Transmission Control Protocol/Internet Protocol
The concept behind packet filtering is to examine each packet for an approved source and destination (that is, application). Packet filtering can be done in routers, but there are known ways to bypass packet filtering in routers by using fragmentation. The most secure implementation is to implement distributed packet filtering in both routers and hosts.
TCP/IP packet filtering firewall support allows you to define rules to filter inbound packets destined for TPF applications. The packets are filtered based on the source Internet Protocol (IP) address of the packet, the destination port of the packet, the protocol of the packet, and the action to take if the packet fits the rule.
The packet filtering rules are defined in a file called /etc/iprules.txt. To set up or modify the packet filtering rules, do the following:
You can display the packet filtering rules that are defined in the TPF system by entering ZFILT DISPLAY. The display shows what rules are defined, as well as the number of packets that have applied to that rule. See TPF Operations for information about the ZFILE and ZFILT commands.
Each line of the /etc/iprules.txt file can have a maximum of 300 characters and has the following syntax:
Notes:
If you do not specify the FROM parameter, the rule applies to all IP addresses.
The last line of the /etc/iprules.txt file can be the default rule for the TPF system. The default rule is applied if no other rules apply to the packet. The default rule has the following syntax:
If you do not code a default rule, the default action is set to ALLOW.
You can define a maximum of 120 rules in the /etc/iprules.txt file. Code the rules that are most likely to be used at the start of the file. Keep the following in mind as you define the packet filtering rules for your TPF system:
The order of the rules in the /etc/iprules.txt file is very important. Consider the following example:
ACTION-ALLOW PORT-1414
ACTION-REJECT FROM-9.117.249.0/24
In this example, all packets from network 9.117.249.0 will be rejected except those whose destination is port 1414. If the rules are reversed, all packets from network 9.117.249.0 will be rejected, including those whose destination is port 1414.
To reduce packet filtering overhead, most TCP messages bypass packet filtering. Input messages received for existing TCP connections bypass packet filtering because the remote user has already been approved by packet filtering code when the connection was established. If a TCP input message other than a new connection request (that is, if it is not a SYN message) is received and the connection does not exist, packet filtering rules will be examined to determine if the packet should be rejected or discarded.
For non-TCP traffic, the more rules that you define, the more overhead there will be for packet filtering processing. The packet filtering rules are scanned for every UDP or RAW input packet.
The following are various examples of packet filtering rules.
ACTION-REJECT FROM-9.117.249.0/24 PORT-21
ACTION-ALLOW FROM-9.117.249.23/32 PORT-5600 PROTO-UDP
ACTION-DENY FROM-9.121.0.0/16
ACTION-ALLOW FROM-9.117.249.0/24 PROTO-ICMP ICMPTYPE-8
ACTION-DENY PROTO-ICMP ICMPTYPE-8
ACTION-ALLOW PORT-1414
ACTION-ALLOW FROM-9.117.249.0/24
ACTION-DENY PROTOCOL-ICMP ICMPTYPE-8
DEFAULT-REJECT
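The first-match behaviour behind the ordering example and the rule examples above, as an added illustration that is not TPF code: a small evaluator for rules written in the ACTION-/FROM-/PORT-/PROTO-/ICMPTYPE-/DEFAULT- form this page shows. The keyword set and the exact matching semantics of the real /etc/iprules.txt processing are assumptions; the packet dictionaries are constructed sample input.

```python
import ipaddress

# Added illustration, not TPF code: a first-match evaluator for rules written in the
# ACTION-/FROM-/PORT-/PROTO-/ICMPTYPE-/DEFAULT- form shown on this page. The keyword
# set and matching semantics of the real /etc/iprules.txt processing are assumed.

def parse_rules(text):
    """Parse one rule per line; a DEFAULT-xxx line sets the action when nothing matches."""
    rules, default = [], "ALLOW"   # page: default action is ALLOW if no default rule is coded
    for line in filter(None, map(str.strip, text.splitlines())):
        fields = dict(tok.upper().partition("-")[::2] for tok in line.split())
        if "DEFAULT" in fields:
            default = fields["DEFAULT"]
            continue
        rules.append({
            "action": fields["ACTION"],
            "net": ipaddress.ip_network(fields["FROM"], strict=False) if "FROM" in fields else None,
            "port": int(fields["PORT"]) if "PORT" in fields else None,
            "proto": fields.get("PROTO") or fields.get("PROTOCOL"),  # page spells it both ways
            "icmptype": int(fields["ICMPTYPE"]) if "ICMPTYPE" in fields else None,
        })
    return rules, default

def _matches(rule, pkt):
    """A field the rule leaves unspecified matches any packet."""
    return ((rule["net"] is None or ipaddress.ip_address(pkt["src"]) in rule["net"])
            and (rule["port"] is None or pkt.get("dport") == rule["port"])
            and (rule["proto"] is None or pkt["proto"] == rule["proto"])
            and (rule["icmptype"] is None or pkt.get("icmptype") == rule["icmptype"]))

def filter_packet(rules, default, pkt):
    """Return the action of the first rule that matches, else the default action."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule["action"]
    return default

# Constructed sample: the ordering example from the text, in both orders.
ORDERED = "ACTION-ALLOW PORT-1414\nACTION-REJECT FROM-9.117.249.0/24\n"
REVERSED = "ACTION-REJECT FROM-9.117.249.0/24\nACTION-ALLOW PORT-1414\n"
PKT = {"src": "9.117.249.52", "dport": 1414, "proto": "TCP"}

if __name__ == "__main__":
    print(filter_packet(*parse_rules(ORDERED), PKT))   # ALLOW
    print(filter_packet(*parse_rules(REVERSED), PKT))  # REJECT
```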
You can use the IP trace facility to identify packets that violate the packet filtering rules. If an exception condition is associated with a packet, a reason code is added to the entry in the IP trace table. You can use the IP trace facility to search for packets with specific reason codes. Consider the following example.
Assume you entered ZFILT DISPLAY and received the following:
+--------------------------------------------------------------------------------+
|FILT0001I 11.05.14 DISPLAY PACKET FILTERING RULES                               |
|                                                                                |
| RULE ACTION REMOTE NETWORK     PORT  PROTO ICMPTYPE PACKETS                    |
| ---- ------ ------------------ ----- ----- -------- ----------                 |
|    1 REJECT 9.117.249.0/24                          224                        |
|    2 ALLOW                     21    TCP            5087                       |
|    3 ALLOW                           ICMP           87                         |
|    4 ALLOW                     520                  21                         |
|  DEF DENY                                           14                         |
|                                                                                |
|END OF DISPLAY+                                                                 |
+--------------------------------------------------------------------------------+
This display indicates that a number of packets from network 9.117.249.0 have been passed to the TPF system and rejected. You can use the offline IP trace facility to determine the IP addresses of the remote nodes that violated this rule and the TPF applications that the nodes were attempting to reach.
To find all the packets that have been rejected by the firewall, code an RC value of 01 on the PARM parameter of the IPTPRT JCL. For example:
PARM="RC 01"
The statement specifies that all packets with a reason code of REJECTED BY FIREWALL will be included in the IPTPRT report.
Figure 21 shows an example of the resulting IPTPRT report:
Figure 21. IPTPRT Report Example
************************************************************************
          TRANSACTION PROCESSING FACILITY TCP/IP TRACE OUTPUT
************************************************************************
RECORDS MATCHING THE FOLLOWING SELECTION CRITERIA WILL BE PRINTED:
  PROTOCOLS: . . . . . . . . ALL
  SOURCE PORTS: . . . . . .  ALL
  DESTINATION PORTS: . . . . ALL
  SOURCE IP ADDRESSES: . . . ALL
  DESTINATION IP ADDRESSES:  ALL
  REASON CODES: . . . . . .  01
  IP CCW: . . . . . . . . .  ALL
  DATE: . . . . . . . . . .  FROM JAN01 TO DEC31
  TIME: . . . . . . . . . .  FROM 00:00:00 TO 23:59:59
  TOD (FIRST WORD): . . . .  FROM 00000000 TO FFFFFFFF
  TCP FLAGS: . . . . . . . . ALL
WIDE LAYOUT IP FORMATTED TRACE

RWI-02 IPCCW-D1 SOURCE IP-9.117.249.52 DEST IP-9.117.241.12 LEN-48 TOD-B6FA5951E20BF04E
  PROTOCOL-06 (TCP) SOURCE PORT-1029 DEST PORT-1414 SEQ-2491461275 WINDOW-65535 URGENT OFFSET-0
  TCP FLAG BYTE-02 (SYN)
  REASON CODE - REJECTED BY FIREWALL
  IP HEADER  45000030 A70E0000 3906DD8E 0975F934 0975F10C
  TCP HEADER 04050586 9480AE9B 00000000 7002FFFF 30FD0000 02040F00 01030304

RWI-01 IPCCW-D1 SOURCE IP-9.117.241.12 DEST IP-9.117.249.52 LEN-40 TOD-B6FA5951E6AC964F
  PROTOCOL-06 (TCP) SOURCE PORT-1414 DEST PORT-1029 SEQ-0 ACK-2802712577 WINDOW-0 URGENT OFFSET-0
  TCP FLAG BYTE-14 (ACK, RST)
  REASON CODE - REJECTED BY FIREWALL
  IP HEADER  45000028 4B780000 3C06362D 0975F10C 0975F934
  TCP HEADER 05860405 00000000 A70E0001 50140000 020B0000

RWI-02 IPCCW-D1 SOURCE IP-9.117.249.52 DEST IP-9.117.241.12 LEN-48 TOD-B6FA595AC1082B43
  PROTOCOL-06 (TCP) SOURCE PORT-1030 DEST PORT-1414 SEQ-2511008644 WINDOW-65535 URGENT OFFSET-0
  TCP FLAG BYTE-02 (SYN)
  REASON CODE - REJECTED BY FIREWALL
  IP HEADER  45000030 A70F0000 3906DD8D 0975F934 0975F10C
  TCP HEADER 04060586 95AAF384 00000000 7002FFFF EAE80000 02040F00 01030304

RWI-01 IPCCW-D1 SOURCE IP-9.117.241.12 DEST IP-9.117.249.52 LEN-40 TOD-B6FA595AC489E66C
  PROTOCOL-06 (TCP) SOURCE PORT-1414 DEST PORT-1030 SEQ-0 ACK-2802778113 WINDOW-0 URGENT OFFSET-0
  TCP FLAG BYTE-14 (ACK, RST)
  REASON CODE - REJECTED BY FIREWALL
  IP HEADER  45000028 4B7A0000 3C06362B 0975F10C 0975F934
  TCP HEADER 05860406 00000000 A70F0001 50140000 02090000
  :
  :
This report shows that the intruding IP address is 9.117.249.52, and that it is destined for the TPF server application with port 1414. With this information, you can take any appropriate action to resolve the problem.
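Reading the remote address and target port off a report like Figure 21 by hand scales poorly when many records match, so here is an added illustration (not part of IPTPRT or TPF) that reduces an RC 01 wide-layout report to the (remote IP, TPF port) pairs behind the rejected connection attempts. The line layout is assumed from the figure on this page, and the sample report is constructed from three of its records; the ACK,RST records sent back from the TPF address carry the same reason code in the figure, so they are skipped to avoid counting each attempt twice.

```python
import re
from collections import Counter

# Added illustration, not part of IPTPRT: summarise rejected inbound connection
# attempts from a wide-layout IPTPRT report selected with RC 01. The record
# layout is assumed from Figure 21; a real report may wrap fields differently.

RECORD_START = re.compile(r"^RWI-\d+ ", re.M)
SRC_IP = re.compile(r"SOURCE IP-(\d+\.\d+\.\d+\.\d+)")
DST_PORT = re.compile(r"DEST PORT-(\d+)")
FLAGS = re.compile(r"TCP FLAG BYTE-[0-9A-F]+ \(([^)]*)\)")
REASON = re.compile(r"REASON CODE - (.+)")

def split_records(report):
    """Yield each trace record (from one RWI- line up to the next) as a string."""
    starts = [m.start() for m in RECORD_START.finditer(report)]
    for i, s in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(report)
        yield report[s:end]

def rejected_attempts(report):
    """Count (remote IP, TPF port) pairs for rejected SYNs. The ACK,RST records
    TPF sends back carry the same reason code and are skipped (no double count)."""
    hits = Counter()
    for rec in split_records(report):
        reason = REASON.search(rec)
        flags = FLAGS.search(rec)
        if not reason or "REJECTED BY FIREWALL" not in reason.group(1):
            continue
        if not flags or "SYN" not in flags.group(1) or "RST" in flags.group(1):
            continue
        hits[(SRC_IP.search(rec).group(1), int(DST_PORT.search(rec).group(1)))] += 1
    return hits

# Constructed sample: three records from Figure 21, trimmed to the fields used here.
SAMPLE = """\
RWI-02 IPCCW-D1 SOURCE IP-9.117.249.52 DEST IP-9.117.241.12 LEN-48
  PROTOCOL-06 (TCP) SOURCE PORT-1029 DEST PORT-1414 SEQ-2491461275
  TCP FLAG BYTE-02 (SYN)
  REASON CODE - REJECTED BY FIREWALL
RWI-01 IPCCW-D1 SOURCE IP-9.117.241.12 DEST IP-9.117.249.52 LEN-40
  PROTOCOL-06 (TCP) SOURCE PORT-1414 DEST PORT-1029 SEQ-0
  TCP FLAG BYTE-14 (ACK, RST)
  REASON CODE - REJECTED BY FIREWALL
RWI-02 IPCCW-D1 SOURCE IP-9.117.249.52 DEST IP-9.117.241.12 LEN-48
  PROTOCOL-06 (TCP) SOURCE PORT-1030 DEST PORT-1414 SEQ-2511008644
  TCP FLAG BYTE-02 (SYN)
  REASON CODE - REJECTED BY FIREWALL
"""
```

rejected_attempts(SAMPLE) returns Counter({('9.117.249.52', 1414): 2}): one remote host and two SYNs aimed at port 1414, which is what the text reads off the figure.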
See Appendix F, Using the Internet Protocol Trace Facility for more information about the IP trace facility and for a complete description of the reason code values that you can specify.