLOG will not prevent a restart of the client stemming from circumstances beyond the termination of the listening connection.
NOSECURE
Indicates that the port is not to be considered secure. This is the default.
SECURE
Indicates the port is secure and that any connections accepted for it will be handled according to the Secure Sockets Layer (SSL) protocol.
label
The label of the server certificate that resides in the SSL key database that is to be used in securing the subject port.
Note: The specified label can be no more than eight characters and must consist only of uppercase alphanumeric characters.
CLIENTCERTCHECK NONE
A client certificate will not be requested.
CLIENTCERTCHECK PREFERRED
A client certificate will be requested. If a client certificate is not received, the connection will proceed without it. If a client certificate is received, it will be authenticated. If the certificate is not valid, the failure will be logged in the SSL server console log and the connection will continue as a secure connection protected by the server certificate.
CLIENTCERTCHECK REQUIRED
A client certificate will be requested and authenticated. If a client certificate is not received, the connection will be terminated with a fatal TLS error. If the certificate fails authentication, the handshake will fail.

Examples

  1. The following example shows four servers that provide World-Wide Web services, but one of them, HTTPD4, is not to be monitored by TCP/IP. No other user may establish a TCP connection on port 80.
    Autolog
      HTTPD1 0
      HTTPD2 0
      HTTPD3 0
      HTTPD4 0
    EndAutolog
    
    Port
      80 TCP HTTPD1
      80 TCP HTTPD2
      80 TCP HTTPD3
      80 TCP HTTPD4 NOAUTOLOG
  2. The following example shows a group of secure ports.
    Port
       21 TCP FTPSRV15 SECURE CERT512            ; FTP SERVER
        * TCP FTPSRV15 SECURE CERT512            ; FTP SERVER
    In this example:
    • Port 21, used by the FTPSRV15 server, is secure, and CERT512 is the certificate to be used for connections to this port.
    • All ports that the FTPSRV15 server binds to will be considered secure.

Usage Notes

  • RESTRICTLOWPORTS on the ASSORTEDPARMS statement is the default. Ports 1 through 1023 are protected unless FREELOWPORTS is specified on the ASSORTEDPARMS statement. FREELOWPORTS opens all ports for access unless otherwise specified in the PORT statement.

    With RESTRICTLOWPORTS, all TCP/IP applications which listen on ports 1 through 1023 must be given permission to do so. Permission is granted in one of three ways:

    1. Use the PORT statement to reserve the port for the application (virtual machine), which is the preferred method. Note you can also reserve ports using port number ranges.
    2. Modify the OBEY statement so that the affected application virtual machine is included in the TCP/IP obey list.
    3. Add FREELOWPORTS to the ASSORTEDPARMS statement. This option removes default low port protections.
  • A user who is assigned a port is considered to be in the PERMIT list.
  • Users in the OBEY list may access any port EXCEPT those ports specified as Reserved.
  • Any user may access a port which is explicitly shared via the * operand, regardless of the RESTRICTLOWPORTS setting.
  • The PORT statement may appear more than once. If a syntax error is found in a PORT statement, the remainder of that statement is ignored. Multiple PORT statements, whether previously defined or in the same profile or OBEYFILE, add to the previous port reservations. If multiple statements refer to the same port, the last statement takes effect, provided the port is not reserved.

    Example: Given the FREELOWPORTS setting and the following PORT statement:

    PORT
      80 TCP HTTPD1
      80 UDP HTTPD1
      80 TCP HTTPD2
      80 UDP HTTPD2
      1-1023 TCP RESERVED NOAUTOLOG
      1-1023 UDP RESERVED NOAUTOLOG
      23 TCP INTCLIEN
      ...
    Ports 1-1023 are reserved, except for port 23, which is under the control of INTCLIEN.
  • To remove the reservation for a port, the PORT statement must be deleted from the configuration file and TCP/IP must be restarted.
  • The PORT statement for the internal Telnet server must specify the TCP protocol and user INTCLIEN. The port number must match the value(s) specified on the INTERNALCLIENTPARMS statement. Using the defaults, the PORT statement for the Telnet server would be
        PORT
            23 TCP INTCLIEN

    The Telnet server automatically starts if a TCP port is reserved for INTCLIEN. To disable the Telnet server, omit or comment out this PORT statement.

  • The NOAUTOLOG operand is ignored if an asterisk (*) is specified for the port number.
  • If you are using a secure FTP client, you must specify an asterisk (*) for the port number. This allows any port that the client uses for the data connection to be treated as a secure port. The FTP client must use passive mode.
  • If a user is no longer being autologged because MAXRESTART attempts to restart the user have been made, you can turn the autologging of the user back on by dynamically specifying the user's PORT statement without the NOAUTOLOG operand. For more information see MAXRESTART Statement.
  • Resetting the MAXRESTART counter for an individual user (via NETSTAT OBEY PORT nn TCP userid) does not affect the MAXRESTART counters of other users who share the same port number.
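As an added example (not from this page or IBM's own code), a small Python linter that parses a PORT statement and checks the rules stated above: the label format, * combined with an address, range order, INTCLIEN requiring TCP, NOAUTOLOG with *, and the security caveats about explicit sharing and client certificate checking. The sample statement is constructed; the checks only cover what this page describes.

```python
import re

# Constructed sample PORT statement (not from the original page), one line per rule.
SAMPLE = """PORT
  80        TCP HTTPD1
  80        TCP *                                  ; open to anyone
  21        TCP FTPSRV15 SECURE CERT512            ; FTP SERVER
  990       TCP FTPSRV15 SECURE cert-1 CLIENTCERTCHECK REQUIRED
  *         TCP FTPSRV15 NOAUTOLOG
  23        UDP INTCLIEN
  2000-1500 UDP RESERVED
"""
LABEL_RE = re.compile(r"^[A-Z0-9]{1,8}$")  # label: up to 8 uppercase alphanumerics
ADDR_RE = re.compile(r"^(\d{1,3}(\.\d{1,3}){3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:]*)$")

def parse_port_statement(text):  # one dict per reservation line; ';' starts a comment
    entries = []
    for raw in text.splitlines():
        toks = raw.split(";", 1)[0].split()
        if not toks or toks[0].upper() == "PORT":
            continue
        addr = toks.pop(0) if ADDR_RE.match(toks[0]) else None  # optional home address
        port, proto, user, *opts = toks
        entries.append({"addr": addr, "port": port, "proto": proto.upper(),
                        "user": user.upper(), "opts": opts})
    return entries

def lint(entries):  # apply the PORT rules and caveats this page states; return findings
    out = []
    for e in entries:
        where, opts = f"{e['port']} {e['proto']} {e['user']}", [o.upper() for o in e["opts"]]
        rng = re.fullmatch(r"(\d+)-(\d+)", e["port"])
        if e["addr"] and e["port"] == "*":
            out.append(f"{where}: port * cannot be used with an IP address")
        if rng and int(rng.group(1)) >= int(rng.group(2)):
            out.append(f"{where}: range must be x-y with x lower than y")
        if e["user"] == "INTCLIEN" and e["proto"] != "TCP":
            out.append(f"{where}: INTCLIEN (internal Telnet server) requires TCP")
        if e["user"] == "*":
            out.append(f"{where}: explicitly shared; any user may bind regardless of RESTRICTLOWPORTS")
        if "NOAUTOLOG" in opts and e["port"] == "*":
            out.append(f"{where}: NOAUTOLOG is ignored when the port is *")
        if "SECURE" in opts:
            label = (e["opts"] + [""])[opts.index("SECURE") + 1]  # label follows SECURE
            if not LABEL_RE.match(label):
                out.append(f"{where}: label {label!r} must be 1-8 uppercase alphanumerics")
            if "CLIENTCERTCHECK" not in opts:
                out.append(f"{where}: no CLIENTCERTCHECK; unless REQUIRED, an invalid client certificate is only logged")
    return out
```

Running lint(parse_port_statement(SAMPLE)) reports six findings, one for each deliberately flawed line in the sample; the HTTPD1 line is clean.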
