This statement contains the Defense Manager daemon (DMD) configuration information for a single TCP/IP stack.
Syntax
```text
>>-DmStackConfig--stackname------------------------------------->

>--| Braces & Parms on Separate Lines |------------------------><

Braces & Parms on Separate Lines

|--+-{-------------------------------------------+--------------|
   | .-Mode Active--------.                      |
   +-+--------------------+----------------------+
   | '-Mode--+-Active---+-'                      |
   |         +-Simulate-+                        |
   |         '-Inactive-'                        |
   | .-MaxLifetime 1440-----.                    |
   +-+----------------------+--------------------+
   | '-MaxLifetime lifetime-'                    |
   | .-DefaultLogLimit 0------.                  |
   +-+------------------------+------------------+
   | '-DefaultLogLimit -+-0-+-'                  |
   |                    '-n-'                    |
   | .-----------------------------------------. |
   | V                                         | |
   +---+-------------------------------------+-+-+
   |   '-Exclude--+-ipaddress--------------+-'   |
   |              '-ipaddress/prefixLength-'     |
   '-}-------------------------------------------'
```
Parameters
- stackname
- The name of the TCP/IP stack that is being configured for defensive
filter support. This is a required parameter, and there is no default
value.
- Mode Active | Simulate | Inactive
- Specifies the defensive filter mode for the TCP/IP stack. Possible
values are:
- Active
- When the stack specified by the stackname value
is active and configured for IP security, it is managed by the DMD.
Each defensive filter applied to that stack operates in the mode
specified for the individual defensive filter, either block or simulate.
Blocking mode discards packets that match the defensive filter.
Simulate mode simulates a block for packets that match the defensive
filter. When a packet matches a defensive filter with a simulate
mode, a message is logged to indicate that the packet would have been
discarded. However, the packet is not discarded and processing continues
with IP filtering. For more information about simulate block behavior,
see the z/OS Communications Server: IP Configuration
Guide. This is the default.
- Simulate
- When the stack specified by the stackname value
is active and configured for IP security, it is managed by the DMD.
All defensive filters applied to that stack operate in simulate mode,
overriding the mode specified for the individual filters. Simulate
mode simulates a block. When a packet matches a defensive filter
and the mode is simulate, a message is logged to indicate that the
packet would have been discarded. However, the packet is not discarded
and processing continues with IP filtering. For more information
about simulate block behavior, see the z/OS Communications Server: IP Configuration
Guide.
Tip: Simulate mode would typically
be used in a test environment.
- Inactive
- If the stack specified by the stackname value
is active and configured for IP security when the DMD starts, all
defensive filters are removed from that stack and also from the DMD
memory. No new defensive filters are installed in the stack while
the mode is set to Inactive.
Tip: Use inactive mode to disable
defensive filtering for the stack. If you remove the DmStackConfig
statement for the stack from the DMD configuration file, the defensive
filters currently installed in the stack are not removed. Without
the DmStackConfig statement, you cannot use the z/OS® UNIX ipsec command
to delete defensive filters from the stack.
Use the MODIFY DMD,REFRESH command to change this value.
You can also use the MODIFY DMD,FORCE_INACTIVE,stackname command
to change the mode to Inactive without refreshing the configuration.
- Exclude
- Specifies an IP address or subnet to exclude from the effects
of defensive filters installed in the stack specified by the stackname value.
Inbound packets originating from an IP address in the exclusion list
are excluded from defensive filter processing. Outbound packets destined
to an IP address in the exclusion list are excluded from defensive
filter processing.
Tip: Defensive filters are checked before
IP security filters. To ensure that an administrator is not blocked
by a defensive filter, you can exclude the administrator's IP address
from defensive filter processing by specifying the administrator's
address on the Exclude statement.
- ipaddress
- Specifies a single IP address to be excluded from the effects
of defensive filters. This value can be an IPv4 or IPv6 address.
- ipaddress/prefixLength
- Specifies a prefix address specification that indicates the applicable
IP addresses to be excluded from the effects of defensive filters.
The prefixLength value is the number of
unmasked leading bits in the ipaddress value.
The prefixLength value can be in the range
0 - 32 for IPv4 addresses and 0 - 128 for IPv6 addresses. An IP address
matches this exclusion if its unmasked bits are identical to the defined
unmasked bits.
There is a limit of 10 Exclude keywords on the DmStackConfig
statement.
Use the MODIFY DMD,REFRESH command to change this
value. In case of a successful refresh, the new list of exclusion
addresses completely replaces the prior list of exclusion addresses.
This is an optional parameter, and there is no default value.
- MaxLifetime
- Specifies the maximum lifetime of a defensive filter in minutes.
This value limits a defensive filter's lifetime when the defensive
filter is first added or later updated. Lifetime values that exceed
the MaxLifetime value are truncated to MaxLifetime minutes. Existing
filters are not affected by a change to the MaxLifetime value that
results from a MODIFY DMD,REFRESH operation.
- lifetime
- Specifies the maximum number of minutes that are allowed for a
defensive filter's lifetime. Valid values are in the range 1 - 20160
(2 weeks). The default is 1440 (1 day).
- DefaultLogLimit
- Specifies the default log limit for defensive filters that are
added to this TCP/IP stack. When a defensive filter is added and the
loglimit parameter is not specified on the z/OS UNIX ipsec add
command, the DefaultLogLimit value will be used. The log limit value
is used to enable or disable the limiting of defensive filter match
messages (EZD1721I and EZD1722I). See filter-match
logging in z/OS Communications Server: IP Configuration
Guide for more information.
- 0
- Disables the limiting of defensive filter match messages. If logging
is being done for this defensive filter, a message is generated for
each packet that matches the defensive filter. 0 is the default.
- n
- Enables the limiting of defensive filter match messages. Valid
values are in the range 1 - 9999. The value limits the average rate
of filter-match messages generated in a 5-minute interval for a defensive
filter. For example, a value of 100 limits the average rate of filter-match
messages to 100 messages per 5-minute interval. A burst of up to 100
messages is allowed while maintaining the long-term average of 100
messages per 5-minute interval.
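How the Exclude list described above decides whether a packet bypasses defensive filter processing, as an added example that is not part of IBM's documentation or the DMD code. It assumes the Exclude values have already been read out of a DmStackConfig statement into a list of strings; the exclusion list, packets and function names are constructed here, and Python's ipaddress module enforces the 0-32 and 0-128 prefixLength ranges.

```python
import ipaddress

MAX_EXCLUDES = 10  # documented limit of Exclude keywords per DmStackConfig


def build_exclusion_list(entries):
    """Validate Exclude values ('ipaddress' or 'ipaddress/prefixLength')
    and return them as networks. A bare address is a host prefix (/32
    or /128). ip_network rejects a prefixLength outside 0-32 (IPv4) or
    0-128 (IPv6); strict=False ignores host bits beyond the prefix, so
    only the unmasked leading bits take part in matching."""
    if len(entries) > MAX_EXCLUDES:
        raise ValueError(f"more than {MAX_EXCLUDES} Exclude keywords")
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"bad Exclude value {entry!r}: {exc}") from exc
    return nets


def bypasses_defensive_filters(nets, direction, src, dst):
    """Inbound packets are matched on their source address, outbound
    packets on their destination address. True means the defensive
    filters installed in the stack are skipped for this packet."""
    addr = ipaddress.ip_address(src if direction == "inbound" else dst)
    return any(addr in net for net in nets)


# Constructed sample exclusion list and traffic (documentation prefixes,
# not taken from any real configuration).
SAMPLE_EXCLUDES = ["192.0.2.10", "198.51.100.77/24", "2001:db8::/32"]
SAMPLE_PACKETS = [
    ("inbound", "192.0.2.10", "10.0.0.5"),       # admin host as source
    ("inbound", "10.0.0.5", "192.0.2.10"),       # admin host only as dest
    ("outbound", "10.0.0.5", "198.51.100.200"),  # dest inside the /24
    ("inbound", "2001:db8:1::1", "fd00::1"),     # IPv6 source inside /32
    ("outbound", "10.0.0.5", "203.0.113.1"),     # listed nowhere
]


def classify(entries=SAMPLE_EXCLUDES, packets=SAMPLE_PACKETS):
    """Return, per packet, whether it bypasses defensive filtering."""
    nets = build_exclusion_list(entries)
    return [bypasses_defensive_filters(nets, *pkt) for pkt in packets]


if __name__ == "__main__":
    for pkt, skipped in zip(SAMPLE_PACKETS, classify()):
        print(pkt, "bypasses defensive filters" if skipped else "is filtered")
```

Note that the second packet is still subject to defensive filters: an inbound packet is excluded only on its source address, so a reply to the administrator's host is not exempt.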
Result: The DMD installs and manages
defensive filters only in TCP/IP stacks that are configured with a
DmStackConfig statement in the DMD configuration file.
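The burst-plus-average behaviour of a nonzero DefaultLogLimit value, written out as an added example that is not IBM's code. The page does not describe the DMD's actual rate-limiting algorithm, so the token bucket below is an assumed model that reproduces the stated properties (a burst of up to n messages, a long-term average of n per 5-minute interval), and MatchMessageLimiter, simulate, FLOOD and TRICKLE are names introduced here.

```python
INTERVAL_SECONDS = 300.0  # the 5-minute interval the log limit is defined over


class MatchMessageLimiter:
    """Assumed token-bucket model of a defensive filter's log limit
    (hypothetical name, not a z/OS component): a bucket holding at most
    n tokens allows a burst of n messages, and refilling n tokens per
    5 minutes keeps the long-term average at n per interval."""

    def __init__(self, log_limit):
        if log_limit != 0 and not 1 <= log_limit <= 9999:
            raise ValueError("log limit must be 0 or in the range 1-9999")
        self.limit = log_limit
        self.tokens = float(log_limit)  # full bucket: burst of up to n
        self.last = 0.0

    def should_log(self, now):
        """True if a filter-match message at time `now` (seconds) is
        generated, False if the log limit suppresses it."""
        if self.limit == 0:  # 0 disables limiting: every match is logged
            return True
        refill = (now - self.last) * self.limit / INTERVAL_SECONDS
        self.tokens = min(float(self.limit), self.tokens + refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(log_limit, event_times):
    """Return (logged, suppressed) counts for match events at the
    given times, applied to a single defensive filter."""
    limiter = MatchMessageLimiter(log_limit)
    logged = sum(limiter.should_log(t) for t in event_times)
    return logged, len(event_times) - logged


# Constructed scenario: a flood of 500 matches in the first second,
# then one match every 3 seconds for the rest of the 5-minute interval.
FLOOD = [i * 0.002 for i in range(500)]
TRICKLE = [1.0 + 3.0 * i for i in range(100)]

if __name__ == "__main__":
    print("loglimit 0  :", simulate(0, FLOOD + TRICKLE))
    print("loglimit 100:", simulate(100, FLOOD + TRICKLE))
```

With a limit of 100, the flood yields exactly 100 messages and 400 suppressed matches, after which the 3-second trickle is logged at its own rate because it stays under the 100-per-interval average.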