Explanation
An IP packet matched the indicated defensive filter rule and was denied.
For this message to be written, the matching defensive filter must have
logging enabled.
In the message text:
- timestamp
- The stack timestamp that indicates the time at which the IP packet
was processed by the stack. This time is retrieved from the system
time-of-day clock, which usually reflects coordinated universal time
(UTC). This timestamp might differ from the syslogd message
timestamp.
- rulename
- The defensive filter rule name as specified on the -N option when
the defensive filter was added with the z/OS® UNIX ipsec command.
- instance
- The rule name extension that indicates which instance of the rule
name was matched.
- sipaddr
- The source IP address of the packet.
- dipaddr
- The destination IP address of the packet.
- proto
- The protocol from the packet. Possible values are:
- ICMP(1)
- IGMP(2)
- IP(4)
- TCP(6)
- UDP(17)
- ESP(50)
- AH(51)
- ICMPv6(58)
- OSPF(89)
- IPIP(94)
- MIPv6(135)
- Unknown
- The protocol number
- tag1
- The tag1 value varies depending on the proto value.
- If the proto value is ICMP or ICMPv6, the tag1 value
is type= followed by the ICMP or ICMPv6 type, or followed
by the value Unknown if the ICMP header is not present
in the packet as the result of fragmentation.
- If the proto value is TCP or UDP, the tag1 value
is sport= followed by the source port, or followed by the
value Unknown if the TCP or UDP header is not present
in the packet as the result of fragmentation.
- If the proto value is OSPF, the tag1 value
is type= followed by the type, or followed by the value Unknown if
the OSPF header is not present in the packet as the result of fragmentation.
- If the proto value is MIPv6, the tag1 value
is type= followed by the type, or followed by the value Unknown if
the MIPv6 header is not present in the packet as the result of fragmentation.
- If the proto value is any value not previously
mentioned, the tag1 value is -= which indicates
that the data is not applicable.
- tag2
- The tag2 value varies depending on the proto value.
- If the proto value is ICMP or ICMPv6, the tag2 value
is code= followed by the ICMP or ICMPv6 code, or followed
by the value Unknown if the ICMP header is not present
in the packet as the result of fragmentation.
- If the proto value is TCP or UDP, the tag2 value
is dport= followed by the destination port, or followed by
the value Unknown if the TCP or UDP header is not
present in the packet as the result of fragmentation.
- If the proto value is any value not previously
mentioned, the tag2 value is -= which indicates
that the data is not applicable.
- tag3
- The tag3 value varies depending on the proto value
and direction.
- If the proto value is TCP or UDP, the direction
is inbound, and the port has been translated by the CommServer NAT
Traversal function, the tag3 value is origport=
followed by the original source port.
- If the proto value is TCP or UDP, the direction
is outbound, and the port has been translated by the CommServer NAT
Traversal function, the tag3 value is origport= followed
by the original destination port.
- If the proto value is any value not previously
mentioned, the tag3 value is -= which indicates
that the data is not applicable.
- ifcaddr
- The interface address over which the packet was received or sent.
- dir
- Possible values are:
- I
- The packet is inbound.
- O
- The packet is outbound.
- secclass
- The security class assigned to the interface. The security class
is a numeric value in the range of 1-255.
- dest
- Possible values are:
- local
- The destination is a local destination.
- routed
- The packet is being routed.
- len
- The packet length.
- ifcname
- The interface name.
- frag
- Possible values are:
- Y
- The packet is a fragment.
- N
- The packet is not a fragment.
- routed
- The packet is not a fragment.
System action
TCP/IP processing continues.
Operator response
System programmer response
User response
Problem determination
Source
z/OS Communications Server TCP/IP: TRMD
Module
Routing code
Not applicable for syslog message.
Descriptor code
Not applicable for syslog message.
Automation
Example
EZD1721I Packet denied by defensive filter: 07/11/2007 23:40:08.78 filter rule= Block_192.30.30.0/24
ext= 1 sipaddr= 192.30.30.1 dipaddr= 192.1.1.1 proto= tcp(6) sport= 65000 dport= 21 -=
Interface= 192.1.1.1 (I) secclass= 255 dest= local len= 88 ifcname= LINK1 fragment= N
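
The field layout described above can be parsed into a record for alerting or log enrichment. The following Python parser is an added example, not IBM code: its regular expression is derived from the example message above, and the function names, the assumption that rule names contain no whitespace, and the constructed ICMP fragment sample are this example's own.

```python
import re
# Layout follows the page's example; rule names are assumed to hold no spaces.
EZD1721I = re.compile(
    r"EZD1721I Packet denied by defensive filter:\s+(?P<timestamp>\S+ \S+)\s+"
    r"filter rule=\s*(?P<rulename>\S+)\s+ext=\s*(?P<instance>\d+)\s+"
    r"sipaddr=\s*(?P<sipaddr>\S+)\s+dipaddr=\s*(?P<dipaddr>\S+)\s+"
    r"proto=\s*(?P<proto>[^\s(]+)(?:\((?P<protonum>\d+)\))?\s+(?P<tags>.*?)\s+"
    r"Interface=\s*(?P<ifcaddr>\S+)\s+\((?P<dir>[IO])\)\s+"
    r"secclass=\s*(?P<secclass>\d+)\s+dest=\s*(?P<dest>local|routed)\s+"
    r"len=\s*(?P<len>\d+)\s+ifcname=\s*(?P<ifcname>\S+)\s+fragment=\s*(?P<frag>[YN])"
)

def parse_tags(text):
    """Turn 'sport= 65000 dport= 21 -=' into {'sport': 65000, 'dport': 21}."""
    tags, tokens, i = {}, text.split(), 0
    while i < len(tokens):
        key = tokens[i].rstrip("=")
        has_value = i + 1 < len(tokens) and not tokens[i + 1].endswith("=")
        value = tokens[i + 1] if has_value else None
        i += 2 if has_value else 1
        if key != "-":  # "-=" means not applicable; "Unknown" stays a string
            tags[key] = int(value) if value and value.isdigit() else value
    return tags

def parse_ezd1721i(line):
    """Return the message fields as a dict, or None if the line does not match."""
    m = EZD1721I.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["proto"] = rec["proto"].upper()
    rec["tags"] = parse_tags(rec["tags"])
    for field in ("instance", "secclass", "len"):
        rec[field] = int(rec[field])
    rec["protonum"] = int(rec["protonum"]) if rec["protonum"] else None
    rec["frag"] = rec["frag"] == "Y"
    return rec

# The page's example message, joined onto one line.
PAGE_EXAMPLE = (
    "EZD1721I Packet denied by defensive filter: 07/11/2007 23:40:08.78 "
    "filter rule= Block_192.30.30.0/24 ext= 1 sipaddr= 192.30.30.1 dipaddr= 192.1.1.1 "
    "proto= tcp(6) sport= 65000 dport= 21 -= Interface= 192.1.1.1 (I) secclass= 255 "
    "dest= local len= 88 ifcname= LINK1 fragment= N"
)
# Constructed sample: the same packet as an ICMP fragment with no ICMP header.
CONSTRUCTED_FRAGMENT = PAGE_EXAMPLE.replace(
    "tcp(6) sport= 65000 dport= 21", "icmp(1) type= Unknown code= Unknown"
).replace("fragment= N", "fragment= Y")
```

Records where `frag` is true and a tag value is `Unknown` carry no port or type information, so downstream rules that key on ports should treat them separately.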