Using a common IP security configuration file for reusable statements

The stack-specific IP security configuration file should be tailored to the specific stack to which it belongs. However, as the policy files for IP security are being constructed, a large number of statements can be reused. Reusable statements can be placed in a common file, which is available to all stacks. Statements in the common IP security configuration file are read by all stacks on the system, providing a convenient way to store common definitions that they can all share. If you are operating in a sysplex, you can also place a common IP security configuration file on shared DASD or in a shared z/OS® File System directory, so that stacks on multiple sysplex images have access to the same common configuration file.

Assuming that all statements that might be used later are placed in a common IP security configuration file, the stack-specific IP security configuration file from step 10 now reads as follows:

# IP Security policy for Secure Server
##########################
# IpFilterPolicy block   #
##########################
IpFilterPolicy
{
   FilterLogging            on
   IpFilterGroupRef     InternalNetZoneA
}

##########################
# Security Zones         #
##########################
IpFilterGroup     InternalNetZoneA
{
   IpFilterRuleRef    AdminFTP
   IpFilterRuleRef    InternalNetWeb
}

##########################
# Filter rules           #
##########################
#Allow admin FTP; log traffic
IpFilterRule                 AdminFTP
{
   IpSourceAddrRef           InternalNetServerAddress
   IpDestAddrRef             InternalNetAdminAddress
   IpServiceGroupRef         FTPServer
   IpGenericFilterActionRef  permit-log
}

#Allow LAN Web traffic; don't log
IpFilterRule                 InternalNetWeb
{
   IpSourceAddrRef           InternalNetServerAddress
   IpDestAddrSetRef          InternalNet
   IpServiceRef              WebServer
   IpGenericFilterActionRef  permit-nolog
}

This stack-specific IP security configuration file references the following reusable statements:

IpFilterRule statements can also be placed in the common IP security configuration file, because some IP filter rules apply to all addresses. If certain IpFilterRule statements are to apply globally to all stacks on the system, they can go into the common file, with a value of all for their IpSourceAddr and IpDestAddr attributes. For instance, if all stacks on a z/OS system need rules permitting dynamic routing traffic (OSPF or RIP, for example), the statements that define this type of traffic can be placed in the common file and referenced from the stack-specific file:

IpFilterRule                   AllowOmprouteLocalNolog
{
  IpSourceAddr                 all
  IpDestAddr                   all
  IpServiceGroupRef            Omproute-local
  IpGenericFilterActionRef     Permit-nolog
}

IpServiceGroup                 Omproute-local
{
  IpServiceRef                 OSPF-local
  IpServiceRef                 RIP-local
}

IpService                      OSPF-local
{
  Protocol                     OSPF
  Direction                    bidirectional
  Routing                      local
}

IpService                      RIP-local
{
  Protocol                     UDP
  SourcePortRange              520
  DestinationPortRange         520
  Direction                    bidirectional
  Routing                      local
}

With these definitions in the common IP security configuration file, any stack needing global permission to send and receive routing information merely needs to include the following statement in the IpFilterPolicy block of its stack-specific IP security configuration file:

IpFilterRuleRef  AllowOmprouteLocalNolog
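Splitting definitions between the two files only works if every *Ref statement in either file resolves to a definition in one of them. As an added check, not part of the z/OS documentation or of Policy Agent itself, the following Python script parses both files and lists dangling references; the mapping from *Ref attribute names to statement types, the abbreviated sample files and the IpFilterAction attribute are assumptions:

```python
import re

# One statement: Type [Name] { body }; the name is optional (IpFilterPolicy has none).
BLOCK_RE = re.compile(r"(\w+)\s*(\S*)\s*\{([^}]*)\}")

def ref_target(attr):
    """Statement type a *Ref attribute names (assumed from the naming convention):
    IpFilterRuleRef -> IpFilterRule, IpDestAddrSetRef -> IpAddrSet, else None."""
    if not attr.endswith("Ref"):
        return None
    return attr[:-3].replace("Source", "").replace("Dest", "")

def parse_policy(text):
    """Return ({(Type, Name) defined}, [(TargetType, Name) referenced]) for one file."""
    text = re.sub(r"#.*", "", text)  # comments run to end of line
    defs, refs = set(), []
    for stmt, name, body in BLOCK_RE.findall(text):
        if name:
            defs.add((stmt, name))
        for line in body.splitlines():
            parts = line.split()
            if len(parts) == 2 and ref_target(parts[0]):
                refs.append((ref_target(parts[0]), parts[1]))
    return defs, refs

def unresolved_refs(stack_text, common_text):
    """References that neither the stack-specific nor the common file defines;
    a dangling reference is a policy error, so catch it before deploying."""
    sdefs, srefs = parse_policy(stack_text)
    cdefs, crefs = parse_policy(common_text)
    return sorted({r for r in srefs + crefs if r not in sdefs | cdefs})

# Constructed sample files (bodies abbreviated): the stack file pulls in the routing
# rule from the common file, which here lacks the Permit-nolog action the rule names.
STACK = """IpFilterPolicy
{
   FilterLogging    on
   IpFilterRuleRef  AllowOmprouteLocalNolog
}"""
COMMON = """IpFilterRule AllowOmprouteLocalNolog
{
  IpSourceAddr              all
  IpDestAddr                all
  IpServiceGroupRef         Omproute-local
  IpGenericFilterActionRef  Permit-nolog
}
IpServiceGroup Omproute-local { IpServiceRef OSPF-local }   # RIP-local omitted
IpService OSPF-local { Protocol OSPF }"""
# Adding the action (assumed attribute name) to the common file resolves the gap.
ACTION = "\nIpGenericFilterAction Permit-nolog { IpFilterAction permit }"
```

Run unresolved_refs(STACK, COMMON) to see the missing action reported, and unresolved_refs(STACK, COMMON + ACTION) to confirm the merged files are consistent.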