Explanation
A defensive filter is added to the TCP/IP stack.
In the message text:
- date
- The date on which the defensive filter was added to the stack.
This date is retrieved from the system time-of-day clock, which usually
reflects coordinated universal time (UTC). This timestamp might be
different than the syslogd message timestamp.
- time
- The time at which the defensive filter was added to the stack.
This time is retrieved from the system time-of-day clock, which usually
reflects coordinated universal time (UTC). This timestamp might be
different than the syslogd message timestamp.
- rulename
- The defensive filter rule name as specified on the -N option when
the defensive filter was added with the z/OS® UNIX ipsec command.
- instance
- The rule name extension.
- sipaddr / sip_prefix_length
- The source IP address specification for the defensive filter rule.
The value 0.0.0.0/0 indicates that the defensive filter rule applies
to all source IPv4 addresses. The value ::/0 indicates that the defensive
filter rule applies to all source IPv6 addresses.
- dipaddr / dip_prefix_length
- The destination IP address specification for the defensive filter
rule. The value 0.0.0.0/0 indicates that the defensive filter rule
applies to all destination IPv4 addresses. The value ::/0 indicates
that the defensive filter rule applies to all destination IPv6 addresses.
- proto
- The protocol specification for the defensive filter rule. Possible
values are:
- ICMP(1)
- IGMP(2)
- IP(4)
- TCP(6)
- UDP(17)
- ESP(50)
- AH(51)
- ICMPv6(58)
- OSPF(89)
- IPIP(94)
- MIPv6(135)
- The protocol number
- ALL
- tag1
- The tag1 value varies depending on the proto value.
- If the proto value is ICMP or ICMPv6, the tag1 value
is type= followed by the ICMP or ICMPv6 type, or followed
by the value all.
- If the proto value is TCP or UDP, the tag1 value
is sport= followed by the source port range. For example, sport= 1024-65535.
For a defensive filter that applies to all source ports,
the tag1 value is sport= 1-65535.
- If the proto value is any value not previously
mentioned, the tag1 value is -= which indicates
that the data is not applicable.
- tag2
- The tag2 value varies depending on the protocol.
- If the proto value is ICMP or ICMPv6,
the tag2 value is code= followed by the
ICMP or ICMPv6 code, or followed by the value all.
- If the proto value is TCP or UDP, the tag2 value
is dport= followed by the destination port range. For example, dport= 21-21.
For a defensive filter that applies to all destination ports,
the tag2 value is dport= 1-65535.
- If the proto value is any value not previously
mentioned, the tag2 value is -= which indicates
that the data is not applicable.
- fragments_only
- Possible values are:
- yes
- The defensive filter rule applies only to fragments.
- no
- The defensive filter rule does not apply only to fragments.
- dir
- The direction specified for the defensive filter rule. Possible
values are inbound and outbound.
- routing
- The routing specified for the defensive filter rule. Possible
values are local, routed, and either.
- mode
- The defensive filtering mode specified for the defensive filter
rule. Possible values are block and simulate.
- log
- The log specified for the defensive filter rule. Possible values
are yes and no. If the mode value is simulate,
the log value is not applicable and logging is
always performed.
- lifetime
- The lifetime of the defensive filter rule in minutes.
- userid
- The user ID of the user who added the defensive filter rule.
- global_setting
- Possible values are:
- yes
- The defensive filter rule was created as a global filter rule.
- no
- The defensive filter rule was created as a stack-specific filter
rule.
- loglimit
- The limit on the number of filter-match messages generated for
this filter in a 5-minute interval. A value of 0 indicates that there
is no limit.
System action
TCP/IP processing continues.
Operator response
System programmer response
User response
Problem determination
Source
z/OS Communications Server TCP/IP: TRMD
Module
Routing code
Not applicable for syslog message.
Descriptor code
Not applicable for syslog message.
Automation
Example
EZD1723I Defensive filter added: 07/11/2012 23:40:08.78 filter rule= Block_192.30.30.30.0/24 ext= 1
sipaddr= 192.30.30.0 / 24 dipaddr= 0.0.0.0 / 0 proto= tcp(6) sport= 1024 - 65535 dport= 21 - 21
fragmentsonly= no dir= inbound routing= local mode= block log= yes lifetime= 30 userid= USER1
global= no loglimit= 100
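
The following Python parser is an added example, not part of the IBM documentation. It turns an EZD1723I syslog message into typed fields (networks, port ranges, an expiry time derived from lifetime) so that filter additions can be audited. The function names are this example's own, and it assumes the date is mm/dd/yyyy and the time-of-day clock is UTC.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the EZD1723I example from this page, joined onto one line.
SAMPLE = (
    "EZD1723I Defensive filter added: 07/11/2012 23:40:08.78 "
    "filter rule= Block_192.30.30.30.0/24 ext= 1 sipaddr= 192.30.30.0 / 24 "
    "dipaddr= 0.0.0.0 / 0 proto= tcp(6) sport= 1024 - 65535 dport= 21 - 21 "
    "fragmentsonly= no dir= inbound routing= local mode= block log= yes "
    "lifetime= 30 userid= USER1 global= no loglimit= 100"
)
HEAD = re.compile(r"EZD1723I Defensive filter added:\s+(\S+)\s+(\S+)\s+(.*)", re.S)
# A key is "filter rule", one word, or "-" (tag not applicable), followed by "=".
KEY = re.compile(r"(?:^|(?<=\s))(filter rule|\w+|-)=\s*")


def parse_ezd1723i(line):
    """Return normalised fields of an EZD1723I message, or None for other text."""
    head = HEAD.search(line)
    if head is None:
        return None
    date, time, body = head.groups()
    keys = list(KEY.finditer(body))
    ends = [k.start() for k in keys[1:]] + [len(body)]
    # Each value runs from the end of its key to the start of the next key.
    f = {k.group(1): body[k.end():end].strip() for k, end in zip(keys, ends)}
    f.pop("-", None)  # "-=" marks tag1/tag2 as not applicable
    # Assumption: date is mm/dd/yyyy and the clock is UTC (the page says "usually").
    added = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S.%f")
    f["added"] = added.replace(tzinfo=timezone.utc)
    f["expires"] = f["added"] + timedelta(minutes=int(f["lifetime"]))
    for key in ("sipaddr", "dipaddr"):
        f[key] = ipaddress.ip_network(f[key].replace(" ", ""), strict=False)
    for key in ("sport", "dport"):
        if key in f:
            low, high = f[key].split("-")
            f[key] = (int(low), int(high))
    return f


def review_notes(f):
    """Points to check before relying on the filter for containment."""
    notes = []
    if f["mode"].lower() == "simulate":
        notes.append("mode is simulate, not block")
    if f["sipaddr"].prefixlen == 0:
        notes.append("applies to all source addresses")
    return notes
```

The computed expires value can differ from one derived from the syslogd timestamp, because the message's own date and time come from the time-of-day clock.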