Diana,
You can't include something like 162.56.*.* in your FILTER line, but you can
achieve the same result by using the ADDRESS keyword.
ADDRESS net16256 IP = 162.56.0.0 THROUGH 162.56.255.255
FILTER SET TestFilter ACTION = PERMIT DIRECTION = INBOUND SRCADDR =
net16256 DSTADDR = * PROTOCOL = * DSTPORT = * SRCPORT = *
The "net16256" in the FILTER line points to the IP address range specified
in the ADDRESS line.
Also, I second Larry's recommendation of the rescue command (RMVTCPTBL) and
a non-TCP/IP terminal to be able to run it on. Packet filters are quite
effective at locking everybody out! Been there, done that!
Hope this helps!
Richard Casey
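
Added example, not part of the original thread: a Python helper that turns the wildcard form asked about into the ADDRESS range and FILTER line shown above, and lists which administrator addresses would fall outside the permitted range before the rule is activated. The function names, the sample admin addresses, and the assumption that this single PERMIT filter is the only rule in effect (all other traffic denied) are illustrative.

```python
import ipaddress

def wildcard_to_range(pattern):
    """Convert a pattern such as '162.56.*.*' to (first, last) IPv4 addresses."""
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {pattern!r}")
    low, high, seen_star = [], [], False
    for octet in octets:
        if octet == "*":
            seen_star = True
            low.append("0")
            high.append("255")
        elif seen_star:
            # 162.*.56.* is not one contiguous range, so THROUGH cannot express it
            raise ValueError(f"wildcards must be trailing octets: {pattern!r}")
        else:
            low.append(octet)
            high.append(octet)
    # IPv4Address rejects octets that are not numbers in 0..255
    return (ipaddress.IPv4Address(".".join(low)),
            ipaddress.IPv4Address(".".join(high)))

def packet_rules(pattern, addr_name, set_name):
    """Emit the ADDRESS and FILTER statements in the form used in this thread."""
    first, last = wildcard_to_range(pattern)
    return [
        f"ADDRESS {addr_name} IP = {first} THROUGH {last}",
        f"FILTER SET {set_name} ACTION = PERMIT DIRECTION = INBOUND "
        f"SRCADDR = {addr_name} DSTADDR = * PROTOCOL = * DSTPORT = * SRCPORT = *",
    ]

def locked_out(pattern, admin_ips):
    """Return the admin addresses outside the permitted range.
    Assumption: this PERMIT filter is the only rule, everything else is denied."""
    first, last = wildcard_to_range(pattern)
    return [ip for ip in admin_ips
            if not first <= ipaddress.IPv4Address(ip) <= last]

if __name__ == "__main__":
    for line in packet_rules("162.56.*.*", "net16256", "TestFilter"):
        print(line)
    # Constructed sample addresses of workstations used for administration
    print("would be locked out:", locked_out("162.56.*.*", ["162.56.10.4", "10.1.1.20"]))
```
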
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Diana Hicks
Sent: Tuesday, July 10, 2007 4:12 PM
To: MIDRANGE-L@xxxxxxxxxxxx
Subject: RE: Denying TCP connections based on IP
Charles and Larry,
Thanks to both of you for the information on the IP filter in Packet
Rules. I have researched the documentation in the link and in iNav
help. The sample filter statements seemed to have the primary
information that I need for the syntax. The only question I have is can
the SRCADDR = parameter have a value of 162.56.*.* to allow all IP
addresses that begin with 162.56 and therefore default to deny all other
addresses that do not begin with 162.56.
For example:
FILTER SET TestFilter ACTION = PERMIT DIRECTION = INBOUND SRCADDR =
162.56.*.* DSTADDR = * PROTOCOL = * DSTPORT =* SRCPORT = *
If you have any other recommendations for documentation on the syntax,
please let me know. Larry, I hope I don't need your rescue command but
I am really glad that you provided it just in case. Thanks again.
Diana Hicks
Town of Jupiter
-----Original Message-----
date: Mon, 9 Jul 2007 08:25:23 -0400
from: "Wilt, Charles" <WiltC@xxxxxxxxxx>
subject: RE: Denying TCP connections based on IP
Diana,
You don't mention what version of OS/400 you're on.
But OS/400 does include an IP packet filter you can turn on to do
exactly what you are requesting.
http://publib.boulder.ibm.com/infocenter/iseries/v5r4/topic/rzajb/rzajbrzajb0ippacketsecuritysd.htm
HTH,
Charles
date: Mon, 09 Jul 2007 09:08:25 -0400
from: Larry Bolhuis <lbolhuis@xxxxxxxxxx>
subject: Re: Denying TCP connections based on IP
What you want is Packet Filters.
Open iNav then navigate down to Network -> IP Policies -> Packet Rules
Rules can be placed on any or all interfaces into your system.
There is an editor there and a wizard. Do not play here if you don't
know IP addressing and subnet masks!!
But remember the 'Foghorn Leghorn' ("Fortunately I keep my feathers
numbered for just such an Emergency!") command: RMVTCPTBL *ALL. This
is entered on the console when you activate a packet rule that
disconnects all your iNav functions so that you can't fix them! The
command doesn't delete them, simply de-activates them so you can get back
in and fix them. Don't ask how I know this command. :-)
- Larry