Use the IPSEC statement to define policy for the IPv4 security function that is enabled with the IPCONFIG IPSECURITY parameter. The IPSEC statement is ignored if IPSECURITY is not specified on the IPCONFIG statement. If you also enable IPv6 security with the IPCONFIG6 IPSECURITY parameter, the IPSEC statement also defines policy for IPv6 IP security.
Restriction: Only one IPSEC statement block should appear in the profile. Any subsequent statement blocks are ignored and an informational message is generated. Multiple filter rules can be defined in the IPSEC block.
Rule: Specify the parameters in the order shown here.
IPSEC  [DVIPsec]  [LOGDISable | LOGENable]  [NOLOGImplicit | LOGImplicit]
       [IP Filter Rule ...]
ENDIPSEC

   Defaults: LOGDISable, NOLOGImplicit. Uppercase letters in a keyword show its
   minimum abbreviation (for example IPSECR for IPSECRule, PROTO for PROTOcol).

IP Filter Rule:
   IPv4 Filter Rule | IPv6 Filter Rule

IPv4 Filter Rule:
   IPSECRule  {src_ipaddr | src_ipaddr/prefix_length | *}
              {dest_ipaddr | dest_ipaddr/prefix_length | *}
              [NOLOG | LOG]                                   (default: NOLOG)
              Protocol
              [ROUTING {LOCAL | ROUTED | EITHER}]             (default: ROUTING LOCAL)
              [SECCLASS securityclass]                        (default: SECCLASS 0)

   Protocol (IPv4):
      PROTOcol *                                               (default)
      PROTOcol {TCP | 6 | UDP | 17} [SRCPort {* | num}] [DESTport {* | num}]
      PROTOcol {ICMP | 1} [TYPE {* | icmptype} [CODE {* | icmpcode}]]
      PROTOcol {OSPF | 89} [TYPE {* | ospftype}]
      PROTOcol protocol_number

IPv6 Filter Rule:
   IPSEC6Rule {src_ipaddr | src_ipaddr/prefix_length | *}
              {dest_ipaddr | dest_ipaddr/prefix_length | *}
              [NOLOG | LOG]                                   (default: NOLOG)
              Protocol
              [ROUTING {LOCAL | ROUTED | EITHER}]             (default: ROUTING LOCAL)
              [SECCLASS securityclass]                        (default: SECCLASS 0)

   Protocol (IPv6):
      PROTOcol *                                               (default)
      PROTOcol {TCP | 6 | UDP | 17} [SRCPort {* | num}] [DESTport {* | num}]
      PROTOcol {ICMPV6 | 58} [TYPE {* | icmptype} [CODE {* | icmpcode}]]
      PROTOcol {OSPF | 89} [TYPE {* | ospftype}]
      PROTOcol protocol_number
For more information about NAT Traversal configuration scenarios, see z/OS Communications Server: IP Configuration Guide.
If LOGENABLE is specified, then the log setting on the individual default filter rules and the implicit default rules is honored. The log setting for individual default rules is specified with the LOG/NOLOG parameter. The log setting for the implicit default rules is specified with the LOGIMPLICIT/NOLOGIMPLICIT parameter.
If LOGDISABLE is specified, then the log setting on the individual default filter rules and the implicit default rules is ignored and no packet filter logging is done.
If the IPSEC statement is not specified, packet filter logging is disabled for packets that are handled by the implicit default rules. To turn on packet filter logging for the implicit default rules, IPSEC must be coded with the LOGENABLE and LOGIMPLICIT parameters.
A setting of LOGIMPLICIT is honored only when filter logging is enabled on the IPSEC statement with LOGENABLE.
The default IP filter policy consists of the following rules:
The explicit rules appear first in the search order and the implicit deny all rules appear last in the search order.
The rules defined explicitly with the IPSECRULE and IPSEC6RULE statements are permit rules. Each rule is treated as bidirectional, generating both an outbound and inbound permit rule. The outbound rule permits outbound traffic from the specified source to the specified destination. The inbound rule permits inbound traffic with the destination and source reversed. IP traffic not explicitly permitted by one of the defined rules is denied while the default IP filter policy is in effect.
The physical order in which the rules are defined in the profile determines the search order for the rules. The rule parameters are ANDed together to determine whether the IP traffic matches the filter rule.
If you configure an IPSEC6RULE statement but do not specify IPCONFIG6 IPSECURITY, TCP/IP rejects the IPSEC6RULE statement and issues message EZZ0787I (see z/OS Communications Server: IP Messages Volume 4 (EZZ, SNM)).
If the IPSEC statement is not specified or if no default IP filter rules are specified, the default IP filter table consists only of the implicitly defined deny all rule.
Specify an asterisk (*) to allow any source IP address to match.
Specify an asterisk (*) to allow any destination IP address to match.
Valid values for num are in the range 1 - 65535. The default is an asterisk (*), which indicates that any source port matches this parameter.
Rule: If the ROUTING value is ROUTED or EITHER, SRCPORT must be defined as all ports (*).
Valid values for num are in the range 1 - 65535. The default is *, which indicates that any destination port matches.
Restriction: If the ROUTING value is ROUTED or EITHER, DESTPORT must be defined as all ports (*).
Valid values for num are in the range 1 - 65535. The default is *, which indicates that any source port matches.
Restriction: If the ROUTING value is ROUTED or EITHER, SRCPORT must be defined as all ports (*).
Valid values for num are in the range 1 - 65535. The default is *, which indicates that any destination port matches.
Restriction: If the ROUTING value is ROUTED or EITHER, DESTPORT must be defined as all ports (*).
Restriction: The ICMPv6 protocol is valid only on an IPSEC6RULE statement.
Rule: For IP traffic to be permitted by this rule, the protocol of the traffic must be ICMPv6.
Restriction: For IP traffic to be permitted by this rule, the protocol of the traffic must be OSPF.
For a list of the possible IPv4 OSPF types, see RFC 1583 OSPF Version 2. For a list of the possible IPv6 OSPF types, see RFC 2740, OSPF for IPv6. See Related protocol specifications for more information about accessing RFCs.
Restriction: For IP traffic to be permitted by this rule, the protocol of the traffic must match this parameter.
Restriction: For IP traffic to be permitted by this rule, the security class of the interface that the traffic is inbound to or outbound from must match this parameter.
For IPv4, the security class for the interface is specified as SECCLASS on the LINK, INTERFACE, or IPCONFIG DYNAMICXCF statement. For IPv6, the security class for the interface is specified as SECCLASS on the INTERFACE or IPCONFIG6 DYNAMICXCF statement. A value of 0 matches any security class value coded on the corresponding profile statement that defines the interface. For more information about security class values, see z/OS Communications Server: IP Configuration Guide. The default value is 0.
To delete all defined default filter rules leaving only the implicit deny all default rule, the data set must contain a new IPSEC statement with no default filter rules defined. If the data set does not contain an IPSEC statement, then the existing default filter rules remain in effect.
If IP filtering is being done based on the default filter rules, then the modified default filter rules are in effect following the VARY TCPIP,,OBEYFILE command. If IP filtering is being done based on the filter rules defined to Policy Agent, then the default filter rules are updated by the VARY TCPIP,,OBEYFILE command, but filter rules defined in Policy Agent remain in effect. The ipsec -f default command must be issued to cause the default filter rules to be used.
For more information about the VARY TCPIP commands, see z/OS Communications Server: IP System Administrator's Commands.
IPSEC
; Rule SourceIp DestIp Logging Prot SrcPort DestPort Routing Secclass
;
; Permit outbound IPv4 TCP traffic from local IP address 1.1.1.1 port 23 to remote IP address 2.2.2.2
; Permit inbound IPv4 TCP traffic from remote IP address 2.2.2.2 to local IP address 1.1.1.1 port 23
IPSECR 1.1.1.1 2.2.2.2 NOLOG PROTO TCP SRCPORT 23 DESTPORT * ROUTING LOCAL
;
; Permit outbound IPv4 TCP traffic from local IP address 1.1.1.1 to remote IP address 2.2.2.2 port 23
; Permit inbound IPv4 TCP traffic from remote IP address 2.2.2.2 port 23 to local IP address 1.1.1.1
IPSECR 1.1.1.1 2.2.2.2 NOLOG PROTO TCP SRCPORT * DESTPORT 23
;
; Permit outbound IPv4 ICMP traffic from local IP addresses 1.2.0.0/16
; Permit inbound IPv4 ICMP traffic to local IP addresses 1.2.0.0/16
IPSECR 1.2.0.0/16 * LOG PROTO ICMP
; Permit all routed IPv4 traffic
; IPSECR * * LOG PROTO * ROUTING ROUTED
; Permit all local outbound traffic to remote IP address 1.2.3.4
; Permit all local inbound traffic from remote IP address 1.2.3.4
IPSECR * 1.2.3.4
; Permit local outbound IPv6 Neighbor Solicitations
; Permit local inbound IPv6 Neighbor Solicitations
IPSEC6R * * LOG PROTO ICMPV6 TYPE 135
; Permit local outbound IPv6 Neighbor Advertisements
; Permit local inbound IPv6 Neighbor Advertisements
IPSEC6R * * LOG PROTO ICMPV6 TYPE 136
; Permit local inbound IPv6 Router Advertisements from remote IP address 2001::1:2:3:4
IPSEC6R * 2001::1:2:3:4/128 LOG PROTO ICMPV6 TYPE 134
ENDIPSEC
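The search semantics described above (physical order decides the search order, all rule parameters are ANDed, each IPSECRULE generates an outbound rule and a mirrored inbound rule, and anything left unmatched hits the implicit deny-all rule) are easy to get wrong when reading a profile by eye. The following is an added illustration, not IBM code: a small Python model that parses IPSECRULE/IPSEC6RULE lines in the abbreviated form used in the example profile above and evaluates constructed packets against them. The packet fields, the dictionary key names, and the helper names are assumptions made for this example.

```python
"""Constructed model of default IP filter rule matching (illustration, not IBM code)."""
import ipaddress

PROTO_NUM = {"TCP": "6", "UDP": "17", "ICMP": "1", "ICMPV6": "58", "OSPF": "89"}
KEYS = {"PROTO": "proto", "PROTOCOL": "proto", "SRCPORT": "sport", "DESTPORT": "dport",
        "TYPE": "type", "CODE": "code", "ROUTING": "routing", "SECCLASS": "secclass"}
# Constructed sample: rules taken from the example profile on this page, in profile order.
SAMPLE_PROFILE = """
IPSECR 1.1.1.1 2.2.2.2 NOLOG PROTO TCP SRCPORT 23 DESTPORT * ROUTING LOCAL
IPSECR 1.2.0.0/16 * LOG PROTO ICMP
; IPSECR * * LOG PROTO * ROUTING ROUTED
IPSEC6R * * LOG PROTO ICMPV6 TYPE 135
IPSEC6R * 2001::1:2:3:4/128 LOG PROTO ICMPV6 TYPE 134
"""

def parse_rule(line):
    """Parse 'IPSECR src dst [LOG|NOLOG] [PROTO p] [SRCPORT n] [DESTPORT n] [TYPE t] ...'."""
    tok = line.upper().split()
    r = {"src": tok[1], "dst": tok[2], "log": False, "proto": "*", "sport": "*",
         "dport": "*", "type": "*", "code": "*", "routing": "LOCAL", "secclass": "0"}
    i = 4 if len(tok) > 3 and tok[3] in ("LOG", "NOLOG") else 3   # LOG/NOLOG is positional
    r["log"] = i == 4 and tok[3] == "LOG"
    for key, val in zip(tok[i::2], tok[i + 1::2]):               # the rest are keyword pairs
        r[KEYS[key]] = PROTO_NUM.get(val, val) if KEYS[key] == "proto" else val
    if r["routing"] != "LOCAL" and (r["sport"], r["dport"]) != ("*", "*"):
        raise ValueError("ROUTED/EITHER rules must leave SRCPORT and DESTPORT as *")
    return r

def load_rules(profile_text):
    """Keep IPSECRULE/IPSEC6RULE lines in profile order; ';' comment lines are skipped."""
    return [parse_rule(ln) for ln in profile_text.splitlines()
            if ln.split() and ln.split()[0].upper().startswith(("IPSECR", "IPSEC6R"))]
def _eq(pat, value):   # '*' matches anything; otherwise exact match on the text form
    return pat == "*" or pat == str(value)
def _addr_ok(pat, addr):   # '*', a host address, or a prefix such as 1.2.0.0/16
    return pat == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(pat, strict=False)

def rule_matches(r, pkt):
    """All parameters are ANDed; inbound traffic is checked against the mirrored rule."""
    src, dst, sp, dp = r["src"], r["dst"], r["sport"], r["dport"]
    if pkt["direction"] == "IN":   # generated inbound rule: source and destination reversed
        src, dst, sp, dp = dst, src, dp, sp
    return (_addr_ok(src, pkt["src"]) and _addr_ok(dst, pkt["dst"])
            and _eq(r["proto"], pkt["proto"]) and _eq(sp, pkt["sport"]) and _eq(dp, pkt["dport"])
            and _eq(r["type"], pkt["type"]) and _eq(r["code"], pkt["code"])
            and r["routing"] in ("EITHER", pkt["routing"])
            and (r["secclass"] == "0" or r["secclass"] == str(pkt["secclass"])))

def filter_packet(rules, pkt):
    """First matching explicit rule permits; traffic matching none hits the implicit deny-all."""
    return next((("PERMIT", r) for r in rules if rule_matches(r, pkt)), ("DENY", None))
```

Because the ROUTED rule in the sample is commented out, a routed packet is denied even though it would match the ICMP rule in every other respect; the same packet with ROUTING LOCAL is permitted.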