z/OS Communications Server: IP Messages Volume 2 (EZB, EZD)


SC27-3655-01

EZD1723I
Defensive filter added: date time filter rule= rulename ext= instance sipaddr= sipaddr / sip_prefix_length dipaddr= dipaddr / dip_prefix_length proto= proto tag1 tag2 fragmentsonly= fragments_only dir= dir routing= routing mode= mode log= log lifetime= lifetime userid= userid global= global_setting loglimit= loglimit

Explanation

A defensive filter is added to the TCP/IP stack.

In the message text:
date
The date on which the defensive filter was added to the stack. This date is retrieved from the system time-of-day clock, which usually reflects coordinated universal time (UTC). This timestamp might be different than the syslogd message timestamp.
time
The time at which the defensive filter was added to the stack. This time is retrieved from the system time-of-day clock, which usually reflects coordinated universal time (UTC). This timestamp might be different than the syslogd message timestamp.
rulename
The defensive filter rule name as specified on the -N option when the defensive filter was added with the z/OS® UNIX ipsec command.
instance
The rule name extension.
sipaddr / sip_prefix_length
The source IP address specification for the defensive filter rule. The value 0.0.0.0/0 indicates that the defensive filter rule applies to all source IPv4 addresses. The value ::/0 indicates that the defensive filter rule applies to all source IPv6 addresses.
dipaddr / dip_prefix_length
The destination IP address specification for the defensive filter rule. The value 0.0.0.0/0 indicates that the defensive filter rule applies to all destination IPv4 addresses. The value ::/0 indicates that the defensive filter rule applies to all destination IPv6 addresses.
proto
The protocol specification for the defensive filter rule. Possible values are:
  • ICMP(1)
  • IGMP(2)
  • IP(4)
  • TCP(6)
  • UDP(17)
  • ESP(50)
  • AH(51)
  • ICMPv6(58)
  • OSPF(89)
  • IPIP(94)
  • MIPv6(135)
  • The protocol number
  • ALL
tag1
The tag1 value varies depending on the proto value.
  • If the proto value is ICMP or ICMPv6, the tag1 value is type= followed by the ICMP or ICMPv6 type, or followed by the value all.
  • If the proto value is TCP or UDP, the tag1 value is sport= followed by the source port range. For example, sport= 1024-65535. For a defensive filter that applies to all source ports, the tag1 value is sport= 1-65535.
  • If the proto value is any value not previously mentioned, the tag1 value is -= which indicates that the data is not applicable.
tag2
The tag2 value varies depending on the protocol.
  • If the proto value is ICMP or ICMPv6, the tag2 value is code= followed by the ICMP or ICMPv6 code, or followed by the value all.
  • If the proto value is TCP or UDP, the tag2 value is dport= followed by the destination port range. For example, dport= 21-21. For a defensive filter that applies to all destination ports, the tag2 value is dport= 1-65535.
  • If the proto value is any value not previously mentioned, the tag2 value is -= which indicates that the data is not applicable.
fragments_only
Possible values are:
  • yes: The defensive filter rule applies only to fragments.
  • no: The defensive filter rule does not apply only to fragments.
dir
The direction specified for the defensive filter rule. Possible values are inbound and outbound.
routing
The routing specified for the defensive filter rule. Possible values are local, routed, and either.
mode
The defensive filtering mode specified for the defensive filter rule. Possible values are block and simulate.
log
The log specified for the defensive filter rule. Possible values are yes and no. If the mode value is Simulate, the log value is not applicable and logging is always performed.
lifetime
The lifetime of the defensive filter rule in minutes.
userid
The user ID of the user who added the defensive filter rule.
global_setting
Possible values are:
  • yes: The defensive filter rule was created as a global filter rule.
  • no: The defensive filter rule was created as a stack-specific filter rule.
loglimit
The limit on the number of filter-match messages generated for this filter in a 5-minute interval. A value of 0 indicates that there is no limit.

System action

TCP/IP processing continues.

Operator response

No action needed.

System programmer response

No action needed.

User response

Not applicable.

Problem determination

Not applicable.

Source

z/OS Communications Server TCP/IP: TRMD

Module

EZATRZOS

Routing code

Not applicable for syslog message.

Descriptor code

Not applicable for syslog message.

Automation

Not applicable.

Example

EZD1723I Defensive filter added: 07/11/2012 23:40:08.78 filter rule=  Block_192.30.30.30.0/24 ext= 1 
         sipaddr= 192.30.30.0 / 24 dipaddr= 0.0.0.0 / 0  proto= tcp(6) sport= 1024 - 65535 dport= 21 - 21 
         fragmentsonly= no dir= inbound  routing= local mode= block log= yes lifetime= 30 userid= USER1 
         global= no loglimit= 100
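
The following parser is an added example, not IBM code: it splits an EZD1723I syslog record into the fields described above and surfaces a few conditions taken from those field descriptions. The function names parse_ezd1723i and review_notes are hypothetical, and the parser assumes the keyword order and spacing shown in the example message, which is embedded as sample input.

```python
import ipaddress
import re

# Constructed sample: the example message from this page, wrapped as it appears there.
SAMPLE = """EZD1723I Defensive filter added: 07/11/2012 23:40:08.78 filter rule=  Block_192.30.30.30.0/24 ext= 1
         sipaddr= 192.30.30.0 / 24 dipaddr= 0.0.0.0 / 0  proto= tcp(6) sport= 1024 - 65535 dport= 21 - 21
         fragmentsonly= no dir= inbound  routing= local mode= block log= yes lifetime= 30 userid= USER1
         global= no loglimit= 100"""

HEADER = re.compile(r"EZD1723I Defensive filter added: (\S+) (\S+) filter ")
KEY = re.compile(r"(?<!\S)([A-Za-z0-9]+|-)=")   # a keyword, or "-" for an unused tag


def parse_ezd1723i(message):
    """Return the message fields as a dict, or None if this is not EZD1723I."""
    text = " ".join(message.split())          # undo line wrapping and padding
    head = HEADER.search(text)
    if head is None:
        return None
    fields = {"date": head.group(1), "time": head.group(2)}
    body = text[head.end():]
    keys = list(KEY.finditer(body))
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(body)
        name, value = k.group(1), body[k.end():end].strip()
        if name == "-":                       # "-=" means tag1/tag2 is not applicable
            continue
        if name in ("sipaddr", "dipaddr", "sport", "dport"):
            value = re.sub(r"\s*([/-])\s*", r"\1", value)   # "1024 - 65535" -> "1024-65535"
        fields[name] = value
    for name in ("sipaddr", "dipaddr"):
        fields[name] = ipaddress.ip_network(fields[name], strict=False)
    for name in ("lifetime", "loglimit"):
        fields[name] = int(fields[name])
    return fields


def review_notes(f):
    """Conditions worth surfacing, taken from the field descriptions above."""
    notes = []
    if f["mode"].lower() == "simulate":
        notes.append("simulate mode: logging is always performed, log= is not applicable")
    if f["sipaddr"].prefixlen == 0 and f["dipaddr"].prefixlen == 0:
        notes.append("rule applies to all source and destination addresses")
    if f["loglimit"] == 0:
        notes.append("no limit on filter-match messages")
    return notes
```

A record that is truncated before the last keyword raises KeyError rather than returning partial fields.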





Copyright IBM Corporation 1990, 2014