DmStackConfig statement

This statement contains the Defense Manager daemon configuration information for a single TCP/IP stack.

Syntax

>>-DmStackConfig--stackname------------------------------------->

>--| Braces & Parms on Separate Lines |------------------------><

Braces & Parms on Separate Lines

|--+-{-------------------------------------------+--------------|
   | .-Mode Active--------.                      |   
   +-+--------------------+----------------------+   
   | '-Mode--+-Active---+-'                      |   
   |         +-Simulate-+                        |   
   |         '-Inactive-'                        |   
   | .-MaxLifetime 1440-----.                    |   
   +-+----------------------+--------------------+   
   | '-MaxLifetime lifetime-'                    |   
   | .-DefaultLogLimit 0------.                  |   
   +-+------------------------+------------------+   
   | '-DefaultLogLimit -+-0-+-'                  |   
   |                    '-n-'                    |   
   | .-----------------------------------------. |   
   | V                                         | |   
   +---+-------------------------------------+-+-+   
   |   '-Exclude--+-ipaddress--------------+-'   |   
   |              '-ipaddress/prefixLength-'     |   
   '-}-------------------------------------------'   

Parameters

stackname
The name of the TCP/IP stack that is being configured for defensive filter support. This is a required parameter, and there is no default value.
Mode Active | Simulate | Inactive
Specifies the defensive filter mode for the TCP/IP stack. Possible values are:
Active
When the stack specified by the stackname value is active and configured for IP security, it is managed by the DMD. Each defensive filter applied to that stack operates in the mode specified for the individual defensive filter, either block or simulate. Blocking mode discards packets that match the defensive filter. Simulate mode simulates a block for packets that match the defensive filter. When a packet matches a defensive filter in simulate mode, a message is logged to indicate that the packet would have been discarded. However, the packet is not discarded and processing continues with IP filtering. For more information about simulate block behavior, see the z/OS Communications Server: IP Configuration Guide. This is the default.
Simulate
When the stack specified by the stackname value is active and configured for IP security, it is managed by the DMD. All defensive filters applied to that stack operate in simulate mode, overriding the mode specified for the individual filters. Simulate mode simulates a block. When a packet matches a defensive filter and the mode is simulate, a message is logged to indicate that the packet would have been discarded. However, the packet is not discarded and processing continues with IP filtering. For more information about simulate block behavior, see the z/OS Communications Server: IP Configuration Guide.

Tip: Simulate mode would typically be used in a test environment, for example to observe from the logged messages what a set of defensive filters would discard before enforcing them. Because the stack-level Simulate mode overrides the per-filter mode, a filter that was added in block mode discards nothing while the stack is in Simulate mode.

Inactive
If the stack specified by the stackname value is active and configured for IP security when the DMD starts, all defensive filters are removed from that stack and also from the DMD memory. No new defensive filters are installed in the stack while the mode is set to Inactive.

Tip: Use inactive mode to disable defensive filtering for the stack. If you remove the DmStackConfig statement for the stack from the DMD configuration file, the defensive filters currently installed in the stack are not removed. Without the DmStackConfig statement, you cannot use the z/OS® UNIX ipsec command to delete defensive filters from the stack.

Use the MODIFY DMD,REFRESH command to change this value. You can also use the MODIFY DMD,FORCE_INACTIVE,stackname command to change the mode to Inactive without refreshing the configuration.
Exclude
Specifies an IP address or subnet to exclude from the effects of defensive filters installed in the stack specified by the stackname value. Inbound packets originating from an IP address in the exclusion list are excluded from defensive filter processing. Outbound packets destined to an IP address in the exclusion list are excluded from defensive filter processing.

Tip: Defensive filters are checked before IP security filters. To ensure that an administrator is not blocked by a defensive filter, you can exclude the administrator's IP address from defensive filter processing by specifying the administrator's address on the Exclude statement. Keep the exclusion list to trusted management addresses: an excluded address bypasses every defensive filter installed in the stack, as a source on inbound packets and as a destination on outbound packets, although its traffic still passes through the IP security filters.

ipaddress
Specifies a single IP address to be excluded from the effects of defensive filters. This value can be an IPv4 or IPv6 address.
ipaddress/prefixLength
Specifies a prefix address specification that indicates the applicable IP addresses to be excluded from the effects of defensive filters. The prefixLength value is the number of unmasked leading bits in the ipaddress value. The prefixLength value can be in the range 0 - 32 for IPv4 addresses and 0 - 128 for IPv6 addresses. An IP address matches this exclusion if its unmasked bits are identical to the defined unmasked bits.

There is a limit of 10 Exclude keywords on the DmStackConfig statement.

Use the MODIFY DMD,REFRESH command to change this value. If the refresh is successful, the new list of exclusion addresses completely replaces the prior list; an address that is omitted from the new list is no longer excluded.

This is an optional parameter, and there is no default value.

MaxLifetime
Specifies the maximum lifetime of a defensive filter in minutes. This value limits a defensive filter's lifetime when the defensive filter is first added or later updated. Lifetime values that exceed the MaxLifetime value are truncated to MaxLifetime minutes. Existing filters are not affected by a change to the MaxLifetime value that results from a MODIFY DMD,REFRESH operation.
lifetime
Specifies the maximum number of minutes that are allowed for a defensive filter's lifetime. Valid values are in the range 1 - 20160 (2 weeks). The default is 1440 (1 day).
DefaultLogLimit
Specifies the default log limit for defensive filters that are added to this TCP/IP stack. When a defensive filter is added and the loglimit parameter is not specified on the z/OS UNIX ipsec add command, the DefaultLogLimit value is used. The log limit value is used to enable or disable the limiting of defensive filter match messages (EZD1721I and EZD1722I). See filter-match logging in z/OS Communications Server: IP Configuration Guide for more information.
0
Disables the limiting of defensive filter match messages. If logging is being done for this defensive filter, a message is generated for each packet that matches the defensive filter. 0 is the default.
n
Enables the limiting of defensive filter match messages. Valid values are in the range 1 - 9999. The value limits the average rate of filter-match messages generated in a 5-minute interval for a defensive filter. For example, a value of 100 limits the average rate of filter-match messages to 100 messages per 5-minute interval. A burst of up to 100 messages is allowed while maintaining the long-term average of 100 messages per 5-minute interval.
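
The following script is an added example, not IBM code and not the DMD's own parser. It reads a DmStackConfig statement written in the "braces and parameters on separate lines" form shown in the syntax diagram, applies the defaults and limits stated for Mode, MaxLifetime, DefaultLogLimit and Exclude above, and models the documented semantics: which address an Exclude entry is matched against for inbound and outbound packets, how the stack Mode overrides a filter's own mode, how a requested lifetime is truncated to MaxLifetime, and when DefaultLogLimit applies. The stack name TCPIP1 and all addresses in the sample statement are constructed; whether the real DMD tolerates the same whitespace or accepts comments is not something this page states, so the parser is deliberately strict.

```python
"""Parse and sanity-check a DmStackConfig statement before MODIFY DMD,REFRESH.

Added example; this is not IBM code and does not reproduce the DMD's own
parser. It applies the limits stated on the page (Mode values, MaxLifetime
1-20160, DefaultLogLimit 0-9999, at most 10 Exclude keywords, prefix length
0-32 for IPv4 and 0-128 for IPv6) and models the documented semantics.
"""
import ipaddress
import re

MODES = ("Active", "Simulate", "Inactive")
MAX_LIFETIME_RANGE = (1, 20160)
LOG_LIMIT_RANGE = (0, 9999)
MAX_EXCLUDES = 10

# Constructed sample statement; the stack name and addresses are invented.
SAMPLE = """
DmStackConfig TCPIP1
{
    Mode Active
    MaxLifetime 240
    DefaultLogLimit 100
    Exclude 10.1.1.5
    Exclude 10.1.2.0/24
    Exclude 2001:db8:1::/48
}
"""

_STMT = re.compile(r"DmStackConfig\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_dmstackconfig(text):
    """Return a dict with defaults applied; raise ValueError on any violation."""
    m = _STMT.search(text)
    if not m:
        raise ValueError("no DmStackConfig statement found")
    cfg = {"stackname": m.group(1), "Mode": "Active", "MaxLifetime": 1440,
           "DefaultLogLimit": 0, "Exclude": []}
    for raw in m.group(2).splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "Mode":
            if value not in MODES:
                raise ValueError(f"Mode must be one of {MODES}: {value!r}")
            cfg["Mode"] = value
        elif key in ("MaxLifetime", "DefaultLogLimit"):
            lo, hi = MAX_LIFETIME_RANGE if key == "MaxLifetime" else LOG_LIMIT_RANGE
            if not value.isdigit() or not lo <= int(value) <= hi:
                raise ValueError(f"{key} must be an integer in {lo}-{hi}: {value!r}")
            cfg[key] = int(value)
        elif key == "Exclude":
            # ip_network enforces the prefix-length range for the address family;
            # a bare address becomes a /32 or /128 host prefix. strict=False keeps
            # entries whose host bits are set, since only the leading bits matter.
            try:
                cfg["Exclude"].append(ipaddress.ip_network(value, strict=False))
            except ValueError as exc:
                raise ValueError(f"bad Exclude value {value!r}: {exc}") from None
        else:
            raise ValueError(f"unknown keyword {key!r}")
    if len(cfg["Exclude"]) > MAX_EXCLUDES:
        raise ValueError(f"more than {MAX_EXCLUDES} Exclude keywords")
    return cfg


def check(text):
    """Return None if the statement is valid, otherwise the error message."""
    try:
        parse_dmstackconfig(text)
    except ValueError as exc:
        return str(exc)
    return None


def is_excluded(cfg, direction, src, dst):
    """Exclude is matched against the source of inbound packets and the
    destination of outbound packets; the other address is not consulted."""
    addr = ipaddress.ip_address(src if direction == "inbound" else dst)
    return any(addr.version == net.version and addr in net for net in cfg["Exclude"])


def effective_filter_mode(cfg, filter_mode):
    """Stack Mode Simulate overrides a filter's own block/simulate setting;
    Mode Inactive means no defensive filter is installed at all."""
    if cfg["Mode"] == "Inactive":
        return None
    if cfg["Mode"] == "Simulate":
        return "simulate"
    return filter_mode


def effective_lifetime(cfg, requested_minutes):
    """Lifetimes above MaxLifetime are truncated when a filter is added or updated."""
    return min(requested_minutes, cfg["MaxLifetime"])


def effective_log_limit(cfg, requested=None):
    """DefaultLogLimit applies only when ipsec add omits the loglimit parameter."""
    return cfg["DefaultLogLimit"] if requested is None else requested


if __name__ == "__main__":
    c = parse_dmstackconfig(SAMPLE)
    print(c["stackname"], c["Mode"], c["MaxLifetime"], c["DefaultLogLimit"])
    print("admin inbound excluded:", is_excluded(c, "inbound", "10.1.1.5", "192.0.2.1"))
```

Run it against the statement you are about to refresh; a rejected statement here is cheaper than discovering after MODIFY DMD,REFRESH that the administrator's address was dropped from the replacement Exclude list.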

Result: The DMD installs and manages defensive filters only in TCP/IP stacks that are configured with a DmStackConfig statement in the DMD configuration file.