Question & Answer
Question
What is IP filtering?
Answer
IP filters are rules defined to either discard or permit packets. In other words, the set of properties that identify a packet, together with the action to be performed on it, is known as an IP filter rule. The rule can be used to filter out unwanted packets from the network stream, while allowing others.
IP filtering matches a filter rule to data traffic based on any combination of IP source or destination address (or masked address), protocol, source or destination port, direction of flow, or time.
IPSec services include IP filtering. The Internet Key Exchange (IKE) daemon works with the TCP/IP stack to provide IPSec support for IP filtering.
An IP filter table is an ordered list of all IP filter rules. When IP filtering is active on a host, the table is consulted for each IP packet that is sent or received. The action of the matching IP filter rule is enforced by the TCP/IP stack.
IP filter rules are configured using the IpFilterRule statement in an IP security policy configuration file.
Normally the rules would deny anything not explicitly permitted, a configuration known as a default-deny policy, in which rules are added as necessary to allow only crucial network traffic. In a default-deny environment, the absence of any IP filter rules essentially isolates the system from the network.
Rule: A z/OS Communications Server TCP/IP stack that is configured for IP security follows a default-deny policy by default, in the absence of any configured filter rules.
When a packet matches one of the rules in the IP filter table, the policy determines what action is taken for that packet. IP filter actions are configured using the IpGenericFilterAction statement in an IP security policy configuration file.
On a z/OS stack that has IPCONFIG IPSECURITY configured (and perhaps also has IPCONFIG6 IPSECURITY configured) and an active IP security policy, there are three possible actions:
Deny the packet.
Permit the packet.
Permit the packet with IPSec protection.
IP packets match IP filters based on a number of selection criteria. There are five primary pieces of information that are gathered from the IP packet, commonly referred to as a 5-tuple:
Source address: An IP packet can be filtered based on the source address located in the IP header of the packet.
Destination address: An IP packet can be filtered based on the destination address located in the IP header of the packet. For IPv6 packets that contain a type 0 or type 2 routing header, the stack performs IP filtering using the final destination address of the packet based on the routing header contents, not on the destination address in the IP header.
Protocol: An IP packet can be filtered based on the protocol in the IP header of the packet.
Source port: If the protocol in an IP packet is TCP or UDP, the packet can be filtered based on the source port in the TCP/UDP header of the data portion of the packet.
Destination port: If the protocol in an IP packet is TCP or UDP, the packet can be filtered based on the destination port in the TCP/UDP header of the data portion of the packet.
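The matching semantics described above (an ordered filter table, first match wins, 5-tuple selectors with masked addresses, port selectors that apply only to TCP/UDP, and default-deny when nothing matches) as a small Python model. This is an added example, not IBM's code and not the z/OS policy syntax; the rule field names, the sample table and its addresses are constructed, and direction and time selectors are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# The three actions listed above for a z/OS stack with IPSECURITY configured.
DENY, PERMIT, PERMIT_IPSEC = "deny", "permit", "permit-with-ipsec"


@dataclass
class FilterRule:
    """One filter rule; None means 'any', addresses are CIDR (masked) strings."""
    src: Optional[str] = None
    dst: Optional[str] = None
    protocol: Optional[str] = None  # "tcp", "udp", "icmp", ... or None for any
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    action: str = DENY

    def matches(self, pkt: dict) -> bool:
        if self.src and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.protocol and pkt["protocol"] != self.protocol:
            return False
        # Ports live in the TCP/UDP header, so a port selector never matches other protocols.
        for field in ("src_port", "dst_port"):
            want = getattr(self, field)
            if want is not None and (
                pkt["protocol"] not in ("tcp", "udp") or pkt.get(field) != want
            ):
                return False
        return True


def filter_packet(table: list, pkt: dict) -> str:
    """First matching rule in the ordered table decides; no match is deny."""
    for rule in table:
        if rule.matches(pkt):
            return rule.action
    return DENY  # default-deny, including for an empty table


# Constructed sample table: SSH only with IPSec, HTTPS from the internal /16 only, ICMP from anywhere.
TABLE = [
    FilterRule(dst="10.1.1.5/32", protocol="tcp", dst_port=22, action=PERMIT_IPSEC),
    FilterRule(src="10.1.0.0/16", dst="10.1.1.5/32", protocol="tcp", dst_port=443, action=PERMIT),
    FilterRule(protocol="icmp", action=PERMIT),
]
```

Rule order matters: placing the ICMP rule first would not change these outcomes, but placing a broad permit ahead of a narrower deny would, so narrow rules belong before broad ones.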
Product Synonym
ZOSCS COMMSERVER
Document Information
Modified date:
20 October 2017
UID
dwa1408248