Verifying filter action

To quickly determine which filter rule applies to a specific type of traffic, use the ipsec traffic test command (ipsec -t). This command returns all of the rules in the current filter table that match the given traffic type.

For example, to test which filter rule matches an incoming FTP connection request from remote IP address 9.1.1.2 to local IP address 9.1.1.1, issue the following command. The input values represent the remote address, local address, protocol, remote port, local port, direction, and security class of the packet:

ipsec -t  9.1.1.2 9.1.1.1 tcp 0 21 in 0

CS V2R1 ipsec  Stack Name: TCPCS  Tue Feb 14 11:59:45 2012
Primary:  IP Traffic Test Function: Display            Format:   Detail
Source:   Stack Policy    Scope:    n/a                TotAvail: 5
TestData: 9.1.1.2  9.1.1.1  tcp 0 21 in 0
Defensive Mode: Inactive

FilterName:                   Rule2Admin
FilterNameExtension:          2
GroupName:                    Admin
LocalStartActionName:         n/a
VpnActionName:                Silver-TransportMode
TunnelID:                     Y4
Type:                         Dynamic
DefensiveType:                n/a
State:                        Active
Action:                       Permit
Scope:                        Local
Direction:                    Inbound
OnDemand:                     No
SecurityClass:                0
Logging:                      Deny
LogLimit:                     n/a
Protocol:                     All
ICMPType:                     n/a
ICMPTypeGranularity:          n/a
ICMPCode:                     n/a
ICMPCodeGranularity:          n/a
OSPFType:                     n/a
TCPQualifier:                 n/a
ProtocolGranularity:          n/a
SourceAddress:                9.1.1.2
SourceAddressPrefix:          n/a
SourceAddressRange:           n/a
SourceAddressGranularity:     n/a
SourcePort:                   n/a
SourcePortRange:              n/a
SourcePortGranularity:        n/a
DestAddress:                  9.1.1.1
DestAddressPrefix:            n/a
DestAddressRange:             n/a
DestAddressGranularity:       n/a
DestPort:                     n/a
DestPortRange:                n/a
DestPortGranularity:          n/a
OrigRmtConnPort:              n/a
RmtIDPayload:                 n/a
RmtUdpEncapPort:              n/a
CreateTime:                   n/a
UpdateTime:                   n/a
DiscardAction:                Silent
MIPv6Type:                    n/a
MIPv6TypeGranularity:         n/a
TypeRange:                    n/a
CodeRange:                    n/a
RemoteIdentityType:           n/a
RemoteIdentity:               n/a
FragmentsOnly:                No
FilterMatches:                1
LifetimeExpires:              n/a
AssociatedStackCount:         n/a
***********************************************************************
FilterName:                   Rule2Admin
FilterNameExtension:          2
GroupName:                    Admin
LocalStartActionName:         n/a
VpnActionName:                Silver-TransportMode
TunnelID:                     Y0
Type:                         Dynamic Anchor
DefensiveType:                n/a
State:                        Active
Action:                       Permit
Scope:                        Local
Direction:                    Inbound
OnDemand:                     No
SecurityClass:                0
Logging:                      Deny
LogLimit:                     n/a
Protocol:                     All
ICMPType:                     n/a
ICMPTypeGranularity:          n/a
ICMPCode:                     n/a
ICMPCodeGranularity:          n/a
OSPFType:                     n/a
TCPQualifier:                 n/a
ProtocolGranularity:          Rule
SourceAddress:                9.1.1.2
SourceAddressPrefix:          n/a
SourceAddressRange:           n/a
SourceAddressGranularity:     Packet
SourcePort:                   n/a
SourcePortRange:              n/a
SourcePortGranularity:        n/a
DestAddress:                  9.1.1.1
DestAddressPrefix:            n/a
DestAddressRange:             n/a
DestAddressGranularity:       Packet
DestPort:                     n/a
DestPortRange:                n/a
DestPortGranularity:          n/a
OrigRmtConnPort:              n/a
RmtIDPayload:                 n/a
RmtUdpEncapPort:              n/a
CreateTime:                   2012/02/14 10:49:48
UpdateTime:                   2012/02/14 11:07:20
DiscardAction:                Silent
MIPv6Type:                    n/a
MIPv6TypeGranularity:         n/a
TypeRange:                    n/a
CodeRange:                    n/a
RemoteIdentityType:           n/a
RemoteIdentity:               n/a
FragmentsOnly:                No
FilterMatches:                1
LifetimeExpires:              n/a
AssociatedStackCount:         n/a
***********************************************************************
FilterName:                   Rule1All-IPv4-Permit
FilterNameExtension:          6
GroupName:                    ZoneAll
LocalStartActionName:         n/a
VpnActionName:                n/a
TunnelID:                     0x00
Type:                         Generic
DefensiveType:                n/a
State:                        Active
Action:                       Permit
Scope:                        Local
Direction:                    Inbound
OnDemand:                     n/a
SecurityClass:                0
Logging:                      None
LogLimit:                     n/a
Protocol:                     TCP(6)
ICMPType:                     n/a
ICMPTypeGranularity:          n/a
ICMPCode:                     n/a
ICMPCodeGranularity:          n/a
OSPFType:                     n/a
TCPQualifier:                 Connect Outbound
ProtocolGranularity:          n/a
SourceAddress:                0.0.0.0
SourceAddressPrefix:          0
SourceAddressRange:           n/a
SourceAddressGranularity:     n/a
SourcePort:                   53
SourcePortRange:              n/a
SourcePortGranularity:        n/a
DestAddress:                  0.0.0.0
DestAddressPrefix:            0
DestAddressRange:             n/a
DestAddressGranularity:       n/a
DestPort:                     All
DestPortRange:                n/a
DestPortGranularity:          n/a
OrigRmtConnPort:              n/a
RmtIDPayload:                 n/a
RmtUdpEncapPort:              n/a
CreateTime:                   2012/02/14 10:49:48
UpdateTime:                   2012/02/14 10:49:48
DiscardAction:                Silent
MIPv6Type:                    n/a
MIPv6TypeGranularity:         n/a
TypeRange:                    n/a
CodeRange:                    n/a
RemoteIdentityType:           n/a
RemoteIdentity:               n/a
FragmentsOnly:                No
FilterMatches:                0
LifetimeExpires:              n/a
AssociatedStackCount:         n/a
***********************************************************************
FilterName:                   Rule2All-IPv4-Deny
FilterNameExtension:          2
GroupName:                    ZoneAll
LocalStartActionName:         n/a
VpnActionName:                n/a
TunnelID:                     0x00
Type:                         Generic
DefensiveType:                n/a
State:                        Active
Action:                       Deny
Scope:                        Both
Direction:                    Inbound
OnDemand:                     n/a
SecurityClass:                0
Logging:                      All
LogLimit:                     n/a
Protocol:                     All
ICMPType:                     n/a
ICMPTypeGranularity:          n/a
ICMPCode:                     n/a
ICMPCodeGranularity:          n/a
OSPFType:                     n/a
TCPQualifier:                 n/a
ProtocolGranularity:          n/a
SourceAddress:                0.0.0.0
SourceAddressPrefix:          0
SourceAddressRange:           n/a
SourceAddressGranularity:     n/a
SourcePort:                   n/a
SourcePortRange:              n/a
SourcePortGranularity:        n/a
DestAddress:                  0.0.0.0
DestAddressPrefix:            0
DestAddressRange:             n/a
DestAddressGranularity:       n/a
DestPort:                     n/a
DestPortRange:                n/a
DestPortGranularity:          n/a
OrigRmtConnPort:              n/a
RmtIDPayload:                 n/a
RmtUdpEncapPort:              n/a
CreateTime:                   2012/02/14 10:49:48
UpdateTime:                   2012/02/14 10:49:48
DiscardAction:                Silent
MIPv6Type:                    n/a
MIPv6TypeGranularity:         n/a
TypeRange:                    n/a
CodeRange:                    n/a
RemoteIdentityType:           n/a
RemoteIdentity:               n/a
FragmentsOnly:                No
FilterMatches:                40
LifetimeExpires:              n/a
AssociatedStackCount:         n/a
***********************************************************************
FilterName:                   DenyAllRule_Generated___________Inbnd
FilterNameExtension:          n/a
GroupName:                    n/a
LocalStartActionName:         n/a
VpnActionName:                n/a
TunnelID:                     0x00
Type:                         Generic
DefensiveType:                n/a
State:                        Active
Action:                       Deny
Scope:                        Both
Direction:                    Inbound
OnDemand:                     n/a
SecurityClass:                0
Logging:                      None
LogLimit:                     n/a
Protocol:                     All
ICMPType:                     n/a
ICMPTypeGranularity:          n/a
ICMPCode:                     n/a
ICMPCodeGranularity:          n/a
OSPFType:                     n/a
TCPQualifier:                 n/a
ProtocolGranularity:          n/a
SourceAddress:                0.0.0.0
SourceAddressPrefix:          0
SourceAddressRange:           n/a
SourceAddressGranularity:     n/a
SourcePort:                   n/a
SourcePortRange:              n/a
SourcePortGranularity:        n/a
DestAddress:                  0.0.0.0
DestAddressPrefix:            0
DestAddressRange:             n/a
DestAddressGranularity:       n/a
DestPort:                     n/a
DestPortRange:                n/a
DestPortGranularity:          n/a
OrigRmtConnPort:              n/a
RmtIDPayload:                 n/a
RmtUdpEncapPort:              n/a
CreateTime:                   2012/02/14 10:36:09
UpdateTime:                   2012/02/14 10:49:48
DiscardAction:                Silent
MIPv6Type:                    n/a
MIPv6TypeGranularity:         n/a
TypeRange:                    n/a
CodeRange:                    n/a
RemoteIdentityType:           n/a
RemoteIdentity:               n/a
FragmentsOnly:                No
FilterMatches:                0
LifetimeExpires:              n/a
AssociatedStackCount:         n/a
***********************************************************************

5 entries selected

An incoming FTP connection request matches all of the rules shown in the example. The first rule that is returned does not always match a specific packet, depending on how much detail you provide as the input to the ipsec -t command. However, the Rule2Admin rule is the best match in this case, so the search for a matching filter ends there. The matching rule in this case is an IPSec rule, as indicated by its type, Dynamic Anchor. Therefore, IPSec processing is applied to this packet.
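When many traffic tuples have to be verified, reading the detail output by hand does not scale. The following script is an added example (not IBM's code) that parses the entry layout shown above, reports the first rule returned, whether it is an IPSec rule, and which Deny rules sit behind it for this traffic; the sample text it embeds is a constructed, trimmed copy of the output, and the script assumes the test input was fully specified so that the first entry is the effective rule.

```python
"""Parse `ipsec -t` detail output and report which rule decides the traffic.
Added example, not IBM's code; it assumes the layout shown above: `Key: Value`
lines per rule, rules separated by asterisk lines, "N entries selected" last."""
import re
FIELD = re.compile(r"^([A-Za-z0-9]+):\s+(.*?)\s*$")

# Constructed sample output, trimmed to the fields this script reads.
SAMPLE = """\
TestData: 9.1.1.2  9.1.1.1  tcp 0 21 in 0
FilterName:                   Rule2Admin
VpnActionName:                Silver-TransportMode
Type:                         Dynamic Anchor
Action:                       Permit
***********************************************************************
FilterName:                   Rule2All-IPv4-Deny
VpnActionName:                n/a
Type:                         Generic
Action:                       Deny
***********************************************************************
2 entries selected
"""

def parse_entries(text):
    """Return one {field: value} dict per rule; header lines are skipped."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("****"):      # separator closes the current rule
            current = None
            continue
        m = FIELD.match(line)
        if m and m.group(1) == "FilterName":
            current = {}                 # a new rule starts here
            entries.append(current)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return entries

def decision(text):
    """Summarize the first rule (the one the stack applies when the test input
    is fully specified); Dynamic types mean IPSec processing is applied."""
    rules = parse_entries(text)
    if not rules:
        return None
    first = rules[0]
    uses_ipsec = first.get("Type", "").startswith("Dynamic")
    return {"rule": first["FilterName"], "action": first["Action"], "ipsec": uses_ipsec,
            "vpn_action": first.get("VpnActionName") if uses_ipsec else None,
            # Deny rules listed after the permit never fire for this traffic
            "shadowed_denies": [r["FilterName"] for r in rules[1:]
                                if r.get("Action") == "Deny"]}
```

Feed it the real command output (for example, `decision(open("ipsec_t.txt").read())`) to get the same summary for a captured run.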

Tip: When using the ipsec -t command, provide as much detailed input as possible. The more detailed the input to the command, the narrower the results of the search will be.

For detailed information about the use of the ipsec command, see z/OS Communications Server: IP System Administrator's Commands.