The stack-specific IP security configuration file should be tailored to the stack to which it belongs. As the IP security policy files are constructed, however, a large number of statements turn out to be reusable. Reusable statements can be placed in a common file that is available to all stacks. Statements in the common IP security configuration file are read by every stack on the system, which makes it a convenient place to store definitions they all share. If you are operating in a sysplex, you can also place the common IP security configuration file on shared DASD or in a shared z/OS® File System directory, so that stacks in multiple sysplex images have access to the same common configuration file.
Assuming that all reusable statements are placed in the common IP security configuration file, the stack-specific IP security configuration file from step 10 now reads as follows:
# IP Security policy for Secure Server

##########################
# IpFilterPolicy block   #
##########################
IpFilterPolicy
{
   FilterLogging on
   IpFilterGroupRef InternalNetZoneA
}

##########################
# Security Zones         #
##########################
IpFilterGroup InternalNetZoneA
{
   IpFilterRuleRef AdminFTP
   IpFilterRuleRef InternalNetWeb
}

##########################
# Filter rules           #
##########################
# Allow admin FTP; log traffic
IpFilterRule AdminFTP
{
   IpSourceAddrRef InternalNetServerAddress
   IpDestAddrRef InternalNetAdminAddress
   IpServiceGroupRef FTPServer
   IpGenericFilterActionRef permit-log
}

# Allow LAN Web traffic; don't log
IpFilterRule InternalNetWeb
{
   IpSourceAddrRef InternalNetServerAddress
   IpDestAddrSetRef InternalNet
   IpServiceRef WebServer
   IpGenericFilterActionRef permit-nolog
}
This stack-specific IP security configuration file references the following reusable statements, which are defined in the common IP security configuration file: the IpAddr statements InternalNetServerAddress and InternalNetAdminAddress, the IpAddrSet statement InternalNet, the IpServiceGroup statement FTPServer, the IpService statement WebServer, and the IpGenericFilterAction statements permit-log and permit-nolog. Every name that a *Ref attribute points to must be defined in one of the two files, so keep the spelling and capitalization of each name identical in both.
IpFilterRule statements themselves can also be placed in the common IP security configuration file when a rule applies to every stack on the system. Such a rule should use a value of all for its IpSourceAddr and IpDestAddr attributes, so that it does not depend on the addresses of any particular stack. For instance, if all stacks on a z/OS system need rules permitting dynamic routing traffic (OSPF or RIP, for example), the statements that define this traffic can be placed in the common file and referenced from each stack-specific file:
IpFilterRule AllowOmprouteLocalNolog
{
   IpSourceAddr all
   IpDestAddr all
   IpServiceGroupRef Omproute-local
   IpGenericFilterActionRef permit-nolog
}

IpServiceGroup Omproute-local
{
   IpServiceRef OSPF-local
   IpServiceRef RIP-local
}

IpService OSPF-local
{
   Protocol OSPF
   Direction bidirectional
   Routing local
}

IpService RIP-local
{
   Protocol UDP
   SourcePortRange 520
   DestinationPortRange 520
   Direction bidirectional
   Routing local
}
With these definitions in the common IP security configuration file, any stack needing global permission to send and receive routing information merely needs to include the following statement in the IpFilterPolicy block of its stack-specific IP security configuration file:
IpFilterRuleRef AllowOmprouteLocalNolog
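Splitting a policy across a common file and a stack-specific file introduces one failure mode worth checking before the policy is installed: every *Ref attribute in the stack-specific file must name a statement that exists in one of the two files. The script below is an added example, written for this page by the editor; it is not part of the original page and not IBM z/OS Communications Server code. It parses the brace-delimited statement syntax shown above from a constructed common file and a constructed stack-specific file, reports every reference that does not resolve (a definition that differs from the reference only in case is reported as such, because the checker compares names case-sensitively), and lists the IpFilterRule statements whose IpSourceAddr and IpDestAddr are both all, which are the rules that belong in the common file. The stack-specific sample reuses this page's statements; the IpGenericFilterAction and IpAddr definitions in the common sample, their attribute values, the deliberate omission of FTPServer and InternalNetAdminAddress, the miscapitalized Permit-nolog, and the table mapping each *Ref attribute to a statement type are the editor's constructions, not taken from IBM documentation.

```python
# Added example (not IBM code): resolve every *Ref in a stack-specific IP security
# file against the common file it shares definitions with.

# Statement type each *Ref attribute must resolve to (editor's reading of this page).
REF_TYPES = {"IpFilterGroupRef": "IpFilterGroup", "IpFilterRuleRef": "IpFilterRule",
             "IpSourceAddrRef": "IpAddr", "IpDestAddrRef": "IpAddr", "IpServiceRef": "IpService",
             "IpSourceAddrSetRef": "IpAddrSet", "IpDestAddrSetRef": "IpAddrSet",
             "IpServiceGroupRef": "IpServiceGroup", "IpGenericFilterActionRef": "IpGenericFilterAction"}

def parse_statements(text, stmts=None):
    """Parse 'Type [Name] { attr value ... }' blocks into {(type, name): [(attr, value)]}.
    '#' starts a comment; '{' may end the header line or stand alone on the next line."""
    stmts = {} if stmts is None else stmts  # pass a dict to merge a second file into it
    pending = current = None  # header awaiting its '{' / block being filled
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith("{"):
            head = line[:-1].split() or pending
            if not head:
                raise ValueError("'{' without a statement header")
            current = (head[0], head[1] if len(head) > 1 else None)
            stmts[current] = []
            pending = None
        elif line == "}":
            current = None
        elif current is None:
            pending = line.split()
        else:
            parts = line.split(None, 1)
            stmts[current].append((parts[0], parts[1] if len(parts) > 1 else ""))
    if current is not None:
        raise ValueError("unterminated block %s %s" % current)
    return stmts

def unresolved_refs(stmts):
    """(referrer, attr, target, reason) for each *Ref with no matching definition.
    Names are compared case-sensitively; a definition differing only in case is flagged."""
    lowered = {(t, n.lower()): n for (t, n) in stmts if n}
    found = []
    for (stype, name), attrs in stmts.items():
        for attr, value in attrs:
            target = REF_TYPES.get(attr)
            if target and (target, value) not in stmts:
                hit = lowered.get((target, value.lower()))
                found.append((name or stype, attr, value,
                              "defined as %s" % hit if hit else "undefined"))
    return found

def global_rules(stmts):
    """Rules with IpSourceAddr all and IpDestAddr all: candidates for the common file."""
    return sorted(n for (t, n), a in stmts.items() if t == "IpFilterRule" and
                  {dict(a).get("IpSourceAddr"), dict(a).get("IpDestAddr")} == {"all"})

# Constructed common file: the page's OMPROUTE statements plus made-up definitions of
# names the stack file uses. The FTPServer group and InternalNetAdminAddress are
# deliberately left out and 'Permit-nolog' is deliberately miscapitalized.
COMMON = """IpGenericFilterAction permit-log {
    IpFilterAction permit
}
IpGenericFilterAction permit-nolog {
    IpFilterAction permit
}
IpAddr InternalNetServerAddress {
    Addr 10.1.1.10
}
IpFilterRule AllowOmprouteLocalNolog {
    IpSourceAddr all
    IpDestAddr all
    IpServiceGroupRef Omproute-local
    IpGenericFilterActionRef Permit-nolog
}
IpServiceGroup Omproute-local {
    IpServiceRef OSPF-local
}
IpService OSPF-local {
    Protocol OSPF
}
"""

# Constructed stack-specific file, following the page's example.
STACK = """IpFilterPolicy {
    FilterLogging on
    IpFilterGroupRef InternalNetZoneA
    IpFilterRuleRef AllowOmprouteLocalNolog
}
IpFilterGroup InternalNetZoneA {
    IpFilterRuleRef AdminFTP
}
IpFilterRule AdminFTP {   # Allow admin FTP; log traffic
    IpSourceAddrRef InternalNetServerAddress
    IpDestAddrRef InternalNetAdminAddress
    IpServiceGroupRef FTPServer
    IpGenericFilterActionRef permit-log
}
"""

def audit(common=COMMON, stack=STACK):
    """Merge both files; return (unresolved references, rules that apply to every stack)."""
    stmts = parse_statements(stack, parse_statements(common))
    return unresolved_refs(stmts), global_rules(stmts)
```

Running audit() on the two constructed files reports three unresolved references: Permit-nolog in AllowOmprouteLocalNolog (defined as permit-nolog, a case mismatch), and InternalNetAdminAddress and FTPServer in AdminFTP (undefined), while AllowOmprouteLocalNolog is the only rule with all/all addresses. Point the two parameters at the real common and stack-specific files to run the same check on a live configuration.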