IP filtering

The NSS server communicates with NSS clients using the TCP protocol. The NSS server binds to all stacks using either INADDR_ANY or in6addr_any as the IP address. IP filters rules must be defined for any IP security stacks that contain an interface to which the NSS client will connect (for details about configuring the IKE daemon as an NSS client, see IP security). Remote IPSec clients use an ephemeral port when connecting to the NSS server. Ephemeral ports are generally in the range 1024–65355.

Two types of IP filter policy can be defined for a z/OS® stack:

• You can define a default IP filter policy in the TCP/IP profile. Updating default IP filter policy to permit communications between the NSS server and NSS clients is optional. Default IP filter policy is in effect only when IP security filter policy cannot be loaded or when the ipsec -f default command has been issued.

  For details about defining default IP filter policy in the TCP/IP profile, see z/OS Communications Server: IP Configuration Reference.

  The following default policy contains IPSECRule definitions that allow IPv4 and IPv6 NSS server traffic with NSS clients:

  IPSEC LOGENable
  ; Rule      SrcAddr DstAddr   Logging Protocol   SrcPort    DestPort     Routing Secclass
  
  ; OSPF protocol used by Omproute
    IPSECRule *       *         NOLOG   PROTO OSPF
  
  ; IGMP protocol used by Omproute
    IPSECRule *       *         NOLOG   PROTO 2
  
  ; DNS queries to UDP port 53
    IPSECRule *       *         NOLOG   PROTO UDP  SRCPort *  DESTport 53
  
  ; Administrative access
    IPSECRule *       9.1.1.2   LOG                                                SECCLASS 100
  
  ; Network security services (NSS) server access to the NSS client
    IPSECRule *       *         LOG     TCP        SRCPort 4159 DESTport *    
  
  ; Network security services (NSS) server access to the NSS client
    IPSEC6Rule *      *         LOG     TCP        SRCPort 4159 DESTport *  
  
  ENDIPSEC

  Rule: The SRCport value in the filter rules must include the value specified on the port parameter of the NssConfig statement in the NSS server configuration file.
• You can define an IP security filter policy in Policy Agent configuration files. IP security filter policy must be updated to permit communications between the NSS server and NSS clients.

  For details about defining IP security policy files, see the Policy Agent and policy applications topic in z/OS Communications Server: IP Configuration Reference.

  An example of an IpFilterRule statement for IPv4, an IpFilterRule statement for IPv6, and an IpGenericFilterAction statement that allows NSS clients to communicate with the NSS server is as follows:

  IpFilterRule             NssTrafficIPv4
    {
        IpSourceAddr             all4
        IpDestAddrSet            all4
        IpService
        {
           SourcePortRange        4159
           DestinationPortRange   1024 65535
           Protocol               tcp
           Direction              bidirectional InboundConnect
           Routing                local
        }
        IpGenericFilterActionRef  permit-nolog
    }
  
  IpFilterRule             NssTrafficIPv6
    {
       IpSourceAddr             all6
       IpDestAddrSet            all6
       IpService
       {
          SourcePortRange        4159
          DestinationPortRange   1024 65535
          Protocol               tcp
          Direction              bidirectional InboundConnect
          Routing                local
       }
       IpGenericFilterActionRef  permit-nolog
    }
  
  IpGenericFilterAction    permit-nolog
    {  
       IpFilterAction           permit
       IpFilterLogging          no
    }

  Rule: The DestinationPortRange value on the IpService statements must include the value specified on the port parameter of the NssConfig statement in the NSS server configuration file.