IBM i Global


Checking for configured ports on IBMi

  • 1.  Checking for configured ports on IBMi

    Posted Tue July 02, 2024 05:36 AM

    Hi,

    Is there any way to check which ports have been configured for use on IBM i (but are not currently active)?

    NETSTAT *CNN gives the "Active" ports at any point in time, and CFGTCP, option 4 gives you any port restrictions.

    However, I am looking for an easy way to find out the "list of all ports which are configured but NOT CURRENTLY ACTIVE".

    Any guidance would be appreciated. Thank you.



    ------------------------------
    Thomas Varkey
    ------------------------------


  • 2.  RE: Checking for configured ports on IBMi

    Posted Tue July 02, 2024 01:30 PM

    There are inbound ports, and there are outbound ports.  Inbound ports generally stay active unless you end the service.  For example, FTP port 21 stays active unless I ENDTCPSVR SERVER(*FTP).

    Outbound ports are a different animal and often can be quite random.  For example, if I FTP FROM this IBM i to another server, it might go out on port 9393 (this time, as tested).

    I know that firewall/switch personnel like to lock down specific IP addresses and ports.  Most of them understand ephemeral ports (like the port 9393 example above).  Careful, as they will sometimes track a week's worth of usage and base their decision off of that.  Which may cause issues when you only run certain stuff outside of that test period, such as SNDPTFORD or SNDSRVRQS.  Then there's also the case where your IBM i supports multiple IP addresses, like for multiple web sites, Domino servers, H/A software routing, etc., and some IP clients don't support "bind specific".  For example, if I telnet from an LPAR with multiple IP addresses, which one am I coming from?

    You can do a STRCMNTRC to capture some of this.  And it will even generate a pcap file, loved by many a network technician:  DMPCMNTRC CFGOBJ(LANLINSYS) CFGTYPE(*LIN) TOSTMF('/home/ROB/myfile.pcap') FORMAT(*PCAP)

    I don't believe there are any ways to journal these through journals, QHST, etc.

    See also:  https://www.ibm.com/docs/en/i/7.5?topic=is-communication-services



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 3.  RE: Checking for configured ports on IBMi

    Posted Wed July 03, 2024 01:43 AM

    Hello Robert,

    Thank you for your reply. I was actually asking about inbound ports. Is there any way to know which inbound ports have been configured? NETSTAT *CNN shows all the inbound ports that are ACTIVE at that moment in time. Is there any way to know which inbound ports have been configured BUT are NOT CURRENTLY ACTIVE?

    For example, if for a new application I need to define an inbound port (say 1475), it would be good to know if this inbound port has already been used for some other application (which may not be active at that point in time).

    Appreciate your thoughts on this.



    ------------------------------
    Thomas Varkey
    ------------------------------



  • 4.  RE: Checking for configured ports on IBMi

    Posted Thu July 04, 2024 11:21 PM

    To get traffic log in a journal, one could use the integrated Packet Filter with an "allow all" filterset and journaling to "Full": https://www.ibm.com/docs/en/i/7.5?topic=mpr-journaling-auditing-packet-rules-actions-by-packet-rules .



    ------------------------------
    Sylvain Manceau
    ------------------------------



  • 5.  RE: Checking for configured ports on IBMi

    Posted Mon July 08, 2024 02:13 PM

    Now that is a very good answer that points in the right direction to definitively answer the question "what ports are being used on my system".

    The Packet Filtering that Sylvain references has the further ability to define rules that limit how much data you are going to journal.  In my mind, every packet for every connection is way too much to journal.

    If you are interested in which ports are being used, and who is using them, you really only journal the first packet for each connection.  Fortunately, for TCP/IP connections, the first packet is a SYN packet that starts the establishment of the connection.

    The packet rules allow you to select those specific packets with the TCP/STARTING protocol selector so you'll only log that first packet.

    I just tested this with the following ruleset on a lab system:

    FILTER SET LogConnections   ACTION = PERMIT   DIRECTION = INBOUND   SRCADDR = *   DSTADDR = *   PROTOCOL = TCP/STARTING   DSTPORT = *   SRCPORT = *   JRN = FULL
    FILTER SET LogConnections   ACTION = PERMIT   DIRECTION = *   SRCADDR = *   DSTADDR = *   PROTOCOL = *   DSTPORT = *   SRCPORT = *   JRN = OFF

    FILTER_INTERFACE   IP_ADDRESS = {your interface ip address here}   SET = LogConnections

    The first rule says to accept all inbound TCP starting connections from anywhere on any port and log them to the journal.
    The second rule overrides the default deny-all rule and accepts all packets on all protocols without logging (basically this is what you get without any rules).
    With this rule installed, every TCP connection ATTEMPT gets logged with an M-TF entry in the QIPFILTER journal.  That is the easiest way you will get a list of all ports being used.  Do note that this is connection attempts -- it will log attempts on ports that are not being listened on also.  Ideally, you would log the outbound SYN-ACK that shows a connection was established instead of just the attempts, but that does not appear to be possible.

    Run that for a sufficient period to catch your normal traffic and then analyze with an SQL service:

    WITH filterlog AS (
            SELECT CAST(ENTRY_DATA AS VARCHAR(1000)) AS entry
                FROM TABLE (
                        QSYS2.DISPLAY_JOURNAL('QUSRSYS', 'QIPFILTER', JOURNAL_ENTRY_TYPES => 'TF')
                    )
        ),
        parsed AS (
            SELECT SUBSTR(entry, 1, 10) AS line,
                   SUBSTR(entry, 29, 15) AS Srcip,
                   SUBSTR(entry, 44, 5) AS Srcport,
                   SUBSTR(entry, 49, 15) AS DestIP,
                   SUBSTR(entry, 64, 5) AS DestPort
                FROM filterlog
        )
        -- one row per destination port: how many SYNs hit it, and from how many distinct sources
        SELECT DestIP, DestPort,
               COUNT(*) AS attempts,
               COUNT(DISTINCT Srcip) AS distinct_sources
            FROM parsed
            GROUP BY DestIP, DestPort
            ORDER BY DestPort;

    You can use the same rules to restrict the ports that can be used once you determine what is normal for your environment.  That would address the ability to have a program listen on any port.  It doesn't matter if they are listening if you block anyone that tries to talk to them.

    This only logs TCP traffic.  Other protocols, such as UDP and ICMP don't have that handshake that allows easy detection of the start of a conversation, so if you want to track those, you will need different rules.



    ------------------------------
    Vincent Greene
    IT Consultant
    Technology Expert labs
    IBM
    Vincent.Greene@ibm.com


    The postings on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.
    ------------------------------



  • 6.  RE: Checking for configured ports on IBMi

    Posted Mon July 08, 2024 04:00 PM

    This is really cool info.  Thanks for taking the time and sharing this!



    ------------------------------
    Steven Riedmueller
    Certified IBM i Admin
    Speaker, Mentor, and Advocate
    ------------------------------



  • 7.  RE: Checking for configured ports on IBMi

    Posted Mon July 08, 2024 11:48 PM

    Thank you, Vincent, for your very detailed post! I wasn't aware of the "TCP/STARTING" protocol selector.

    Any thought about the "TCP SYN bit" mentioned here: https://www.ibm.com/docs/en/i/7.5?topic=filtering-ip-packet-header ?



    ------------------------------
    Sylvain Manceau
    ------------------------------



  • 8.  RE: Checking for configured ports on IBMi

    Posted Tue July 09, 2024 11:26 AM

    I didn't even know that the packet filtering could be used to write journal entries until I saw your post and started experimenting.  It is a very nice solution to a situation that I did not think could be easily solved on IBM i.  It was the search for the SYN bit mentioned on that page that led me to TCP/STARTING (since that is the function of the SYN bit)

    I did not find any definitive syntax reference for the rules, but my experimentation showed that TCP/STARTING only captured the first packet in the exchange.  Using OUTBOUND & TCP/STARTING only got me the first packet in the outbound connections, not the SYN/ACK that I would expect from the response to the initiation of a new connection.

    For those that don't know, TCP connections use a three way handshake to establish a connection:  SYN, SYN-ACK, and ACK

    The initiator sends a SYN packet (I want to connect to your port x from my port Y) (SYN Bit is set in the header)

    If the port is open and the connection is accepted by the target, it sends a SYN-ACK packet (SYN and ACK bits set in the header) which means "Glad to hear from you - let's talk, starting with this sequence number, etc."

    Finally the initiator acknowledges the connection is open by sending an ACK packet ("Thanks for accepting my call") and the connection is open.

    I can still picture Professor Synder in the front of the classroom waving his hands and saying "NAK-NAK-NAK" while explaining these kinds of protocols :)

    If the port is not open, the target will send a different response (SYN-RST I think) telling the initiator to go away.  Different situations result in different sets of responses, such as open ports that don't allow specific addresses.  These different responses may be manipulated by hackers (not necessarily the bad kind) to probe open ports.  The nmap documentation explains the different results pretty well:  https://nmap.org/book/scan-methods-null-fin-xmas-scan.html

    Internal port scans by security software are not unusual, so if you use this process and see a lot of TCP/STARTING in a journal from different ports from the same IP address, especially if no other addresses use those ports, you can probably trace that to a port scanner.  Ask your security team if it is theirs and you'll get some points for detecting them, or send them into a panic that someone else on the network is port scanning you.  

    In any case, if you use the technique of journaling the INBOUND TCP/STARTING packets, you might see connections that did not complete - if you see connections on ports that are only accessed by one IP, especially if that same IP has lots of ports it tries to access, that is probably not a port that is open -- it's just a port scanner.

    If you see lots of IPs accessing lots of ports that are not likely open, that probably means you need to have a discussion with your security team about their firewall rules.



    ------------------------------
    Vincent Greene
    IT Consultant
    Technology Expert labs
    IBM
    Vincent.Greene@ibm.com


    The postings on this site are my own and don't necessarily represent IBM's positions, strategies or opinions.
    ------------------------------
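    The analysis Vincent describes in his two posts above (summarise journaled TCP/STARTING entries per destination port, then separate ports with real clients from ports that only a scanner touched), as an added example that is not part of the original thread. The record layout is an assumption: it mirrors the SUBSTR offsets used in the SQL above (line 1-10, source IP 29-43, source port 44-48, destination IP 49-63, destination port 64-68), and the sample entries are constructed, not taken from a real QIPFILTER journal. Verify the offsets against your own M-TF entries before trusting the output.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed record layout, mirroring the SUBSTR offsets in the SQL above
# (1-based): line 1-10, source IP 29-43, source port 44-48,
# destination IP 49-63, destination port 64-68. Verify against real entries.


@dataclass(frozen=True)
class Attempt:
    line: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_entry(entry: str) -> Attempt:
    """Slice one ENTRY_DATA string (0-based slices of the offsets above)."""
    return Attempt(
        line=entry[0:10].strip(),
        src_ip=entry[28:43].strip(),
        src_port=int(entry[43:48]),
        dst_ip=entry[48:63].strip(),
        dst_port=int(entry[63:68]),
    )


def make_entry(line, src_ip, src_port, dst_ip, dst_port):
    """Build a constructed ENTRY_DATA string in that layout (sample data only)."""
    return f"{line:<10}{'':18}{src_ip:<15}{src_port:>5}{dst_ip:<15}{dst_port:>5}"


def likely_scanners(attempts, min_ports=10):
    """Source IPs that sent SYNs to at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for a in attempts:
        ports[a.src_ip].add(a.dst_port)
    return {ip for ip, p in ports.items() if len(p) >= min_ports}


def classify_ports(attempts, min_ports=10):
    """Split destination ports into ones with a real client and scan-only noise.

    A port reached only by addresses that also look like scanners is noise;
    a port reached by at least one other address is treated as in use.
    Returns (in_use, noise), each mapping port -> sorted source IPs.
    """
    scanners = likely_scanners(attempts, min_ports)
    by_port = defaultdict(set)
    for a in attempts:
        by_port[a.dst_port].add(a.src_ip)
    in_use, noise = {}, {}
    for port, sources in by_port.items():
        target = in_use if sources - scanners else noise
        target[port] = sorted(sources)
    return in_use, noise


# Constructed sample: a few normal clients on 22/23/446/8080, plus 10.0.0.99
# walking 12 ports, the "one IP, many ports" pattern described in the thread.
SAMPLE_ENTRIES = [
    make_entry("ETHLINE", "10.0.0.5", 51234, "10.0.0.1", 23),
    make_entry("ETHLINE", "10.0.0.6", 51235, "10.0.0.1", 23),
    make_entry("ETHLINE", "10.0.0.7", 40001, "10.0.0.1", 22),
    make_entry("ETHLINE", "10.0.0.8", 40002, "10.0.0.1", 8080),
    make_entry("ETHLINE", "10.0.0.5", 51300, "10.0.0.1", 446),
] + [
    make_entry("ETHLINE", "10.0.0.99", 60000 + n, "10.0.0.1", port)
    for n, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 446, 3389])
]


def report(entries=SAMPLE_ENTRIES, min_ports=10):
    """Parse entries and return scanners plus the in-use / noise port split."""
    attempts = [parse_entry(e) for e in entries]
    in_use, noise = classify_ports(attempts, min_ports)
    return {"scanners": likely_scanners(attempts, min_ports),
            "in_use": in_use, "noise": noise}


if __name__ == "__main__":
    r = report()
    print("likely scanners:", sorted(r["scanners"]))
    print("ports in use   :", sorted(r["in_use"]))
    print("scan noise only:", sorted(r["noise"]))
```

    On the constructed sample this reports 10.0.0.99 as a scanner, keeps 22, 23, 446 and 8080 as in use (each has at least one other client, even though the scanner hit some of them too), and lists the remaining nine ports as scan noise. The min_ports threshold is a judgement call; a vulnerability scanner will clear it by a wide margin, while a legitimate client that talks to two or three services will not.
    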



  • 9.  RE: Checking for configured ports on IBMi

    Posted Wed July 10, 2024 01:35 AM

    Once again, thank you Vincent for your very detailed reply!



    ------------------------------
    Sylvain Manceau
    ------------------------------



  • 10.  RE: Checking for configured ports on IBMi

    Posted Wed July 03, 2024 03:47 AM

    You can try the WRKSRVTBLE command. It shows if a service is assigned to a particular port. But use it as a hint only. If there's an entry for a port, it doesn't mean the port is ever used, and you need to look into it further. Also, if there's no entry for a port, it doesn't mean the port is unused. But any serious application should have a relevant entry in that list. Using a specific port is application dependent, and it sits in the application configuration. Technically (and in most cases) you can change the port number at any time in the configuration, and the system doesn't track configuration changes. So until the application is started, the system wouldn't know the port number. As far as I remember, if you try to start an application and the port is already active and used by another application, then your service will not start properly.



    ------------------------------
    Krzysztof Łukawski
    ------------------------------



  • 11.  RE: Checking for configured ports on IBMi

    Posted Wed July 03, 2024 07:11 AM

    I think the easiest answer to your question is "no".  An inbound port is simply something which listens on that port.  You can create a simple program that will listen on any available port you state.  Application port numbers could be in code or data objects.  Web servers will use various, changeable, ports which would show up in their config.  Is there more to the question?



    ------------------------------
    Patrick Kelly
    ------------------------------



  • 12.  RE: Checking for configured ports on IBMi

    Posted Wed July 03, 2024 10:26 AM

    I think Patrick sums up the best answer.

    Others, me included, knew or assumed that Patrick's answer was a given and were trying to jump past that to try to provide work arounds.

    I use a MFT solution which stores their port number in an IFS file in their product directory.  I'm betting others do too.  So that's yet another place to look.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 13.  RE: Checking for configured ports on IBMi

    Posted Wed July 03, 2024 10:01 AM

    For webservers, you could go into the HTTPAdmin and choose "All Servers" from the "Servers" dropdown.  This will show the IP:port configured in each webserver, even if they are not running at the moment.  I think you'll need to find similar resources (or create your own) for other types of services.  If you have any idea of the services that you're concerned about, we can probably help you hunt down the port details.



    ------------------------------
    Steven Riedmueller
    Certified IBM i Admin
    Speaker, Mentor, and Advocate
    ------------------------------



  • 14.  RE: Checking for configured ports on IBMi

    Posted Mon July 08, 2024 04:04 PM

    I have this piece of SQL that will search for the configured ports in your httpd config files.

    with ifsobjs (path, type) as (
      select path_name, object_type
        from table(qsys2.IFS_OBJECT_STATISTICS(
                         start_path_name => '/www',
                         subtree_directories => 'YES')) a
        where path_name like '%httpd.conf'
    )
    select i.path, l.line, l.line_number, i.type
      from ifsobjs i, lateral (
        select * from table (
            qsys2.ifs_read(
              path_name => i.path,
              end_of_line => 'ANY',
              maximum_line_length => default,
              ignore_errors => 'NO'
            ) ) r
      ) l
      where upper(l.line) like '%LISTEN %'
      order by i.path ;



    ------------------------------
    Bryan Dietz
    ------------------------------



  • 15.  RE: Checking for configured ports on IBMi

    Posted Mon July 08, 2024 04:32 PM

    In the bash shell:

    cd /www || exit 1
    find . -name '*httpd.conf' | while read -r i
    do
      echo "$i"
      grep -n -i LISTEN "$i"
      if [ "$?" != "0" ]; then echo "LISTEN not found in $i"; fi
    done



    ------------------------------
    Jack Woehr
    ------------------------------



  • 16.  RE: Checking for configured ports on IBMi

    Posted Mon July 08, 2024 05:08 PM

    nice!!

    I added this to the beginning:
    save_cwd=$(pwd)

    and to the end:
    cd "$save_cwd"

    just needed to be back where I started from  :-)



    ------------------------------
    Bryan Dietz
    ------------------------------



  • 17.  RE: Checking for configured ports on IBMi

    Posted Tue July 09, 2024 04:29 AM

    Or use the pushd and popd commands instead of your $save_cwd:

    pushd /www || exit 1
    find . -name '*httpd.conf' | while read -r i
    do
      echo "$i"
      grep -n -i LISTEN "$i"
      if [ "$?" != "0" ]; then echo "LISTEN not found in $i"; fi
    done
    popd

    Use the --help option to read the help text, e.g. pushd --help, since there's no man page for these commands - or read the GNU manual:

    https://www.gnu.org/software/bash/manual/html_node/Directory-Stack-Builtins.html



    ------------------------------
    Christian Jorgensen
    IT System Administrator | CEAC member
    Network of Music Partners A/S
    ------------------------------
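    The SQL and shell searches in the last few posts find every line containing LISTEN, which also returns commented-out directives and leaves the address and port as raw text. As an added example (not code from any poster), here is a small parser for Apache-style Listen directives, the syntax IBM HTTP Server's httpd.conf uses: it skips comment lines, splits the directive into address, port and optional protocol, handles the bracketed IPv6 form, and rejects out-of-range ports. The sample configuration is constructed for the example. The same caveat applies as elsewhere in this thread: this reads configuration, so it shows what a server would bind when started, not what is listening now.

```python
import os
import re
from typing import List, NamedTuple, Optional


class Listen(NamedTuple):
    address: Optional[str]   # None when the directive binds all interfaces
    port: int
    protocol: Optional[str]  # e.g. "https"; None when not given
    line_number: int


# Listen [address:]port [protocol]; address may be IPv4, a hostname, or [IPv6]
_LISTEN = re.compile(
    r"^\s*Listen\s+"
    r"(?:(?P<addr>\[[0-9A-Fa-f:.]+\]|[^\s:]+):)?"
    r"(?P<port>\d{1,5})"
    r"(?:\s+(?P<proto>\S+))?\s*$",
    re.IGNORECASE,
)


def listen_directives(text: str) -> List[Listen]:
    """Parse every active (non-commented) Listen directive in a httpd.conf body."""
    found = []
    for n, raw in enumerate(text.splitlines(), start=1):
        if raw.lstrip().startswith("#"):   # '#Listen 8081' is not a binding
            continue
        m = _LISTEN.match(raw)
        if not m:
            continue
        port = int(m.group("port"))
        if not 0 < port < 65536:           # e.g. a typo like 'Listen 70000'
            continue
        found.append(Listen(m.group("addr"), port, m.group("proto"), n))
    return found


def find_listen_ports(root: str) -> dict:
    """Walk root (e.g. /www) and map each httpd.conf path to its Listen directives."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == "httpd.conf":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result[path] = listen_directives(fh.read())
    return result


# Constructed sample configuration (not from any real server)
SAMPLE_CONF = """\
# IBM HTTP Server sample
Listen 10.1.2.3:8080
#Listen 8081
Listen [::1]:8443 https
listen 2001
ServerName test.example
Listen 70000
"""


if __name__ == "__main__":
    for d in listen_directives(SAMPLE_CONF):
        print(f"line {d.line_number}: {d.address or '*'}:{d.port} {d.protocol or ''}")
```

    On the sample this yields three bindings (10.1.2.3:8080, [::1]:8443 https, and *:2001) and drops both the commented-out 8081 and the invalid 70000. Point find_listen_ports at /www to get the per-file view the SQL above produces, with the port already parsed out for comparison against the NETSTAT and journal results.
    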



  • 18.  RE: Checking for configured ports on IBMi

    Posted Wed July 03, 2024 10:17 AM

    I tried searching https://wiki.midrange.com/index.php/Main_Page for ports to see if anyone had created any table of commonly used ports on IBM i.  I didn't see any.



    ------------------------------
    Robert Berendt IBMChampion
    ------------------------------



  • 19.  RE: Checking for configured ports on IBMi

    Posted Mon July 08, 2024 02:36 AM

    Thank you for your thoughts on this.



    ------------------------------
    Thomas Varkey
    ------------------------------