Use the PORT and PORTRANGE statements in the PROFILE.TCPIP data set to reserve ports for specified user IDs, procedures, and job names.
Tip: The following example was used for test configuration and is for illustration only. The example shows a portion of SEZAINST(SAMPPROF), which contains the most current assignments.
;
; PORT: Reserves a port for specified job names
;
; - A port that is not reserved in this list can be used by any user.
; If you have TCP/IP hosts in your network that reserve ports
; in the range 1-1023 for privileged applications, you should
; reserve them here to prevent users from using them.
; The RESTRICTLOWPORTS option on TCPCONFIG and UDPCONFIG will also
; prevent unauthorized applications from accessing unreserved
; ports in the 1-1023 range.
;
; - A PORT statement with the optional keyword SAF followed by a
; 1-8 character name can be used to reserve a PORT and control
; access to the PORT with a security product such as RACF.
; For port access control, the full resource name for the security
; product authorization check is constructed as follows:
; EZB.PORTACCESS.sysname.tcpname.safname
; where:
; EZB.PORTACCESS is a constant
; sysname is the MVS system name (substitute your sysname)
; tcpname is the TCPIP jobname (substitute your jobname)
; safname is the 1-8 character name following the SAF keyword
;
; When PORT access control is used, the TCP/IP application must be
; running under a USERID that is authorized to the resource. The
; resources are defined in the SERVAUTH class.
;
; For an example of how the SAF keyword can be used to enhance
; security, see the definition below for the FTP data PORT 20
; with the SAF keyword. This definition reserves TCP PORT 20 for
; any jobname (the *) but requires that the FTP user be permitted
; by the security product to the resource:
; EZB.PORTACCESS.sysname.tcpname.FTPDATA in the SERVAUTH class.
;
; - The BIND keyword is used to force a generic server (one that
; binds to the IPv4 INADDR_ANY address, or the IPv6 unspecified
; address, in6addr_any) to bind to the specific IP address that
; is specified following the BIND keyword. This capability could
; be used, for example, to allow z/OS UNIX telnet and telnet
; 3270 servers to both bind to TCP port 23.
; The IP address that follows BIND must be in IPv4 (dotted
; decimal) or IPv6 (colon-hexadecimal) format and may be
; any valid address for the host, including VIPA and dynamic
; VIPA addresses.
;
; The special jobname of OMVS indicates that the PORT is reserved
; for any application with the exception of those that use the Pascal
; API.
;
; The special jobname of * indicates that the PORT is reserved
; for any application, including Pascal API socket applications.
; Jobname may be specified as a prefix of zero to seven characters
; ending in *.
;
; The special jobname of RESERVED indicates that the PORT is
; blocked. It will not be available to any application.
;
; GUIDELINE: When IPSECURITY is enabled, UDP ports 500 and 4500
; should either be reserved for IKED (if it is in use) or should
; be marked RESERVED.
;
; TIP: The PORT statement can also be used to control application
; access to unreserved ports by configuring PORT entries where the
; port number is replaced by the keyword UNRSV.
;
PORT
7 UDP MISCSERV ; Miscellaneous Server - echo
7 TCP MISCSERV ; Miscellaneous Server - echo
9 UDP MISCSERV ; Miscellaneous Server - discard
9 TCP MISCSERV ; Miscellaneous Server - discard
19 UDP MISCSERV ; Miscellaneous Server - chargen
19 TCP MISCSERV ; Miscellaneous Server - chargen
20 TCP * NOAUTOLOG ; FTP Server
; 20 TCP * NOAUTOLOG SAF FTPDATA ; FTP Server
21 TCP FTPD1 ; FTP Server
23 TCP TN3270 ; Telnet 3270 Server
; 23 TCP INETD1 BIND 9.67.113.3 ; z/OS UNIX Telnet server
25 TCP SMTP ; SMTP Server
111 TCP PORTMAP ; Portmap Server (SUN 3.9)
111 UDP PORTMAP ; Portmap Server (SUN 3.9)
; 111 TCP PORTMAP1 ; Unix Portmap Server (SUN 4.0)
; 111 UDP PORTMAP1 ; Unix Portmap Server (SUN 4.0)
123 UDP SNTPD ; Simple Network Time Protocol Server
135 UDP LLBD ; NCS Location Broker
161 UDP OSNMPD ; SNMP Agent
389 TCP LDAPSRV ; LDAP Server
443 TCP HTTPS ; http protocol over TLS/SSL
443 UDP HTTPS ; http protocol over TLS/SSL
; 500 UDP IKED ; CS IKE daemon
512 TCP RXSERVE ; Remote Execution Server
514 TCP RXSERVE ; Remote Execution Server
; 512 TCP * SAF OREXECD ; z/OS UNIX Remote Execution Server
; 514 TCP * SAF ORSHELLD ; z/OS UNIX Remote Shell Server
; 515 TCP LPSERVE ; LPD Server
; 515 TCP AOPLPD ; Infoprint LPD Server
520 UDP OMPROUTE ; OMPROUTE Server (IPv4 RIP)
521 UDP OMPROUTE ; OMPROUTE Server (IPv6 RIP)
580 UDP NCPROUT ; NCPROUTE Server
750 TCP MVSKERB ; Kerberos
750 UDP MVSKERB ; Kerberos
751 TCP ADM@SRV ; Kerberos Admin Server
751 UDP ADM@SRV ; Kerberos Admin Server
; 1700 TCP PAGENT NOAUTOLOG ; Policy Agent pagentQosListener port
; 1701 TCP PAGENT NOAUTOLOG ; Policy Agent pagentQosCollector port
3000 TCP CICSTCP ; CICS Socket
3389 TCP MSYSLDAP ; LDAP Server for Msys
; 4159 TCP NSSD ; CS NSS daemon
; 4500 UDP IKED ; CS IKE daemon
;16310 TCP PAGENT NOAUTOLOG ; Policy Agent server listener port
;
;
; PORTRANGE: Reserves a range of ports for specified jobnames.
;
; In a common INET (CINET) environment, the port range indicated by
; the INADDRANYPORT and INADDRANYCOUNT in your BPXPRMxx parmlib member
; should be reserved for OMVS.
;
; The special jobname of OMVS indicates that the PORTRANGE is reserved
; for ANY z/OS UNIX socket application.
;
; The special jobname of * indicates that the PORTRANGE is reserved
; for any socket application, including Pascal API socket
; applications.
;
; The special jobname of RESERVED indicates that the PORTRANGE is
; blocked. It will not be available to any application.
;
; The SAF keyword is used to restrict access to the PORTRANGE to
; authorized users. See the use of SAF on the PORT statement above.
;
;
; PORTRANGE 4000 1000 TCP OMVS
; PORTRANGE 4000 1000 UDP OMVS
; PORTRANGE 2000 3000 TCP RESERVED
; PORTRANGE 5000 6000 TCP * SAF RANGE1
;
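As an added example, not from SAMPPROF or any IBM-supplied tool: a small Python checker that parses PORT and PORTRANGE entries in the syntax shown above, builds the EZB.PORTACCESS.sysname.tcpname.safname resource name for every entry that carries the SAF keyword, and flags the three conditions the comments above call out: UDP 500 and 4500 not held by IKED or RESERVED while IPSECURITY is on, RESTRICTLOWPORTS missing for a protocol that still has unreserved ports in 1-1023, and a jobname of * or prefix* with no SAF keyword. The profile fragment at the bottom is constructed for the demonstration, and SYS1 and TCPIP are placeholders for your MVS system name and TCP/IP job name.

```python
"""Hypothetical checker (not z/OS code) for PROFILE.TCPIP PORT/PORTRANGE statements."""
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class PortEntry:
    kind: str                   # "PORT" or "PORTRANGE"
    first: int                  # port number, or first port of the range
    count: int                  # 1 for PORT, number of ports for PORTRANGE
    proto: str                  # "TCP" or "UDP"
    jobname: str                # jobname, prefix ending in "*", "*", "OMVS" or "RESERVED"
    saf: Optional[str] = None   # 1-8 character name following SAF
    bind: Optional[str] = None  # address following BIND
    options: List[str] = field(default_factory=list)  # NOAUTOLOG, SHAREPORT, ...

    def covers(self, port: int) -> bool:
        return self.first <= port < self.first + self.count

@dataclass
class Profile:
    entries: List[PortEntry] = field(default_factory=list)
    ipsecurity: bool = False                            # IPCONFIG IPSECURITY seen
    restrictlowports: set = field(default_factory=set)  # protocols with RESTRICTLOWPORTS

def _parse_entry(kind: str, tokens: List[str]) -> PortEntry:
    """PORT: num proto jobname [opts]; PORTRANGE: first count proto jobname [opts]."""
    if kind == "PORTRANGE":
        first, count, proto, jobname, *opts = tokens
        entry = PortEntry(kind, int(first), int(count), proto, jobname)
    else:
        num, proto, jobname, *opts = tokens   # UNRSV (unreserved ports) modelled as port 0
        entry = PortEntry(kind, 0 if num == "UNRSV" else int(num), 1, proto, jobname)
    it = iter(opts)
    for opt in it:
        if opt in ("SAF", "BIND"):            # keywords that take a value
            setattr(entry, opt.lower(), next(it))
        else:
            entry.options.append(opt)
    return entry

def parse_profile(text: str) -> Profile:
    prof = Profile()
    in_port = False  # inside the entry lines that follow a PORT statement
    for raw in text.splitlines():
        tokens = raw.split(";", 1)[0].upper().split()  # ';' starts a comment
        if tokens and tokens[0] == "PORT":             # entries may begin on the PORT line
            in_port, tokens = True, tokens[1:]
        if not tokens:
            continue
        head = tokens[0]
        if in_port and (head.isdigit() or head == "UNRSV"):
            prof.entries.append(_parse_entry("PORT", tokens))
            continue
        in_port = False  # any other statement ends the PORT list
        if head == "PORTRANGE":
            prof.entries.append(_parse_entry("PORTRANGE", tokens[1:]))
        elif head == "IPCONFIG" and "IPSECURITY" in tokens:
            prof.ipsecurity = True
        elif head in ("TCPCONFIG", "UDPCONFIG") and "RESTRICTLOWPORTS" in tokens:
            prof.restrictlowports.add(head[:3])
    return prof

def saf_resource(entry: PortEntry, sysname: str, tcpname: str) -> Optional[str]:
    """SERVAUTH resource checked for a SAF entry: EZB.PORTACCESS.sysname.tcpname.safname"""
    return None if entry.saf is None else f"EZB.PORTACCESS.{sysname}.{tcpname}.{entry.saf}"

def check_profile(prof: Profile) -> List[str]:
    findings: List[str] = []
    owners = lambda proto, port: [e for e in prof.entries if e.proto == proto and e.covers(port)]
    # GUIDELINE: with IPSECURITY, UDP 500 and 4500 go to IKED or are marked RESERVED
    if prof.ipsecurity:
        for port in (500, 4500):
            if not any(e.jobname in ("IKED", "RESERVED") for e in owners("UDP", port)):
                findings.append(f"UDP {port} should be reserved for IKED or marked RESERVED (IPSECURITY is on)")
    # Privileged range: reserve each port here or set RESTRICTLOWPORTS
    for proto in ("TCP", "UDP"):
        if proto not in prof.restrictlowports:
            free = sum(1 for p in range(1, 1024) if not owners(proto, p))
            findings.append(f"{proto}: RESTRICTLOWPORTS not set and {free} ports in 1-1023 are unreserved")
    # * or a prefix* opens the port to any application unless SAF gates it
    for e in prof.entries:
        if e.jobname.endswith("*") and e.saf is None:
            span = str(e.first) if e.count == 1 else f"{e.first}-{e.first + e.count - 1}"
            findings.append(f"{e.kind} {span} {e.proto}: jobname {e.jobname} without SAF")
    return findings

# Constructed fragment for the demo (not SAMPPROF): mixes sound and weak entries
SAMPLE_PROFILE = """\
IPCONFIG IPSECURITY
TCPCONFIG RESTRICTLOWPORTS
PORT
   20 TCP * NOAUTOLOG SAF FTPDATA   ; FTP data port, gated through SERVAUTH
   23 TCP INETD1 BIND 9.67.113.3    ; z/OS UNIX Telnet server
  500 UDP IKED                      ; CS IKE daemon (UDP 4500 is missing)
  512 TCP *                         ; rexec reserved for any jobname, no SAF
PORTRANGE 4000 1000 TCP OMVS
PORTRANGE 5000 6000 TCP * SAF RANGE1
"""
```

Running parse_profile and check_profile over a real profile lists the SERVAUTH resource names that must be defined and permitted (what saf_resource returns is exactly the name the security product checks) and the entries that need attention. The parser only interprets the keywords shown above; any other option is kept verbatim in options, and a SAF or BIND keyword with no value following it is treated as a malformed entry and raises.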