z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)


EZD1721I

SC27-3655-01

EZD1721I
Packet denied by defensive filter: timestamp filter rule= rulename ext= instance sipaddr= sipaddr dipaddr= dipaddr proto= proto tag1 tag2 tag3 Interface= ifcaddr (dir) secclass= secclass dest= dest len= len ifcname= ifcname fragment= frag

Explanation

An IP packet matched the indicated defensive filter rule and was denied. For this message to be written, the matching defensive filter must have logging enabled.

In the message text:
timestamp
The stack timestamp that indicates the time at which the IP packet was processed by the stack. This time is retrieved from the system time-of-day clock, which usually reflects coordinated universal time (UTC). This timestamp might be different than the syslogd message timestamp.
rulename
The defensive filter rule name as specified on the -N option when the defensive filter was added with the z/OS® UNIX ipsec command.
instance
The rule name extension that indicates which instance of the rule name was matched.
sipaddr
The source IP address of the packet.
dipaddr
The destination IP address of the packet.
proto
The protocol from the packet. Possible values are:
  • ICMP(1)
  • IGMP(2)
  • IP(4)
  • TCP(6)
  • UDP(17)
  • ESP(50)
  • AH(51)
  • ICMPv6(58)
  • OSPF(89)
  • IPIP(94)
  • MIPv6(135)
  • Unknown
  • The protocol number
tag1
The tag1 value varies depending on the proto value.
  • If the proto value is ICMP or ICMPv6, the tag1 value is type= followed by the ICMP or ICMPv6 type, or followed by the value Unknown if the ICMP header is not present in the packet as the result of fragmentation.
  • If the proto value is TCP or UDP, the tag1 value is sport= followed by the source port, or followed by the value Unknown if the TCP or UDP header is not present in the packet as the result of fragmentation.
  • If the proto value is OSPF, the tag1 value is type= followed by the type, or followed by the value Unknown if the OSPF header is not present in the packet as the result of fragmentation.
  • If the proto value is MIPv6, the tag1 value is type= followed by the type, or followed by the value Unknown if the MIPv6 header is not present in the packet as the result of fragmentation.
  • If the proto value is any value not previously mentioned, the tag1 value is -= which indicates that the data is not applicable.
tag2
The tag2 value varies depending on the proto value.
  • If the proto value is ICMP or ICMPv6, the tag2 value is code= followed by the ICMP or ICMPv6 code, or followed by the value Unknown if the ICMP header is not present in the packet as the result of fragmentation.
  • If the proto value is TCP or UDP, the tag2 value is dport= followed by the destination port, or followed by the value Unknown if the TCP or UDP header is not present in the packet as the result of fragmentation.
  • If the proto value is any value not previously mentioned, the tag2 value is -= which indicates that the data is not applicable.
tag3
The tag3 value varies depending on the proto value and direction.
  • If the proto value is TCP or UDP, the direction is inbound, and the port has been translated by the CommServer NAT Traversal function, the tag3 value is origport= followed by the original source port.
  • If the proto value is TCP or UDP, the direction is outbound, and the port has been translated by the CommServer NAT Traversal function, the tag3 value is origport= followed by the original destination port.
  • If the proto value is any value not previously mentioned, the tag3 value is -= which indicates that the data is not applicable.
ifcaddr
The interface address over which the packet was received or sent.
dir
Possible values are:
I
The packet is inbound.
O
The packet is outbound.
secclass
The security class assigned to the interface. The security class is a numeric value in the range of 1-255.
dest
Possible values are:
local
The destination is a local destination.
routed
The packet is being routed.
len
The packet length.
ifcname
The interface name.
frag
Possible values are:
Y
The packet is a fragment.
N
The packet is not a fragment.

System action

TCP/IP processing continues.

Operator response

No action needed.

System programmer response

No action needed.

User response

Not applicable.

Problem determination

Not applicable.

Source

z/OS Communications Server TCP/IP: TRMD

Module

EZATRZOS

Routing code

Not applicable for syslog message.

Descriptor code

Not applicable for syslog message.

Automation

Not applicable.

Example

EZD1721I Packet denied by defensive filter:  07/11/2007 23:40:08.78 filter  rule= Block_192.30.30.0/24 
         ext= 1 sipaddr= 192.30.30.1 dipaddr= 192.1.1.1  proto= tcp(6) sport= 65000 dport= 21  -= 
         Interface= 192.1.1.1 (I) secclass= 255  dest= local len= 88 ifcname= LINK1 fragment= N 
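
Added example (not part of the IBM documentation): a Python parser for the EZD1721I layout described above, turning a syslog record into fields that can be counted or alerted on. The function and field names are this example's own, and it assumes rule names and interface names contain no spaces.

```python
import re

# Fixed fields of EZD1721I; tag1..tag3 sit between proto= and Interface=.
EZD1721I = re.compile(
    r"EZD1721I Packet denied by defensive filter: (?P<timestamp>\S+ \S+) "
    r"filter rule= (?P<rule>\S+) ext= (?P<ext>\d+) "
    r"sipaddr= (?P<sipaddr>\S+) dipaddr= (?P<dipaddr>\S+) "
    r"proto= (?P<proto>\S+) (?P<tags>.*?) "
    r"Interface= (?P<ifcaddr>\S+) \( ?(?P<dir>[IO]) ?\) "
    r"secclass= (?P<secclass>\d+) dest= (?P<dest>local|routed) "
    r"len= (?P<len>\d+) ifcname= (?P<ifcname>\S+) fragment= (?P<fragment>[YN])"
)

def parse_tags(text):
    """'sport= 65000 dport= 21 -=' -> {'sport': 65000, 'dport': 21}; '-=' is skipped."""
    tags, key = {}, None
    for tok in text.split():
        if tok.endswith("="):
            key = tok[:-1]
        elif key and key != "-":
            # 'Unknown': the header was not in this fragment, so store None.
            tags[key] = None if tok == "Unknown" else int(tok) if tok.isdigit() else tok
            key = None
    return tags

def parse_ezd1721i(raw):
    """Parse one record (wrapped continuation lines allowed); None if no match."""
    m = EZD1721I.search(" ".join(raw.split()))
    if not m:
        return None
    rec = m.groupdict()
    for field in ("ext", "secclass", "len"):
        rec[field] = int(rec[field])
    rec["fragment"] = rec["fragment"] == "Y"
    # proto is NAME(number), a bare protocol number, or Unknown.
    p = re.fullmatch(r"(?:(\w+)\((\d+)\)|(\d+))", rec["proto"])
    rec["proto_name"] = p.group(1).upper() if p and p.group(1) else None
    rec["proto_num"] = int(p.group(2) or p.group(3)) if p else None
    rec.update(parse_tags(rec.pop("tags")))
    return rec

# The example record from this page, with its line wrapping.
SAMPLE = """EZD1721I Packet denied by defensive filter:  07/11/2007 23:40:08.78 filter  rule= Block_192.30.30.0/24
         ext= 1 sipaddr= 192.30.30.1 dipaddr= 192.1.1.1  proto= tcp(6) sport= 65000 dport= 21  -=
         Interface= 192.1.1.1 (I) secclass= 255  dest= local len= 88 ifcname= LINK1 fragment= N"""

if __name__ == "__main__":
    print(parse_ezd1721i(SAMPLE))
```

A key that is present with the value None (for example sport on a fragment) means the message reported Unknown, which is distinct from a tag that was not applicable and is therefore absent from the result.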





Copyright IBM Corporation 1990, 2014