z/OS Communications Server

A high-performance foundation for building and deploying networking applications on z/OS

  • 1.  IP filtering question (back to front)

    Posted Wed November 22, 2023 10:56 AM

    I can use 

    IPSECRULE 10.1.0.2 10.1.1.2  LOG Protocol icmp direction inbound 
    IPSECRULE 10.1.1.2 10.1.0.2  LOG Protocol icmp direction outbound 

    and they work as expected.

    If I use

    IPSECRULE 10.1.0.2 * LOG Protocol icmp direction bidirectional 

    it doesn't work as expected. My traffic is blocked, and if I display the configuration using ipsec -f display -p TCPIP

    I get ( after deleting non relevant stuff )

    FilterName:                   SYSDEFAULTRULE.1 
    FilterNameExtension:          1 
    Direction:                    Outbound 
    SourceAddress:                10.1.0.2 
    DestAddress:                  0.0.0.0 
    *********************************************************************** 
    FilterName:                   SYSDEFAULTRULE.1 
    FilterNameExtension:          2 
    Direction:                    Inbound 
    SecurityClass:                0 
    SourceAddress:                0.0.0.0 
    DestAddress:                  10.1.0.2 

    which appears to be the wrong way round. It needs to be INBOUND from source 10.1.0.2 to dest 0.0.0.0, and OUTBOUND from source 0.0.0.0 to destaddr 10.1.0.2

    To get it to work I have to use

     IPSECRULE * 10.1.0.2  LOG Protocol icmp direction bidirectional 

    which feels wrong... the source "*" is actually the target (destination) and the destination "10.1.0.2" is actually where the request comes from (source)

    This is different to direction inbound|outbound, which makes sense: source is where it starts, and dest is where it is going to.

    Am I missing something?

    Colin



    ------------------------------
    Colin Paice
    ------------------------------


  • 2.  RE: IP filtering question (back to front)

    Posted Mon November 27, 2023 08:02 AM

    Direction bidirectional uses the configured source and destination to generate an outbound rule. It switches them to generate an inbound rule. This is documented under the Bidirectional parameter here: https://www.ibm.com/docs/en/zos/3.1.0?topic=statements-ipsec-statement

    "BIDIRECTIONAL This value generates two IP filters. The first generated rule permits an outbound packet with the specified source and destination IP address or port. The second generated rule switches the source and destination specification and permits an inbound packet with the switched source and destination specification."

    Joyce Anne Porter, IBM z/OS Communications Server



    ------------------------------
    Joyce Anne Porter
    ------------------------------



  • 3.  RE: IP filtering question (back to front)

    Posted Tue November 28, 2023 04:28 AM
    Hi Joyce,

    Thanks for your reply.

    Let me explain my problem a different way.

    If I use

    IpSourceAddr LAPTOPIP IpDestAddr zOSIP ... Direction inbound
    IpSourceAddr zOSIP  IpDestAddr LAPTOPIP  ... Direction outbound

    I can ping from LAPTOPIP address into zOSIP - great, this works.

    In order to get bidirectional working I have to use

    IpSourceAddr zOSIP  IpDestAddr LAPTOP ... Direction bidirectional

    change to bidirectional and swap the IP addresses round

    which, as you say, generates the OUTPUT, then swaps the IP Address round, and generates an input.

    This makes my head spin... as the actual source is my laptop and the target is z/OS, not the other way round. My first flow is from my laptop, so most people would configure this as the source, and z/OS as the destination. I have to specify the port of the destination server on z/OS as the sourcePort, not the destination!... My head spins!


    I'm blogging on this, and I am going to say, to stay sane, do not use bidirectional - specify input and output specifically.

    It would help if the doc gave an example

    IpSourceAddr LAPTOPIP IpDestAddr zOSIP ... Direction inbound
    IpSourceAddr zOSIP  IpDestAddr LAPTOPIP  ... Direction outbound

    or
    IpSourceAddr zOSIP  IpDestAddr LAPTOPIP  ... Direction bidirectional


    It took me an hour or so to realise that you need a rule for a request coming into z/OS, and a rule for the response to get out of z/OS.  With hindsight this is obvious, but it took me a while to realise this.

    An example like

    To allow a ping request from a client into z/OS you need a rule for inbound, and a rule for outbound traffic such as

    IpSourceAddr LAPTOPIP IpDestAddr zOSIP ... Direction inbound Protocol icmp type 8
    IpSourceAddr zOSIP  IpDestAddr LAPTOPIP  ... Direction outbound Protocol icmp type 0

    You cannot use bidirectional because the icmp types are different.
    You could use
    IpSourceAddr zOSIP  IpDestAddr LAPTOPIP  ... Direction bidirectional Protocol icmp

    to allow all ICMP requests in and out between the two IP addresses



    Colin
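The following is an added illustration, not code from IBM or from either poster: it models the rule expansion Joyce quotes from the documentation (bidirectional = one outbound filter as written, plus one inbound filter with source and destination switched) and replays the thread's two cases against it, the `IPSECRULE 10.1.0.2 *` rule that blocked the ping versus `IPSECRULE * 10.1.0.2`, and the ICMP type 8 / type 0 pair from the last post that a single bidirectional rule cannot express. The `Filter`, `expand` and `permitted` names and the packet model are assumptions made for this example; the wildcard is written as `*` here where the `ipsec -f display` output shows 0.0.0.0.

```python
# Added illustration (not IBM code): models how an IPSECRULE with
# Direction bidirectional expands into two generated filters, then
# checks constructed sample packets against them.
from dataclasses import dataclass
from typing import List, Optional

ANY = "*"  # wildcard; 'ipsec -f display' shows it as 0.0.0.0


@dataclass(frozen=True)
class Filter:
    direction: str            # "inbound" or "outbound"
    src: str
    dst: str
    protocol: str
    icmp_type: Optional[int] = None   # None = any ICMP type

    def matches(self, pkt: "Filter") -> bool:
        # A packet is described with the same fields as a filter.
        return (self.direction == pkt.direction
                and self.src in (ANY, pkt.src)
                and self.dst in (ANY, pkt.dst)
                and self.protocol == pkt.protocol
                and self.icmp_type in (None, pkt.icmp_type))


def expand(src, dst, direction, protocol="icmp", icmp_type=None) -> List[Filter]:
    """Generate the filters one IPSECRULE statement produces."""
    if direction in ("inbound", "outbound"):
        return [Filter(direction, src, dst, protocol, icmp_type)]
    if direction == "bidirectional":
        # First generated rule: outbound, addresses as written.
        # Second generated rule: inbound, source and destination switched.
        return [Filter("outbound", src, dst, protocol, icmp_type),
                Filter("inbound", dst, src, protocol, icmp_type)]
    raise ValueError(f"unknown direction {direction!r}")


def permitted(filters: List[Filter], pkt: Filter) -> bool:
    return any(f.matches(pkt) for f in filters)


# Constructed sample traffic from the thread: laptop 10.1.0.2 pings z/OS 10.1.1.2.
LAPTOP, ZOS = "10.1.0.2", "10.1.1.2"
PING_REQUEST = Filter("inbound", LAPTOP, ZOS, "icmp", 8)   # echo request arriving at z/OS
PING_REPLY = Filter("outbound", ZOS, LAPTOP, "icmp", 0)    # echo reply leaving z/OS

if __name__ == "__main__":
    for text, rules in (("IPSECRULE 10.1.0.2 *", expand(LAPTOP, ANY, "bidirectional")),
                        ("IPSECRULE * 10.1.0.2", expand(ANY, LAPTOP, "bidirectional"))):
        print(text, "request:", permitted(rules, PING_REQUEST),
              "reply:", permitted(rules, PING_REPLY))
```

Running it shows the first rule blocks the inbound request (its generated inbound filter only accepts packets destined for 10.1.0.2) while the second permits both directions.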