The NSS server communicates with NSS clients using the TCP protocol. The NSS server binds to all stacks using either INADDR_ANY or in6addr_any as the IP address. IP filter rules must be defined for any IP security stack that contains an interface to which the NSS client will connect (for details about configuring the IKE daemon as an NSS client, see IP security). Remote IPSec clients use an ephemeral port when connecting to the NSS server. Ephemeral ports are generally in the range 1024–65535.
Two types of IP filter policy can be defined for a z/OS® stack: default IP filter policy, defined in the TCP/IP profile, and IP security policy, defined in Policy Agent policy files.
For details about defining default IP filter policy in the TCP/IP profile, see z/OS Communications Server: IP Configuration Reference.
The following default policy contains IPSECRule definitions that allow IPv4 and IPv6 NSS server traffic with NSS clients:
IPSEC LOGENable
; Rule SrcAddr DstAddr Logging Protocol SrcPort DestPort Routing Secclass
; OSPF protocol used by Omproute
IPSECRule * * NOLOG PROTO OSPF
; IGMP protocol used by Omproute
IPSECRule * * NOLOG PROTO 2
; DNS queries to UDP port 53
IPSECRule * * NOLOG PROTO UDP SRCPort * DESTport 53
; Administrative access
IPSECRule * 9.1.1.2 LOG SECCLASS 100
; Network security services (NSS) server access to the NSS client
IPSECRule * * LOG PROTO TCP SRCPort 4159 DESTport *
; Network security services (NSS) server access to the NSS client
IPSEC6Rule * * LOG PROTO TCP SRCPort 4159 DESTport *
ENDIPSEC
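As an added illustration (not code from the z/OS documentation), the following Python reads the default IPSECRule syntax shown above and evaluates sample flows against it, first match wins and anything unmatched falls to the implicit deny. It assumes that default filter rules are bidirectional, so a rule written with the NSS server port as SRCPort also permits the client's inbound connection; the client and server addresses in the checks are constructed.

```python
import ipaddress
# Constructed copy of the default policy shown above (TCP/IP profile syntax).
DEFAULT_POLICY = """
IPSEC LOGENable
IPSECRule * * NOLOG PROTO OSPF
IPSECRule * * NOLOG PROTO UDP SRCPort * DESTport 53
IPSECRule * 9.1.1.2 LOG SECCLASS 100
IPSECRule * * LOG PROTO TCP SRCPort 4159 DESTport *
IPSEC6Rule * * LOG PROTO TCP SRCPort 4159 DESTport *
ENDIPSEC
"""
PROTO_NUMBERS = {"ospf": 89, "tcp": 6, "udp": 17, "icmp": 1}

def parse_policy(text):
    """Collect IPSECRule/IPSEC6Rule statements in order (';' starts a comment).
    proto None means any protocol; '*' means any address or port."""
    rules = []
    for line in text.splitlines():
        tok = line.split(";")[0].split()
        if len(tok) < 3 or tok[0].upper() not in ("IPSECRULE", "IPSEC6RULE"):
            continue
        rule = {"v6": tok[0].upper() == "IPSEC6RULE", "src": tok[1], "dst": tok[2],
                "log": False, "proto": None, "sport": "*", "dport": "*"}
        rest = tok[3:]
        if rest and rest[0].upper() in ("LOG", "NOLOG"):
            rule["log"], rest = rest[0].upper() == "LOG", rest[1:]
        for key, val in zip(rest, rest[1:]):
            if key.upper() == "PROTO":
                rule["proto"] = PROTO_NUMBERS.get(val.lower()) or int(val)
            elif key.upper() in ("SRCPORT", "DESTPORT"):
                rule["sport" if key.upper() == "SRCPORT" else "dport"] = val
        rules.append(rule)
    return rules

def _match(rule, src, dst, sport, dport):
    """'*' matches anything; otherwise compare as an IP address or a port number."""
    vals = {"src": src, "dst": dst, "sport": sport, "dport": dport}
    return all(rule[k] == "*" or (int(rule[k]) == v if isinstance(v, int)
               else ipaddress.ip_address(rule[k]) == v) for k, v in vals.items())

def evaluate(rules, src, dst, proto, sport=0, dport=0):
    """First match wins, else the implicit deny. Assumption: default rules are
    bidirectional, so SRCPort 4159 also covers the client's inbound connect."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule["v6"] != (src.version == 6) or rule["proto"] not in (None, proto):
            continue
        if _match(rule, src, dst, sport, dport) or _match(rule, dst, src, dport, sport):
            return "permit", rule
    return "deny", None
```

Run `evaluate(parse_policy(DEFAULT_POLICY), client, server, 6, ephemeral_port, 4159)` to confirm a client connection is permitted, and note that an IPv6 client is only covered because the IPSEC6Rule is present.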
For details about defining IP security policy files, see the Policy Agent and policy applications topic in z/OS Communications Server: IP Configuration Reference.
An example of an IpFilterRule statement for IPv4, an IpFilterRule statement for IPv6, and an IpGenericFilterAction statement that allows NSS clients to communicate with the NSS server is as follows:
# IPv4: NSS server (TCP port 4159) to and from NSS clients on ephemeral ports
IpFilterRule NssTrafficIPv4
{
  IpSourceAddr all4
  IpDestAddrSet all4
  IpService
  {
    SourcePortRange 4159
    DestinationPortRange 1024 65535
    Protocol tcp
    # InboundConnect: only the NSS client may initiate the TCP connection
    Direction bidirectional InboundConnect
    Routing local
  }
  IpGenericFilterActionRef permit-nolog
}
# IPv6: same rule for NSS clients that connect over IPv6
IpFilterRule NssTrafficIPv6
{
  IpSourceAddr all6
  IpDestAddrSet all6
  IpService
  {
    SourcePortRange 4159
    DestinationPortRange 1024 65535
    Protocol tcp
    Direction bidirectional InboundConnect
    Routing local
  }
  IpGenericFilterActionRef permit-nolog
}
# Action referenced by both rules: permit the traffic without filter logging
IpGenericFilterAction permit-nolog
{
  IpFilterAction permit
  IpFilterLogging no
}