i5/OS packet rules

You can use the i5/OS packet rules to protect your system. The packet rules are functions of the i5/OS operating system, and they are available from the System i® Navigator interface.

You can use the packet rules to configure two core network security technologies to control the flow of TCP/IP traffic:

  • Network address translation (NAT)
  • IP packet filtering

Because NAT and IP filtering are integrated parts of your i5/OS operating system, they provide an economical way for you to secure your system. In some cases, these security technologies can provide everything you need without any additional purchases. These technologies, however, do not create a true, functional firewall. You can use IP packet security alone or in conjunction with a firewall, depending on your security needs and objectives.
Note: The security of your system should take precedence over cost. To ensure that you provide maximum protection for your production system, consider using a firewall.

Network address translation and IP packet filtering

Network address translation (NAT) changes the source or the destination IP addresses of packets that flow through the system. NAT provides a more transparent alternative to the proxy and SOCKS servers of a firewall. NAT can also simplify network configuration by enabling networks with incompatible addressing structures to connect to each other. Consequently, you can use NAT rules so that an i5/OS operating system can function as a gateway between two networks that have conflicting or incompatible addressing schemes. You can also use NAT to hide the real IP addresses of one network by dynamically substituting one or more addresses for the real ones. Because IP packet filtering and NAT complement each other, you will often use them together to enhance network security.

Using NAT can also make it easier to operate a public Web server behind a firewall. Public IP addresses for the Web server translate to private internal IP addresses. This reduces the number of registered IP addresses that are required and minimizes impacts to the existing network. It also provides a mechanism for internal users to access the Internet while hiding the private internal IP addresses.

IP packet filtering provides the ability to selectively block or protect IP traffic based on information in the packet headers. You can use the Internet Setup Wizard in System i Navigator to quickly and easily configure basic filtering rules to block unwanted network traffic.

You can use IP packet filtering to do the following tasks:

  • Create a set of filter rules to specify which IP packets are allowed or denied access to your network. When you create filter rules, you apply them to a physical interface (for example, a token ring or Ethernet line). You can apply the same rules to multiple physical interfaces, or you can apply different rules to each interface.
  • Create rules to either permit or deny specific packets based on the following header information:
    • Destination IP address
    • Source IP address
    • Protocol (for example, TCP, UDP, and so forth)
    • Destination port (for example, port 80 for HTTP)
    • Source port
    • IP datagram direction (inbound or outbound)
    • Forwarded or local
  • Prevent unwanted or unnecessary traffic from reaching applications on the system. You can also prevent traffic from being forwarded to other systems. This includes low-level Internet Control Message Protocol (ICMP) packets (for example, PING packets) for which no specific application server is required.
  • Specify whether a filter rule creates a log entry in a system journal with information about the packets that match the rule. After the information is written to a system journal, you cannot change the log entry. The log is an ideal tool for auditing network activity.
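As an added illustration of the filter-rule model described above (example code, not part of the i5/OS documentation or product), the following Python models a first-match packet filter over the header fields listed: addresses, protocol, ports, direction, and forwarded versus local, with an append-only list standing in for the system journal. The rule set, the addresses, and the default-deny behaviour when no rule matches are constructed assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional
@dataclass
class Packet:
    src: str
    dst: str
    protocol: str            # "TCP", "UDP", "ICMP", ...
    direction: str           # "INBOUND" or "OUTBOUND"
    forwarded: bool          # True: transiting to another system; False: delivered locally
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
@dataclass
class Rule:
    action: str              # "PERMIT" or "DENY"
    direction: str = "*"
    src: str = "*"           # CIDR network, or "*" for any address
    dst: str = "*"
    protocol: str = "*"
    dst_port: Optional[int] = None   # None matches any port
    src_port: Optional[int] = None
    scope: str = "*"         # "FORWARDED", "LOCAL" or "*"
    journal: bool = False    # write a journal entry when this rule matches

    def matches(self, p: Packet) -> bool:
        def addr_ok(pattern: str, addr: str) -> bool:
            return pattern == "*" or ip_address(addr) in ip_network(pattern, strict=False)
        return (self.direction in ("*", p.direction)
                and addr_ok(self.src, p.src) and addr_ok(self.dst, p.dst)
                and self.protocol in ("*", p.protocol)
                and self.dst_port in (None, p.dst_port)
                and self.src_port in (None, p.src_port)
                and (self.scope == "*" or (self.scope == "FORWARDED") == p.forwarded))

JOURNAL: List[str] = []  # constructed stand-in for the append-only system journal

def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; default DENY when no rule matches (an assumption)."""
    for r in rules:
        if r.matches(p):
            if r.journal:
                JOURNAL.append(f"{r.action} {p.direction} {p.protocol} {p.src}->{p.dst}:{p.dst_port}")
            return r.action
    return "DENY"
# Constructed rule set: permit HTTP to the web server, log and drop ping, log and drop forwarding.
WEB_RULES = [
    Rule("PERMIT", direction="INBOUND", dst="10.1.1.10/32", protocol="TCP", dst_port=80, scope="LOCAL"),
    Rule("DENY", direction="INBOUND", protocol="ICMP", journal=True),
    Rule("DENY", scope="FORWARDED", journal=True),
]
```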

With the packet filter rules, you can protect your computer systems by rejecting or accepting IP packets according to criteria that you define. NAT rules allow you to hide your internal system information from external users by substituting one public IP address for your internal IP address information. Although IP packet filter and NAT rules are core network security technologies, they do not provide the same level of security that a fully functional firewall product does. You should carefully analyze your security needs and objectives when deciding between a complete firewall product and the i5/OS packet rules feature.