EZD0815I

Explanation
 An IP packet matched the indicated deny filter
rule.  For this message to be  written, the matched filter rule must
have IpFilterLogging set to yes. 
 timestamp is
the stack timestamp that indicates the time at which the IP packet
was processed by the stack. This time is retrieved from the system
time-of-day clock, which usually reflects coordinated universal time
(UTC).   This timestamp might be different than the syslogd message
timestamp. 
 rulename is the filter rule
name.  If the IP packet matched a dynamic filter  rule, the rule name
of the corresponding anchor filter rule will be displayed;  otherwise,
the rule name of the matching filter rule will be displayed.      In the policy agent configuration file, rulename is
the name specified on the IpFilterRule statement.
When configured with the IBM® Configuration
Assistant for z/OS® Communications
Server, rulename corresponds to the name of a Connectivity
Rule in the GUI.  rulename also contains a suffix
appended to the Connectivity Rule name to guarantee uniqueness.  

 instance is the rule name extension
that indicates which instance of the rule  name was matched. 
 sipaddr is
the source IP address. 
 dipaddr is the destination
IP address.  
 proto is the protocol of the
packet.   Possible  values are:  ICMP(1)
IGMP(2)
IP(4)
TCP(6)
UDP(17)
ESP(50)
AH(51)
ICMPv6(58)
OSPF(89)
MIPv6(135)
IPIP(94)
Unknown
The protocol number

 The tag1 value varies depending  on
the proto value. If the proto value is ICMP or ICMPv6, the tag1 value
is  type=  followed by the  ICMP or ICMPv6 type, or followed
by the value Unknown if the ICMP header is not present
in the packet as the result of fragmentation.
If the proto value is TCP or  UDP, the tag1 value
is sport= followed by the  source port, or followed by the
value Unknown if the TCP or UDP header is not present
in the packet as the result of fragmentation.
If the proto value is OSPF, the tag1 value
is  type= followed by the type, or followed by the value Unknown if
the OSPF header is not present in the packet as the result of fragmentation.
If the proto value is MIPv6, the tag1 value
is type= followed by the type, or followed by the value Unknown if
the MIPv6 header is not present in the packet as the result of fragmentation.
If the proto value is any value not previously
mentioned, the tag1 value is -= which indicates
that the data is not applicable.

 tag2  value varies depending  on the proto value.
 If the proto value is ICMP or ICMPv6, the tag2 value
is code=  followed by the  ICMP or ICMPv6 code, or followed
by the value Unknown if the ICMP header is not present
in the packet as the result of fragmentation.
If the proto value is TCP or  UDP, the tag2 value
is dport= followed by the  destination port, or followed by
the value Unknown if the TCP or UDP header is not
present in the packet as the result of fragmentation.
If the proto value is any value not previously
mentioned, the tag2 value is -= which indicates
that the data is not applicable.     

 tag3  value varies depending  on the proto value
and direction.     If the proto value is TCP or  UDP, the direction
is inbound, and the port has been  translated by the CommServer NAT
Traversal  function, the tag3 value is origport= 
followed by the original  source port.   
If the proto value is TCP or  UDP, the direction
is outbound, and the port has  been translated by the CommServer NAT
Traversal  function, the tag3 value is origport= followed
by the original  destination port.   
If the proto value is any value not previously
mentioned, the tag3 value is -= which indicates
that the data is not applicable.

 ifcaddr is the interface address over
which the packet was received or sent. 
 dir is I if
packet is inbound, O if packet is outbound. 
 secclass is
the security class assigned to the interface.  Security class is a
 numeric value in the range of 0–255.
 dest is local if
a local destination  or routed if being routed. 
 len is
the packet length. 
 vpnaction is the vpnaction
name.  If no tunnel is associated with the matched filter, vpnaction displays N/A.
 In the policy agent configuration file, the vpnaction value
is one of the following: If  the tunnel is a manual tunnel, vpnaction is
the name specified on the  IpManVpnAction statement.   
If the tunnel is a dynamic tunnel,  vpnaction is
the  name specified on the IpDynVpnAction statement.  

When configured with the IBM Configuration
Assistant for z/OS Communications
Server, the vpnaction name corresponds to the name
of the security level in the GUI.  The vpnaction name
also contains a suffix appended to the security level name  to guarantee
uniqueness.  

 ifcname is the interface name
 tunID is
the tunnel ID.
 frag specifies whether the
packet is a fragment.  The value is Y if the packet
is a fragment, or N if the packet is not a fragment.

System action
 TCP/IP processing continues.

Operator response
 None.

System programmer response
 None.

User response
 Not applicable.

Problem determination
 Not applicable.

Source
 z/OS Communications
Server TCP/IP: TRMD

Module
 EZATRMD

Routing code
 Not applicable.

Descriptor code
 Not applicable.

Automation
 Not applicable.

Example
  EZD0815I Packet denied by policy: 07/05/2007 16:19:44.39 filter rule= deny-2 ext= 1 sipaddr= 9.42.130.185 
         dipaddr= 10.1.1.1 proto= tcp(6) sport= 1026 dport= 80 -= Interface= 9.1.1.1 (I) secclass= 255 
         dest= local len= 284 vpnaction= N/A tunnelID= N/A ifcname= TRLE1AL fragment= N