IP filtering
The NSS server communicates with NSS clients using the TCP protocol. The NSS server binds to all stacks using either INADDR_ANY or in6addr_any as the IP address. IP filter rules must be defined for any IP security stacks that contain an interface to which the NSS client will connect (for details about configuring the IKE daemon as an NSS client, see IP security). Remote IPSec clients use an ephemeral port when connecting to the NSS server. Ephemeral ports are generally in the range 1024–65535.
Two types of IP filter policy can be defined for a z/OS® stack:
- You can define a default IP filter policy in the TCP/IP profile. Updating default IP filter policy to permit communications between the NSS server and NSS clients is optional. Default IP filter policy is in effect only when IP security filter policy cannot be loaded or when the ipsec -f default command has been issued.
For details about defining default IP filter policy in the TCP/IP profile, see z/OS Communications Server: IP Configuration Reference.
The following default policy contains IPSECRule definitions that allow IPv4 and IPv6 NSS server traffic with NSS clients:
IPSEC LOGENable
;      Rule       SrcAddr DstAddr Logging Protocol   SrcPort      DestPort    Routing Secclass
; OSPF protocol used by Omproute
       IPSECRule  *       *       NOLOG   PROTO OSPF
; IGMP protocol used by Omproute
       IPSECRule  *       *       NOLOG   PROTO 2
; DNS queries to UDP port 53
       IPSECRule  *       *       NOLOG   PROTO UDP  SRCPort *    DESTport 53
; Administrative access
       IPSECRule  *       9.1.1.2 LOG                                                 SECCLASS 100
; Network security services (NSS) server access to the NSS client (IPv4)
       IPSECRule  *       *       LOG     PROTO TCP  SRCPort 4159 DESTport *
; Network security services (NSS) server access to the NSS client (IPv6)
       IPSEC6Rule *       *       LOG     PROTO TCP  SRCPort 4159 DESTport *
ENDIPSEC
Rule: The SRCport value in the filter rules must include the value specified on the port parameter of the NssConfig statement in the NSS server configuration file.
- You can define an IP security filter policy in Policy Agent configuration files. IP security filter policy must be updated to permit communications between the NSS server and NSS clients.
For details about defining IP security policy files, see the Policy Agent and policy applications topic in z/OS Communications Server: IP Configuration Reference.
An example of an IpFilterRule statement for IPv4, an IpFilterRule statement for IPv6, and an IpGenericFilterAction statement that allows NSS clients to communicate with the NSS server is as follows:
IpFilterRule NssTrafficIPv4
{
  IpSourceAddr all4
  IpDestAddrSet all4
  IpService
  {
    SourcePortRange 4159
    DestinationPortRange 1024 65535
    Protocol tcp
    Direction bidirectional InboundConnect
    Routing local
  }
  IpGenericFilterActionRef permit-nolog
}
IpFilterRule NssTrafficIPv6
{
  IpSourceAddr all6
  IpDestAddrSet all6
  IpService
  {
    SourcePortRange 4159
    DestinationPortRange 1024 65535
    Protocol tcp
    Direction bidirectional InboundConnect
    Routing local
  }
  IpGenericFilterActionRef permit-nolog
}
IpGenericFilterAction permit-nolog
{
  IpFilterAction permit
  IpFilterLogging no
}
Rule: The DestinationPortRange value on the IpService statements must include the value specified on the port parameter of the NssConfig statement in the NSS server configuration file.
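The following Python script is an added illustration and is not IBM's code or part of z/OS Communications Server. It parses the IpFilterRule and IpGenericFilterAction statements shown above (the IPv4 rule is embedded as constructed input, copied from the example) and evaluates which NSS client connections the rule permits, plus a consistency check that the NssConfig port is covered by the rule's SourcePortRange. It assumes, as a modelling simplification, that for Direction bidirectional the SourcePortRange is the local (NSS server) port and the DestinationPortRange is the remote (client) port, that InboundConnect restricts the rule to connections initiated by the remote peer, that rules are evaluated first-match, and that traffic matching no rule is denied; the parser handles only the subset of Policy Agent syntax used on this page.

```python
"""Added example (not IBM's code): parse the Policy Agent IpFilterRule text from
this page and check which NSS client connections it permits."""
from dataclasses import dataclass

# Constructed input: the IPv4 rule and action exactly as shown on the page.
POLICY_TEXT = """
IpFilterRule NssTrafficIPv4
{
  IpSourceAddr all4
  IpDestAddrSet all4
  IpService
  {
    SourcePortRange 4159
    DestinationPortRange 1024 65535
    Protocol tcp
    Direction bidirectional InboundConnect
    Routing local
  }
  IpGenericFilterActionRef permit-nolog
}
IpGenericFilterAction permit-nolog
{
  IpFilterAction permit
  IpFilterLogging no
}
"""


@dataclass
class IpService:
    src_ports: tuple      # (low, high) - assumed to be the local port range
    dst_ports: tuple      # (low, high) - assumed to be the remote port range
    protocol: str
    connect: str          # "inboundconnect", "outboundconnect" or ""


@dataclass
class FilterRule:
    name: str
    service: IpService
    action: str           # "permit" or "deny"


def parse_blocks(text):
    """Turn the brace-structured syntax into (keyword, args, children) nodes.
    Simplified parser: one statement per line, '{' and '}' on their own lines."""
    root, stack, last = [], [], None
    stack.append(root)
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line == "{":
            stack.append(last[2])      # descend into the block of the last statement
        elif line == "}":
            stack.pop()
        else:
            parts = line.split()
            last = (parts[0], parts[1:], [])
            stack[-1].append(last)
    return root


def _port_range(args):
    low = int(args[0])
    high = int(args[1]) if len(args) > 1 else low
    return (low, high)


def load_rules(text):
    """Build FilterRule objects, resolving IpGenericFilterActionRef names."""
    nodes = parse_blocks(text)
    actions = {}
    for kw, args, kids in nodes:
        if kw == "IpGenericFilterAction":
            actions[args[0]] = {k: v[0] for k, v, _ in kids}["IpFilterAction"].lower()
    rules = []
    for kw, args, kids in nodes:
        if kw != "IpFilterRule":
            continue
        fields = {k: (v, c) for k, v, c in kids}
        svc = {k: v for k, v, _ in fields["IpService"][1]}
        direction = [t.lower() for t in svc["Direction"]]
        service = IpService(
            src_ports=_port_range(svc["SourcePortRange"]),
            dst_ports=_port_range(svc["DestinationPortRange"]),
            protocol=svc["Protocol"][0].lower(),
            connect=direction[1] if len(direction) > 1 else "",
        )
        rules.append(FilterRule(args[0], service, actions[fields["IpGenericFilterActionRef"][0][0]]))
    return rules


def match(rules, protocol, local_port, remote_port, remote_initiated):
    """First-match evaluation of a connection; no match means implicit deny (assumed)."""
    for rule in rules:
        s = rule.service
        if s.protocol != protocol.lower():
            continue
        if not (s.src_ports[0] <= local_port <= s.src_ports[1]):
            continue
        if not (s.dst_ports[0] <= remote_port <= s.dst_ports[1]):
            continue
        if s.connect == "inboundconnect" and not remote_initiated:
            continue
        return rule.action
    return "deny"


def nss_port_covered(rules, nss_port):
    """True if the NssConfig port lies inside the SourcePortRange of some rule."""
    return any(r.service.src_ports[0] <= nss_port <= r.service.src_ports[1] for r in rules)


if __name__ == "__main__":
    rules = load_rules(POLICY_TEXT)
    print(match(rules, "tcp", 4159, 40000, True))   # client on an ephemeral port: permit
    print(match(rules, "tcp", 4159, 1023, True))    # client port below 1024: deny
    print(nss_port_covered(rules, 4159))            # True
```

Running the script shows the narrowness of the rule: only TCP, only the server port 4159 locally, only client ports in the ephemeral range, and only connections the client initiates are permitted; an NSS server reconfigured to another port (NssConfig port) silently falls outside the rule until the filter policy is updated, which is exactly the mismatch the rule above warns about.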