Transmission Control Protocol/Internet Protocol

Packet Filtering

The concept behind packet filtering is to examine each packet for an approved source and destination (that is, application). Packet filtering can be done in routers, but there are known ways to bypass packet filtering in routers by using fragmentation. The most secure implementation is to implement distributed packet filtering in both routers and hosts.

TCP/IP packet filtering firewall support allows you to define rules to filter inbound packets destined for TPF applications. The packets are filtered based on the source Internet Protocol (IP) address of the packet, the destination port of the packet, the protocol of the packet, and the action to take if the packet fits the rule.

The packet filtering rules are defined in a file called /etc/iprules.txt. To set up or modify the packet filtering rules, do the following:

  1. Create or modify the /etc/iprules.txt file by doing one of the following:
    • Use the ZFILE commands to create or update the file directly on your TPF system.
    • Create or modify the file on another system and use Trivial File Transfer Protocol (TFTP) or File Transfer Protocol (FTP) to transfer the file to the basic subsystem (BSS) of your TPF system.
  2. From the BSS, enter ZFILT REFRESH to refresh the file and copy it to core storage. The rules take effect immediately after you enter this command.
    Note:
    Information from the packet filtering rules file is also read into core storage during system restart.

You can display the packet filtering rules that are defined in the TPF system by entering ZFILT DISPLAY. The display shows the rules that are defined and, for each rule, the number of packets to which it has been applied. See TPF Operations for information about the ZFILE and ZFILT commands.

Packet Filtering Rules File Syntax

Each line of the /etc/iprules.txt file can have a maximum of 300 characters and has the following syntax:


Notes:

  1. You must specify at least one additional parameter (FROM, PROTO, or PORT) with the ACTION parameter.

ACTION
specifies the action to take if the packet matches the rule. Specify one of the following:

ALLOW
allows the packet to be processed by the TPF system.

DENY
discards the packet and takes no further action.

REJECT
discards the packet and responds to the remote client with a negative response. For TCP packets, the TPF system sends a reset (RST) message. For UDP or RAW packets, the TPF system sends an ICMP destination unreachable message.
Note:
Certain ICMP messages defined by the ICMP architecture are not allowed to be rejected. The TPF system discards these messages.

FROM-ipaddr/mask
specifies the IP network for the source of the packet, where:

ipaddr
is an IP address of the remote network in dotted decimal format.

mask
is a number, from 1 to 32, that gives the number of leading bits of ipaddr that form the network portion of the address.

If you do not specify the FROM parameter, the rule applies to all IP addresses.

PROTO
specifies the protocol of the packet. Specify one of the following:

TCP
specifies the Transmission Control Protocol (TCP).

UDP
specifies the User Datagram Protocol (UDP).

ICMP
specifies the Internet Control Message Protocol (ICMP).

ALL
specifies all protocols.

PORT-portnum
specifies the destination port of the packet, which is the port of the TPF application, where portnum is a decimal port number from 1 to 65535. If you do not specify this parameter, the rule applies to all port numbers.

ICMPTYPE-type
specifies the type of ICMP message, where type is a decimal number from 1 to 255. For example, ICMPTYPE-8 is an echo request (or PING message).

#comment
is a comment associated with this entry. You can also code a comment on a separate input line. In general, blank lines and lines beginning with a # symbol are ignored.

Packet Filtering Default Rule

The last line of the /etc/iprules.txt file can be the default rule for the TPF system. The default rule is applied if no other rules apply to the packet. The default rule has the following syntax:


DEFAULT
specifies the action to take for any packets that do not match the other packet filtering rules. Specify one of the following:

ALLOW
allows the packet to be processed by the TPF system.

DENY
discards the packet and takes no further action.

REJECT
discards the packet and responds to the remote client with a negative response. For TCP packets, the TPF system sends a reset (RST) message. For UDP or RAW packets, the TPF system sends an ICMP destination unreachable message.
Note:
Certain ICMP messages defined by the ICMP architecture are not allowed to be rejected. The TPF system discards these messages.

If you do not code a default rule, the default action is set to ALLOW.

Considerations for Packet Filtering Rules

You can define a maximum of 120 rules in the /etc/iprules.txt file. Code the rules that are most likely to be used at the start of the file. Keep the following in mind as you define the packet filtering rules for your TPF system:

Order of Rules

The order of the rules in the /etc/iprules.txt file is very important. Consider the following example:

ACTION-ALLOW PORT-1414
ACTION-REJECT FROM-9.117.249.0/24

In this example, all packets from network 9.117.249.0 will be rejected except those whose destination is port 1414. If the rules are reversed, all packets from network 9.117.249.0 will be rejected, including those whose destination is port 1414.

Performance Considerations

To reduce packet filtering overhead, most TCP messages bypass packet filtering. Input messages received for existing TCP connections bypass packet filtering because the remote user has already been approved by packet filtering code when the connection was established. If a TCP input message other than a new connection request (that is, if it is not a SYN message) is received and the connection does not exist, packet filtering rules will be examined to determine if the packet should be rejected or discarded.

For non-TCP traffic, the more rules that you define, the more overhead there will be for packet filtering processing. The packet filtering rules are scanned for every UDP or RAW input packet.
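The following is an added example, not IBM TPF code: a small Python model of how the /etc/iprules.txt rules described under Packet Filtering Rules File Syntax are parsed and matched, covering the first-match ordering shown under Order of Rules and the TCP bypass described under Performance Considerations. Every parameter is taken as KEYWORD-value, as in the page's own ACTION-ALLOW PORT-1414 example; because the syntax diagram for the default rule is not reproduced on the page, the model assumes the default line is written DEFAULT-action in the same form. The rule files and packets in the block are constructed for the example.

```python
# Added example, not IBM TPF code: a model of how /etc/iprules.txt rules are parsed
# and matched, so the rule-order and TCP-bypass behaviour the page describes can be
# checked offline. Parameters are taken as KEYWORD-value, as in the page's
# "ACTION-ALLOW PORT-1414" example; DEFAULT-action is assumed to follow the same form.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

MAX_RULES, MAX_LINE_LEN = 120, 300      # page: 120 rules, 300 characters per line
ACTIONS = {"ALLOW", "DENY", "REJECT"}
PROTOS = {"TCP", "UDP", "ICMP", "ALL"}


@dataclass
class Rule:
    action: str
    network: Optional[ipaddress.IPv4Network] = None  # FROM-ipaddr/mask
    proto: str = "ALL"                                # PROTO-
    port: Optional[int] = None                        # PORT-portnum
    icmptype: Optional[int] = None                    # ICMPTYPE-type


@dataclass
class Packet:
    src: str
    proto: str
    dport: Optional[int] = None
    icmptype: Optional[int] = None
    connection_exists: bool = False  # TCP segment on an already established connection


def parse_rules(text: str):
    """Return (rules in file order, default action); raise ValueError on a bad line."""
    rules, default = [], "ALLOW"  # page: no default rule means ALLOW
    for lineno, raw in enumerate(text.splitlines(), 1):
        if len(raw) > MAX_LINE_LEN:
            raise ValueError(f"line {lineno}: longer than {MAX_LINE_LEN} characters")
        line = raw.split("#", 1)[0].strip()  # drop trailing and whole-line comments
        if not line:
            continue
        params = {}
        for token in line.upper().split():
            key, sep, value = token.partition("-")
            if not sep or key in params:
                raise ValueError(f"line {lineno}: bad or repeated parameter {token!r}")
            params[key] = value
        if "DEFAULT" in params:  # assumed DEFAULT-action form (see header comment)
            if len(params) != 1 or params["DEFAULT"] not in ACTIONS:
                raise ValueError(f"line {lineno}: bad DEFAULT rule")
            default = params["DEFAULT"]
            continue
        action = params.pop("ACTION", None)
        if action not in ACTIONS or not params:  # page, note 1: ACTION needs FROM, PROTO or PORT
            raise ValueError(f"line {lineno}: ACTION-ALLOW|DENY|REJECT plus one more parameter")
        rule = Rule(action=action)
        for key, value in params.items():
            if key == "FROM" and 1 <= int(value.partition("/")[2] or 0) <= 32:
                rule.network = ipaddress.ip_network(value, strict=False)
            elif key == "PROTO" and value in PROTOS:
                rule.proto = value
            elif key == "PORT" and 1 <= int(value) <= 65535:
                rule.port = int(value)
            elif key == "ICMPTYPE" and 1 <= int(value) <= 255:
                rule.icmptype = int(value)
            else:
                raise ValueError(f"line {lineno}: bad parameter {key}-{value}")
        rules.append(rule)
    if len(rules) > MAX_RULES:
        raise ValueError(f"more than {MAX_RULES} rules")
    return rules, default


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only when every parameter it codes agrees with the packet."""
    return ((rule.network is None or ipaddress.ip_address(pkt.src) in rule.network)
            and rule.proto in ("ALL", pkt.proto)
            and rule.port in (None, pkt.dport)
            and rule.icmptype in (None, pkt.icmptype))


def filter_packet(rules: List[Rule], default: str, pkt: Packet) -> str:
    """First matching rule wins; the default applies when no rule matches. Input on an
    existing TCP connection bypasses the scan, as the page states; any other TCP
    segment, SYN or not, is scanned like UDP or RAW input."""
    if pkt.proto == "TCP" and pkt.connection_exists:
        return "ALLOW"
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed rule files reproducing the page's "Order of Rules" example.
RULES_IN_ORDER = "ACTION-ALLOW PORT-1414\nACTION-REJECT FROM-9.117.249.0/24\n"
RULES_REVERSED = "ACTION-REJECT FROM-9.117.249.0/24\nACTION-ALLOW PORT-1414\n"


def decide(rule_text: str, src: str, dport: int, proto: str = "TCP") -> str:
    """Parse the rule file and return the action for one new (unconnected) packet."""
    rules, default = parse_rules(rule_text)
    return filter_packet(rules, default, Packet(src=src, proto=proto, dport=dport))


if __name__ == "__main__":
    print(decide(RULES_IN_ORDER, "9.117.249.52", 1414), decide(RULES_REVERSED, "9.117.249.52", 1414))
```

Running the block prints ALLOW for the rules in the page's order and REJECT for the reversed order, which is the point of the Order of Rules discussion: a broad REJECT placed first shadows the narrower ALLOW behind it. The parse_rules function also enforces the limits the page states (120 rules, 300 characters per line, at least one parameter besides ACTION), so a candidate file can be checked before ZFILT REFRESH loads it.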

Examples of Packet Filtering Rules

The following are various examples of packet filtering rules.

Problem Diagnosis

You can use the IP trace facility to identify packets that violate the packet filtering rules. If an exception condition is associated with a packet, a reason code is added to the entry in the IP trace table. You can use the IP trace facility to search for packets with specific reason codes. Consider the following example.

Assume you entered ZFILT DISPLAY and received the following:

+--------------------------------------------------------------------------------+
|FILT0001I 11.05.14 DISPLAY PACKET FILTERING RULES                               |
|                                                                                |
| RULE   ACTION     REMOTE NETWORK     PORT   PROTO  ICMPTYPE   PACKETS          |
| ----   ------   ------------------  -----   -----  -------- ----------         |
|    1   REJECT       9.117.249.0/24                                 224         |
|    2    ALLOW                          21     TCP                 5087         |
|    3    ALLOW                                ICMP                   87         |
|    4    ALLOW                         520                           21         |
|  DEF     DENY                                                       14         |
|                                                                                |
|END OF DISPLAY+                                                                 |
+--------------------------------------------------------------------------------+

This display indicates that a number of packets from network 9.117.249.0 have been passed to the TPF system and rejected. You can use the offline IP trace facility to determine the IP addresses of the remote nodes that violated this rule and the TPF applications that the nodes were attempting to reach.

To find all the packets that have been rejected by the firewall, code an RC value of 01 on the PARM parameter of the IPTPRT JCL. For example:

PARM="RC 01"

The statement specifies that all packets with a reason code of REJECTED BY FIREWALL will be included in the IPTPRT report.

Figure 21 shows an example of the resulting IPTPRT report:

Figure 21. IPTPRT Report Example


************************************************************************
            TRANSACTION  PROCESSING  FACILITY  TCP/IP  TRACE  OUTPUT
************************************************************************
RECORDS MATCHING THE FOLLOWING SELECTION CRITERIA WILL BE PRINTED:
PROTOCOLS: . . . . . . . . ALL
SOURCE PORTS:  . . . . . . ALL
DESTINATION PORTS: . . . . ALL
SOURCE IP ADDRESSES: . . . ALL
DESTINATION IP ADDRESSES:  ALL
REASON CODES:  . . . . . . 01
IP CCW:  . . . . . . . . . ALL
DATE:  . . . . . . . . . . FROM JAN01 TO DEC31
TIME:  . . . . . . . . . . FROM 00:00:00 TO 23:59:59
TOD (FIRST WORD):  . . . . FROM 00000000 TO FFFFFFFF
TCP FLAGS: . . . . . . . . ALL
WIDE LAYOUT
IP FORMATTED TRACE
RWI-02  IPCCW-D1  SOURCE IP-9.117.249.52  DEST IP-9.117.241.12  LEN-48
  TOD-B6FA5951E20BF04E  PROTOCOL-06 (TCP)  SOURCE PORT-1029  DEST PORT-1414
  SEQ-2491461275  WINDOW-65535  URGENT OFFSET-0
  TCP FLAG BYTE-02 (SYN)
  REASON CODE - REJECTED BY FIREWALL
  IP HEADER   45000030 A70E0000 3906DD8E 0975F934 0975F10C
  TCP HEADER  04050586 9480AE9B 00000000 7002FFFF 30FD0000 02040F00 01030304
RWI-01  IPCCW-D1  SOURCE IP-9.117.241.12  DEST IP-9.117.249.52  LEN-40
  TOD-B6FA5951E6AC964F  PROTOCOL-06 (TCP)  SOURCE PORT-1414  DEST PORT-1029
  SEQ-0  ACK-2802712577  WINDOW-0  URGENT OFFSET-0
  TCP FLAG BYTE-14 (ACK, RST)
  REASON CODE - REJECTED BY FIREWALL
  IP HEADER   45000028 4B780000 3C06362D 0975F10C 0975F934
  TCP HEADER  05860405 00000000 A70E0001 50140000 020B0000
RWI-02  IPCCW-D1  SOURCE IP-9.117.249.52  DEST IP-9.117.241.12  LEN-48
  TOD-B6FA595AC1082B43  PROTOCOL-06 (TCP)  SOURCE PORT-1030  DEST PORT-1414
  SEQ-2511008644  WINDOW-65535  URGENT OFFSET-0
  TCP FLAG BYTE-02 (SYN)
  REASON CODE - REJECTED BY FIREWALL
  IP HEADER   45000030 A70F0000 3906DD8D 0975F934 0975F10C
  TCP HEADER  04060586 95AAF384 00000000 7002FFFF EAE80000 02040F00 01030304
RWI-01  IPCCW-D1  SOURCE IP-9.117.241.12  DEST IP-9.117.249.52  LEN-40
  TOD-B6FA595AC489E66C  PROTOCOL-06 (TCP)  SOURCE PORT-1414  DEST PORT-1030
  SEQ-0  ACK-2802778113  WINDOW-0  URGENT OFFSET-0
  TCP FLAG BYTE-14 (ACK, RST)
  REASON CODE - REJECTED BY FIREWALL
  IP HEADER   45000028 4B7A0000 3C06362B 0975F10C 0975F934
  TCP HEADER  05860406 00000000 A70F0001 50140000 02090000

               :
               :

This report shows that the intruding IP address is 9.117.249.52, and that it is destined for the TPF server application with port 1414. With this information, you can take any appropriate action to resolve the problem.
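The following is an added example, not IBM TPF code: a Python routine that reads an IPTPRT report produced with PARM="RC 01" and tallies the REJECTED BY FIREWALL records by remote source address and TPF destination port, which is the reading of the report the paragraph above does by eye. The sample report is constructed from the record layout shown in Figure 21. The local_ip parameter is an assumption of this example: the RST replies the TPF system sends back carry the same reason code, so the count is restricted to records addressed to the TPF host.

```python
# Added example, not IBM TPF code: summarize an IPTPRT report (PARM="RC 01") by
# remote source IP and TPF destination port so the intruding node and the
# targeted application can be read off directly.
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in the record layout of Figure 21: two rejected SYNs
# and the two RST replies the TPF system sent back.
SAMPLE_REPORT = """\
IP FORMATTED TRACE
RWI-02  IPCCW-D1  SOURCE IP-9.117.249.52  DEST IP-9.117.241.12  LEN-48
  TOD-B6FA5951E20BF04E  PROTOCOL-06 (TCP)  SOURCE PORT-1029  DEST PORT-1414
  SEQ-2491461275  WINDOW-65535  URGENT OFFSET-0
  TCP FLAG BYTE-02 (SYN)
  REASON CODE - REJECTED BY FIREWALL
RWI-01  IPCCW-D1  SOURCE IP-9.117.241.12  DEST IP-9.117.249.52  LEN-40
  TOD-B6FA5951E6AC964F  PROTOCOL-06 (TCP)  SOURCE PORT-1414  DEST PORT-1029
  SEQ-0  ACK-2802712577  WINDOW-0  URGENT OFFSET-0
  TCP FLAG BYTE-14 (ACK, RST)
  REASON CODE - REJECTED BY FIREWALL
RWI-02  IPCCW-D1  SOURCE IP-9.117.249.52  DEST IP-9.117.241.12  LEN-48
  TOD-B6FA595AC1082B43  PROTOCOL-06 (TCP)  SOURCE PORT-1030  DEST PORT-1414
  SEQ-2511008644  WINDOW-65535  URGENT OFFSET-0
  TCP FLAG BYTE-02 (SYN)
  REASON CODE - REJECTED BY FIREWALL
RWI-01  IPCCW-D1  SOURCE IP-9.117.241.12  DEST IP-9.117.249.52  LEN-40
  TOD-B6FA595AC489E66C  PROTOCOL-06 (TCP)  SOURCE PORT-1414  DEST PORT-1030
  SEQ-0  ACK-2802778113  WINDOW-0  URGENT OFFSET-0
  TCP FLAG BYTE-14 (ACK, RST)
  REASON CODE - REJECTED BY FIREWALL
"""

# A record starts with an RWI line; its detail lines are indented beneath it.
HEADER_RE = re.compile(r"^RWI-\S+\s+IPCCW-\S+\s+SOURCE IP-(\S+)\s+DEST IP-(\S+)")
PORTS_RE = re.compile(r"PROTOCOL-(\d+) \((\w+)\)\s+SOURCE PORT-(\d+)\s+DEST PORT-(\d+)")
FLAGS_RE = re.compile(r"TCP FLAG BYTE-\w+ \(([^)]*)\)")
REASON_RE = re.compile(r"REASON CODE - (.+?)\s*$")


def parse_report(text: str) -> List[Dict]:
    """Split the trace into one dict per RWI record, skipping the selection
    criteria preamble that precedes the first record."""
    records: List[Dict] = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append({"src": m.group(1), "dst": m.group(2), "flags": ""})
            continue
        if not records:
            continue
        rec = records[-1]
        if m := PORTS_RE.search(line):
            rec["proto"] = m.group(2)
            rec["sport"], rec["dport"] = int(m.group(3)), int(m.group(4))
        elif m := FLAGS_RE.search(line):
            rec["flags"] = m.group(1)
        elif m := REASON_RE.search(line):
            rec["reason"] = m.group(1)
    return records


def rejected_inbound(text: str, local_ip: str) -> Counter:
    """Count REJECTED BY FIREWALL records addressed to the TPF host, keyed by
    (remote source IP, TPF destination port). local_ip is an assumed parameter
    of this example; filtering on the destination address keeps the RST
    replies (which carry the same reason code) out of the count."""
    return Counter(
        (r["src"], r["dport"])
        for r in parse_report(text)
        if r.get("reason") == "REJECTED BY FIREWALL" and r["dst"] == local_ip
    )


if __name__ == "__main__":
    for (src, port), n in rejected_inbound(SAMPLE_REPORT, "9.117.241.12").most_common():
        print(f"{src} -> port {port}: {n} rejected packet(s)")
```

On the sample, the summary is a single line for 9.117.249.52 against port 1414, the same conclusion the paragraph above draws from Figure 21; on a full report the most_common() ordering puts the noisiest remote network first, which is what you want when ZFILT DISPLAY shows a large PACKETS count against a REJECT rule.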

See Appendix F, Using the Internet Protocol Trace Facility for more information about the IP trace facility and for a complete description of the reason code values that you can specify.

Note:
You can also use the ZIPTR or ZINIP command to display the IP trace information. See TPF Operations for more information about the ZIPTR and ZINIP commands and for examples of the displays.