The default IP filter policy is in effect when the IP security policy, as configured in the Policy Agent, is not available. The default IP filter policy denies all network traffic, unless you modify the TCP/IP profile.
Two IP filters are created by the default IP filter policy, one denying IPv4 inbound traffic and the other denying IPv4 outbound traffic. If IP security for IPv6 is also enabled, the stack also creates two similar filters, one denying IPv6 inbound traffic and the other denying IPv6 outbound traffic. For example, assuming that the default IP filter policy is active, the following sample of the ipsec -f display command shows that SYSDEFAULTDENYRULE was added to the filter table:
ipsec -f display
CS V2R1 ipsec Stack Name: TCPCS Tue Feb 14 09:50:02 2012
Primary: Filter Function: Display Format: Detail
Source: Stack Profile Scope: Current TotAvail: 8
Logging: On Predecap: Off DVIPSec: No
NatKeepAlive: 0 FIPS140: No
Defensive Mode: Inactive
FilterName: SYSDEFAULTRULE.1
FilterNameExtension: 1
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Permit
Scope: Local
Direction: Outbound
OnDemand: n/a
SecurityClass: 0
Logging: All
LogLimit: n/a
Protocol: All
ICMPType: n/a
ICMPTypeGranularity: n/a
ICMPCode: n/a
ICMPCodeGranularity: n/a
OSPFType: n/a
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: 0.0.0.0
SourceAddressPrefix: 0
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: n/a
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: 0.0.0.0
DestAddressPrefix: 0
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: n/a
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:44:37
UpdateTime: 2012/02/14 09:44:37
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 49
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
FilterName: SYSDEFAULTRULE.1
FilterNameExtension: 2
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Permit
Scope: Local
Direction: Inbound
OnDemand: n/a
SecurityClass: 0
Logging: All
LogLimit: n/a
Protocol: All
ICMPType: n/a
ICMPTypeGranularity: n/a
ICMPCode: n/a
ICMPCodeGranularity: n/a
OSPFType: n/a
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: 0.0.0.0
SourceAddressPrefix: 0
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: n/a
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: 0.0.0.0
DestAddressPrefix: 0
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: n/a
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:44:37
UpdateTime: 2012/02/14 09:44:37
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 94
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
FilterName: SYSDEFAULTRULE.2
FilterNameExtension: 1
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Permit
Scope: Local
Direction: Outbound
OnDemand: n/a
SecurityClass: 0
Logging: All
LogLimit: n/a
Protocol: All
ICMPType: n/a
ICMPTypeGranularity: n/a
ICMPCode: n/a
ICMPCodeGranularity: n/a
OSPFType: n/a
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: ::
SourceAddressPrefix: 0
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: n/a
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: ::
DestAddressPrefix: 0
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: n/a
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:44:37
UpdateTime: 2012/02/14 09:44:37
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 5
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
FilterName: SYSDEFAULTRULE.2
FilterNameExtension: 2
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Permit
Scope: Local
Direction: Inbound
OnDemand: n/a
SecurityClass: 0
Logging: All
LogLimit: n/a
Protocol: All
ICMPType: n/a
ICMPTypeGranularity: n/a
ICMPCode: n/a
ICMPCodeGranularity: n/a
OSPFType: n/a
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: ::
SourceAddressPrefix: 0
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: n/a
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: ::
DestAddressPrefix: 0
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: n/a
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:44:37
UpdateTime: 2012/02/14 09:44:37
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 4
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
FilterName: SYSDEFAULTDENYRULE
FilterNameExtension: 1
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Deny
Scope: Both
Direction: Outbound
OnDemand: n/a
SecurityClass: 0
Logging: None
LogLimit: n/a
Protocol: All
ICMPType: n/a
ICMPTypeGranularity: n/a
ICMPCode: n/a
ICMPCodeGranularity: n/a
OSPFType: n/a
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: 0.0.0.0
SourceAddressPrefix: 0
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: n/a
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: 0.0.0.0
DestAddressPrefix: 0
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: n/a
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:44:37
UpdateTime: 2012/02/14 09:44:37
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 0
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
FilterName: SYSDEFAULTDENYRULE
FilterNameExtension: 2
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Deny
Scope: Both
Direction: Inbound
OnDemand: n/a
SecurityClass: 0
Logging: None
LogLimit: n/a
Protocol: All
ICMPType: n/a
ICMPTypeGranularity: n/a
ICMPCode: n/a
ICMPCodeGranularity: n/a
OSPFType: n/a
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: 0.0.0.0
SourceAddressPrefix: 0
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: n/a
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: 0.0.0.0
DestAddressPrefix: 0
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: n/a
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:44:37
UpdateTime: 2012/02/14 09:44:37
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 0
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
FilterName: SYSDEFAULTDENYRULE
FilterNameExtension: 3
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Deny
Scope: Both
Direction: Outbound
OnDemand: n/a
SecurityClass: 0
Logging: None
LogLimit: n/a
Protocol: All
ICMPType: n/a
ICMPTypeGranularity: n/a
ICMPCode: n/a
ICMPCodeGranularity: n/a
OSPFType: n/a
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: ::
SourceAddressPrefix: 0
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: n/a
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: ::
DestAddressPrefix: 0
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: n/a
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:44:37
UpdateTime: 2012/02/14 09:44:37
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 0
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
FilterName: SYSDEFAULTDENYRULE
FilterNameExtension: 4
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Deny
Scope: Both
Direction: Inbound
OnDemand: n/a
SecurityClass: 0
Logging: None
LogLimit: n/a
Protocol: All
ICMPType: n/a
ICMPTypeGranularity: n/a
ICMPCode: n/a
ICMPCodeGranularity: n/a
OSPFType: n/a
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: ::
SourceAddressPrefix: 0
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: n/a
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: ::
DestAddressPrefix: 0
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: n/a
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:44:37
UpdateTime: 2012/02/14 09:44:37
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 0
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
8 entries selected
Use IPSECRULE and IPSEC6RULE for permit rules that denote exceptions to the default-deny policy. When the default IP filter policy is active, these permit rules appear in the default IP filter table before the SYSDEFAULTDENYRULE entries. Typically, these exceptions are few and are used for administrative access to the system when IP security policy is unavailable. For instance, a sample default set of permit rules might include entries to provide the following access:
IPSECRULE and IPSEC6RULE entries are coded in the IPSEC block of the TCP/IP profile. They describe the attributes of the IP traffic that is allowed when the default IP filter policy is active. These rules can specify source address, destination address, protocol, source port, destination port, routing, and security class.
Unlike IP filter rules that are defined in Policy Agent, which allow direction to be specified, an IPSECRULE or IPSEC6RULE is always bidirectional. This means that for any IPSECRULE or IPSEC6RULE entry that specifies a source and destination address or port, an outbound rule is created with that source and destination address and port, along with an inbound rule with the source and destination addresses and ports reversed. (This equates to the use of the bidirectional keyword in an IpFilterRule statement.)
IPSECRULE and IPSEC6RULE entries always have an action of permit; there is no action specification for deny or permit with IPSec protection.
Assuming the administrative machine has an IP address of 9.1.1.2 and connects through an interface whose security class is 100, the following sample IPSECRULE entries enable the z/OS® system to communicate IPv4 DNS queries and OSPF routing advertisements to anyone, while giving blanket access to the administrator. The example IPSEC6RULE entry permits any ICMPv6 packets. An asterisk (*) is the default and represents all, indicating that any packet matches this attribute.
IPSEC LOGENable
; Rule SrcAddr DstAddr Logging Protocol SrcPort DestPort Routing Secclass
; OSPF protocol used by Omproute
IPSECRule * * NOLOG PROTO OSPF
; IGMP protocol used by Omproute
IPSECRule * * NOLOG PROTO 2
; DNS queries to UDP port 53
IPSECRule * * NOLOG PROTO UDP SRCPort * DESTport 53
; Administrative access
IPSECRule * 9.1.1.2 LOG SECCLASS 100
; ICMPv6 protocol
IPSEC6Rule * * NOLOG PROTO ICMPv6
ENDIPSEC
Any IPSECRULE and IPSEC6RULE entries that are coded are given a system-generated name for purposes of display. These rules are prefixed with the string SYSDEFAULTRULE. The IPSECRULE entries that are configured in the previous example are reflected in the ipsec -f display command as shown in the following example. Notice that there are two rules created for each IPSECRULE or IPSEC6RULE entry configured, one for each direction. The five rules that are configured in the example IPSEC block have been expanded into ten IP filters. Four additional filters have been created for the default-deny behavior. Each rule is given a unique filter name comprised of SYSDEFAULTRULE.number, where number is a numerical extension that indicates the relative order of the rule in the IP filter table. Because each IPSECRULE and IPSEC6RULE statement results in multiple filter rules with the same name (inbound and outbound), a FilterNameExtension value is assigned by the system to uniquely identify each filter.
ipsec -f display
CS V2R1 ipsec Stack Name: TCPCS Tue Feb 14 09:55:31 2012
Primary: Filter Function: Display Format: Detail
Source: Stack Profile Scope: Current TotAvail: 14
Logging: On Predecap: Off DVIPSec: No
NatKeepAlive: 0 FIPS140: No
Defensive Mode: Inactive
FilterName: SYSDEFAULTRULE.1
FilterNameExtension: 1
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Permit
Scope: Local
Direction: Outbound
OnDemand: n/a
SecurityClass: 0
Logging: None
LogLimit: n/a
Protocol: OSPF(89)
ICMPType: n/a
ICMPTypeGranularity: n/a
ICMPCode: n/a
ICMPCodeGranularity: n/a
OSPFType: All
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: 0.0.0.0
SourceAddressPrefix: 0
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: n/a
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: 0.0.0.0
DestAddressPrefix: 0
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: n/a
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:55:04
UpdateTime: 2012/02/14 09:55:04
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 3
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
FilterName: SYSDEFAULTRULE.1
FilterNameExtension: 2
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Permit
Scope: Local
Direction: Inbound
OnDemand: n/a
SecurityClass: 0
Logging: None
LogLimit: n/a
Protocol: OSPF(89)
ICMPType: n/a
ICMPTypeGranularity: n/a
ICMPCode: n/a
ICMPCodeGranularity: n/a
OSPFType: All
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: 0.0.0.0
SourceAddressPrefix: 0
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: n/a
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: 0.0.0.0
DestAddressPrefix: 0
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: n/a
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:55:04
UpdateTime: 2012/02/14 09:55:04
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 4
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
FilterName: SYSDEFAULTRULE.2
FilterNameExtension: 1
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Permit
Scope: Local
Direction: Outbound
OnDemand: n/a
SecurityClass: 0
Logging: None
LogLimit: n/a
Protocol: IGMP(2)
ICMPType: n/a
ICMPTypeGranularity: n/a
ICMPCode: n/a
ICMPCodeGranularity: n/a
OSPFType: n/a
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: 0.0.0.0
SourceAddressPrefix: 0
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: n/a
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: 0.0.0.0
DestAddressPrefix: 0
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: n/a
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:55:04
UpdateTime: 2012/02/14 09:55:04
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 0
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
FilterName: SYSDEFAULTRULE.2
FilterNameExtension: 2
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Permit
Scope: Local
Direction: Inbound
OnDemand: n/a
SecurityClass: 0
Logging: None
LogLimit: n/a
Protocol: IGMP(2)
ICMPType: n/a
ICMPTypeGranularity: n/a
ICMPCode: n/a
ICMPCodeGranularity: n/a
OSPFType: n/a
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: 0.0.0.0
SourceAddressPrefix: 0
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: n/a
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: 0.0.0.0
DestAddressPrefix: 0
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: n/a
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:55:04
UpdateTime: 2012/02/14 09:55:04
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 0
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
FilterName: SYSDEFAULTRULE.3
FilterNameExtension: 1
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Permit
Scope: Local
Direction: Outbound
OnDemand: n/a
SecurityClass: 0
Logging: None
LogLimit: n/a
Protocol: UDP(17)
ICMPType: n/a
ICMPTypeGranularity: n/a
ICMPCode: n/a
ICMPCodeGranularity: n/a
OSPFType: n/a
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: 0.0.0.0
SourceAddressPrefix: 0
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: All
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: 0.0.0.0
DestAddressPrefix: 0
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: 53
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:55:04
UpdateTime: 2012/02/14 09:55:04
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 0
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
FilterName: SYSDEFAULTRULE.3
FilterNameExtension: 2
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Permit
Scope: Local
Direction: Inbound
OnDemand: n/a
SecurityClass: 0
Logging: None
LogLimit: n/a
Protocol: UDP(17)
ICMPType: n/a
ICMPTypeGranularity: n/a
ICMPCode: n/a
ICMPCodeGranularity: n/a
OSPFType: n/a
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: 0.0.0.0
SourceAddressPrefix: 0
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: 53
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: 0.0.0.0
DestAddressPrefix: 0
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: All
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:55:04
UpdateTime: 2012/02/14 09:55:04
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 0
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
FilterName: SYSDEFAULTRULE.4
FilterNameExtension: 1
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Permit
Scope: Local
Direction: Outbound
OnDemand: n/a
SecurityClass: 100
Logging: All
LogLimit: n/a
Protocol: All
ICMPType: n/a
ICMPTypeGranularity: n/a
ICMPCode: n/a
ICMPCodeGranularity: n/a
OSPFType: n/a
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: 0.0.0.0
SourceAddressPrefix: 0
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: n/a
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: 9.1.1.2
DestAddressPrefix: n/a
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: n/a
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:55:04
UpdateTime: 2012/02/14 09:55:04
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 0
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
FilterName: SYSDEFAULTRULE.4
FilterNameExtension: 2
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Permit
Scope: Local
Direction: Inbound
OnDemand: n/a
SecurityClass: 100
Logging: All
LogLimit: n/a
Protocol: All
ICMPType: n/a
ICMPTypeGranularity: n/a
ICMPCode: n/a
ICMPCodeGranularity: n/a
OSPFType: n/a
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: 9.1.1.2
SourceAddressPrefix: n/a
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: n/a
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: 0.0.0.0
DestAddressPrefix: 0
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: n/a
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:55:04
UpdateTime: 2012/02/14 09:55:04
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 0
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
FilterName: SYSDEFAULTRULE.5
FilterNameExtension: 1
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Permit
Scope: Local
Direction: Outbound
OnDemand: n/a
SecurityClass: 0
Logging: None
LogLimit: n/a
Protocol: ICMPV6(58)
ICMPType: All
ICMPTypeGranularity: n/a
ICMPCode: All
ICMPCodeGranularity: n/a
OSPFType: n/a
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: ::
SourceAddressPrefix: 0
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: n/a
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: ::
DestAddressPrefix: 0
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: n/a
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:55:04
UpdateTime: 2012/02/14 09:55:04
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 0
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
FilterName: SYSDEFAULTRULE.5
FilterNameExtension: 2
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Permit
Scope: Local
Direction: Inbound
OnDemand: n/a
SecurityClass: 0
Logging: None
LogLimit: n/a
Protocol: ICMPV6(58)
ICMPType: All
ICMPTypeGranularity: n/a
ICMPCode: All
ICMPCodeGranularity: n/a
OSPFType: n/a
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: ::
SourceAddressPrefix: 0
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: n/a
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: ::
DestAddressPrefix: 0
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: n/a
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:55:04
UpdateTime: 2012/02/14 09:55:04
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 0
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
FilterName: SYSDEFAULTDENYRULE
FilterNameExtension: 1
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Deny
Scope: Both
Direction: Outbound
OnDemand: n/a
SecurityClass: 0
Logging: None
LogLimit: n/a
Protocol: All
ICMPType: n/a
ICMPTypeGranularity: n/a
ICMPCode: n/a
ICMPCodeGranularity: n/a
OSPFType: n/a
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: 0.0.0.0
SourceAddressPrefix: 0
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: n/a
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: 0.0.0.0
DestAddressPrefix: 0
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: n/a
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:44:37
UpdateTime: 2012/02/14 09:44:37
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 0
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
FilterName: SYSDEFAULTDENYRULE
FilterNameExtension: 2
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Deny
Scope: Both
Direction: Inbound
OnDemand: n/a
SecurityClass: 0
Logging: None
LogLimit: n/a
Protocol: All
ICMPType: n/a
ICMPTypeGranularity: n/a
ICMPCode: n/a
ICMPCodeGranularity: n/a
OSPFType: n/a
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: 0.0.0.0
SourceAddressPrefix: 0
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: n/a
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: 0.0.0.0
DestAddressPrefix: 0
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: n/a
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:44:37
UpdateTime: 2012/02/14 09:44:37
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 1
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
FilterName: SYSDEFAULTDENYRULE
FilterNameExtension: 3
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Deny
Scope: Both
Direction: Outbound
OnDemand: n/a
SecurityClass: 0
Logging: None
LogLimit: n/a
Protocol: All
ICMPType: n/a
ICMPTypeGranularity: n/a
ICMPCode: n/a
ICMPCodeGranularity: n/a
OSPFType: n/a
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: ::
SourceAddressPrefix: 0
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: n/a
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: ::
DestAddressPrefix: 0
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: n/a
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:44:37
UpdateTime: 2012/02/14 09:44:37
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 0
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
FilterName: SYSDEFAULTDENYRULE
FilterNameExtension: 4
GroupName: n/a
LocalStartActionName: n/a
VpnActionName: n/a
TunnelID: 0x00
Type: Generic
DefensiveType: n/a
State: Active
Action: Deny
Scope: Both
Direction: Inbound
OnDemand: n/a
SecurityClass: 0
Logging: None
LogLimit: n/a
Protocol: All
ICMPType: n/a
ICMPTypeGranularity: n/a
ICMPCode: n/a
ICMPCodeGranularity: n/a
OSPFType: n/a
TCPQualifier: n/a
ProtocolGranularity: n/a
SourceAddress: ::
SourceAddressPrefix: 0
SourceAddressRange: n/a
SourceAddressGranularity: n/a
SourcePort: n/a
SourcePortRange: n/a
SourcePortGranularity: n/a
DestAddress: ::
DestAddressPrefix: 0
DestAddressRange: n/a
DestAddressGranularity: n/a
DestPort: n/a
DestPortRange: n/a
DestPortGranularity: n/a
OrigRmtConnPort: n/a
RmtIDPayload: n/a
RmtUdpEncapPort: n/a
CreateTime: 2012/02/14 09:44:37
UpdateTime: 2012/02/14 09:44:37
DiscardAction: Silent
MIPv6Type: n/a
MIPv6TypeGranularity: n/a
TypeRange: n/a
CodeRange: n/a
RemoteIdentityType: n/a
RemoteIdentity: n/a
FragmentsOnly: No
FilterMatches: 0
LifetimeExpires: n/a
AssociatedStackCount: n/a
***********************************************************************
14 entries selected
For an IP security-enabled stack, one of the two security policies is always in effect, either the default policy or the IP security policy as defined in Policy Agent. The policy that is in effect at any given time is considered to be the active policy. The source field of the report header for the ipsec -f display command can be used to determine which policy is currently active as follows:
ipsec -f display
CS V1R12 ipsec Stack Name: TCPCS Tue Feb 16 09:55:31 2010
Primary: Filter Function: Display Format: Detail
Source: Stack Profile Scope: Current TotAvail: 14
Logging: On Predecap: Off DVIPSec: No
NatKeepAlive: 0 FIPS140: No
Defensive Mode: Inactive
FilterName: SYSDEFAULTRULE.1
FilterNameExtension: 1
Stack Profile indicates that the default IP filter policy is active; Stack Policy would indicate that the IP security policy as defined in Policy Agent is active.
You can also choose which policy is the active policy. The ipsec command provides the ability to switch the active policy between the default IP filter policy in the TCP/IP profile and the IP security policy in Policy Agent. Issuing the ipsec -f default command causes the default policy to become the active policy, while issuing the ipsec -f reload command reloads the IP security policy from Policy Agent, provided that Policy Agent is active and that IP security has been correctly configured.
There are cases in which you might want to switch to the default policy. For instance, in the event of a security breach, the ipsec -f default command allows only the network traffic that has been explicitly coded in the TCP/IP profile IPSEC block, which typically permits only administrative access.
It is important to use the ipsec -f default command with discretion. Issuing ipsec -f default on an operational system can have a dramatic impact and cause packets to be dropped, depending on how the IPSECRULE and IPSEC6RULE entries are coded. Consider the use of ipsec -f default as equivalent to a shutdown, and do not use it in normal circumstances unless the following conditions are true:
Malicious use of network resources can be identified by unusual IP traffic conditions, console messages, or log inspection. Should a security concern arise in a production environment, the following steps should be performed quickly to minimize the impact of potentially restricted flow of IP traffic.