This is really outside my area of competence, but I can give some examples of
our filters. Create a member with this format:
IPSEC
; This is a comment
IPSECR * * NOLOG PROTO ICMP
IPSECR 192.168.158.0/24 192.168.158.0/24 NOLOG PROTO *
;CLIENTS TO CONNECT TO TN3270
IPSECR * * NOLOG PROTO TCP SRCPORT 23 DESTPORT *
;ALLOW CONNECTIONS BETWEEN DR MAINFRAME SYSX0
IPSECR * 192.212.39.0/27 NOLOG PROTO *
ENDIPSEC
AFAIK the filters are bidirectional. I see nothing indicating gazinta or
gazouta. All filtering can be turned off with a member like this:
IPSEC
IPSECR * * NOLOG PROTO *
ENDIPSEC
Turning filters on or off works like this:
v tcpip,,obey,sys1.xxxtcp.filters(none) <-- off
v tcpip,,obey,sys1.xxxtcp.filters(ipfltx) <-- on (default at IPL)
.
.
.
J.O.Skip Robinson
Southern California Edison Company
Electric Dragon Team Paddler
SHARE MVS Program Co-Manager
323-715-0595 Mobile
626-302-7535 Office
[email protected]
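The member format shown in the message above (IPSEC ... IPSECR ... ENDIPSEC, with ';' comments and PROTO/SRCPORT/DESTPORT keywords) is easy to get subtly wrong, and an OBEY of a bad filter member can cut you off from the system. The following is an added example, not code from the thread or from IBM: a small Python evaluator that parses a member in that format and reports which rule (if any) a given packet would hit, so the rules can be checked offline before they are activated. Assumptions, as labelled in the code: rules are bidirectional as the post says (a rule also matches with source and destination swapped), the first matching rule wins, and a packet matching no rule is denied (consistent with the post's "turn all filtering off" member being a single permit-everything rule). The sample members are copied from the post; the packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Sample member: the rules quoted in the post, reproduced verbatim.
SAMPLE_MEMBER = """\
IPSEC
; This is a comment
IPSECR * * NOLOG PROTO ICMP
IPSECR 192.168.158.0/24 192.168.158.0/24 NOLOG PROTO *
;CLIENTS TO CONNECT TO TN3270
IPSECR * * NOLOG PROTO TCP SRCPORT 23 DESTPORT *
;ALLOW CONNECTIONS BETWEEN DR MAINFRAME SYSX0
IPSECR * 192.212.39.0/27 NOLOG PROTO *
ENDIPSEC
"""

# The "filtering off" member from the post: one rule that permits everything.
PERMIT_ALL_MEMBER = "IPSEC\nIPSECR * * NOLOG PROTO *\nENDIPSEC\n"


@dataclass
class Rule:
    src: Optional[ipaddress.IPv4Network]      # None means '*'
    dst: Optional[ipaddress.IPv4Network]
    proto: Optional[str] = None               # None means PROTO *
    srcport: Optional[int] = None             # None means any port
    dstport: Optional[int] = None
    log: bool = False
    text: str = ""                            # the rule as written, for reporting


def _net(tok):
    return None if tok == "*" else ipaddress.ip_network(tok, strict=False)


def _port(tok):
    return None if tok == "*" else int(tok)


def parse_member(text):
    """Parse IPSECR/IPSECRULE lines between IPSEC and ENDIPSEC; ';' starts a comment."""
    rules, inside = [], False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tok = line.upper().split()
        if tok[0] == "IPSEC":
            inside = True
            continue
        if tok[0] == "ENDIPSEC":
            inside = False
            continue
        if not inside or tok[0] not in ("IPSECR", "IPSECRULE"):
            raise ValueError(f"unexpected statement: {line}")
        rule = Rule(_net(tok[1]), _net(tok[2]), text=line)
        i = 3
        while i < len(tok):               # remaining tokens are keyword [value] pairs
            kw = tok[i]
            if kw in ("LOG", "NOLOG"):
                rule.log = (kw == "LOG")
                i += 1
            elif kw in ("PROTO", "PROTOCOL"):
                rule.proto = None if tok[i + 1] == "*" else tok[i + 1]
                i += 2
            elif kw == "SRCPORT":
                rule.srcport = _port(tok[i + 1])
                i += 2
            elif kw == "DESTPORT":
                rule.dstport = _port(tok[i + 1])
                i += 2
            else:
                raise ValueError(f"unknown keyword {kw} in: {line}")
        rules.append(rule)
    return rules


def _one_way(rule, src, dst, proto, sport, dport):
    """True if the packet matches the rule read left to right (src -> dst)."""
    if rule.src is not None and src not in rule.src:
        return False
    if rule.dst is not None and dst not in rule.dst:
        return False
    if rule.proto is not None and rule.proto != proto:
        return False
    if rule.srcport is not None and rule.srcport != sport:
        return False
    if rule.dstport is not None and rule.dstport != dport:
        return False
    return True


def match(rules, src, dst, proto, sport=None, dport=None):
    """Return the first rule that permits the packet, or None.
    Assumption (from the post): a rule is bidirectional, so it also matches
    with source/destination and the two ports swapped.  No match means deny."""
    src, dst, proto = ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.upper()
    for r in rules:
        if _one_way(r, src, dst, proto, sport, dport) or _one_way(r, dst, src, proto, dport, sport):
            return r
    return None


def permitted(rules, *packet):
    return match(rules, *packet) is not None


if __name__ == "__main__":
    rules = parse_member(SAMPLE_MEMBER)
    # Constructed packets, using the addresses from the original question.
    for pkt in [("10.3.1.5", "10.1.1.1", "ICMP"),
                ("10.3.1.5", "10.1.1.1", "TCP", 40000, 3000),
                ("10.3.1.5", "10.1.1.1", "TCP", 40000, 23)]:
        r = match(rules, *pkt)
        print(pkt, "PERMIT by " + r.text if r else "DENY (no matching rule)")
```

Run against the post's rules, a TCP connection from 10.3.1.5 to 10.1.1.1 port 3000 hits no rule and is reported as denied, while the same client reaching port 23 is permitted through the swapped reading of the SRCPORT 23 rule; the permit-all member passes everything. Treat the result as a sanity check of rule logic only, since the real z/OS filter semantics (default action, direction handling, rule ordering) are what the product documentation says, not what this script assumes.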
-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[email protected]] On Behalf
Of Roberto Halais
Sent: Monday, April 11, 2016 12:40 PM
To: [email protected]
Subject: (External):Re: TCPIP "firewall"
I think you can specify INBOUND/OUTBOUND or both.
On Mon, Apr 11, 2016 at 3:37 PM, Jousma, David <[email protected]> wrote:
> Can it be used for just the opposite? I.e. the DR world from leaking into
> production? This has been an ongoing discussion for us over the years.
> We have to disable "stuff" like MQ connections, FTP, Connect Direct,
> etc
>
> _________________________________________________________________
> Dave Jousma
> Assistant Vice President, Mainframe Engineering [email protected]
> 1830 East Paris, Grand Rapids, MI 49546 MD RSCB2H p 616.653.8429 f
> 616.653.2717
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]]
> On Behalf Of Jesse 1 Robinson
> Sent: Monday, April 11, 2016 3:33 PM
> To: [email protected]
> Subject: Re: TCPIP "firewall"
>
> We use IP filtering for DR tests where we need to keep the production
> world from leaking into the DR world. It works quite well and can be
> pretty specific. It is strictly a mainframe function.
>
> .
> .
> .
> J.O.Skip Robinson
> Southern California Edison Company
> Electric Dragon Team Paddler
> SHARE MVS Program Co-Manager
> 323-715-0595 Mobile
> 626-302-7535 Office
> [email protected]
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]]
> On Behalf Of Burrell, C. Todd (CDC/OCOO/OCIO/ITSO) (CTR)
> Sent: Monday, April 11, 2016 11:58 AM
> To: [email protected]
> Subject: (External):Re: TCPIP "firewall"
>
> I think if you use the IP filtering section in this book you should be
> able to accomplish this:
>
> http://www.redbooks.ibm.com/redbooks/pdfs/sg247699.pdf
>
> But I would tread carefully - this looks like it could cause more
> damage than the good that it does.
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:[email protected]]
> On Behalf Of R.S.
> Sent: Monday, April 11, 2016 2:47 PM
> To: [email protected]
> Subject: TCPIP "firewall"
>
> I need to block connections coming from a given IP address or a whole
> subnetwork. It can be limited to one TCP port.
>
> For example, my z/OS has address 10.1.1.1/24; the workstation I want to
> deny has address 10.3.1.1/24 (another subnet). I want the workstation to
> be unable to connect to 10.1.1.1 port 3000, or unable to connect at all.
> As an option, I want to block any workstation from the 10.3.1.nn network.
>
> Answering the obvious question: no, I cannot do it on the network router,
> because I don't manage the network. I can manage my z/OS configuration.
> Not to mention responsiveness.
>
> Any clue?
>
> --
> Radoslaw Skorupka
> Lodz, Poland
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN