× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. July 2007

Re: IP polices -> packet rules....

Richard & Marty,


Logged in console and then through the iSeries navigator created the rule to
restrict our one of internal address.

It was verified and then activated. Then I had worst experience.

1. we have our own application and it started firing ODBC
error from different IP address.
2. then I tried to login in iSeries navigator and it kicked me
out saying that CWBC01048.
3. called up IBM for the support then he asked me to login
from my PC using telnet.
4. tried telnet without success.
5. found that even console is blank.
6. we were forced to reboot the server
7. system was up and console was only accessable.
8. Then did RMVTCPTBLE then we were able to access through
Client Access.
9. Tried to find in history logs, SST with out success for
root cause.


Thanks
Bob


----- Original Message ----
From: "Urbanek, Marty" <Marty_Urbanek@xxxxxxxxxxxx>
To: midrange-l@xxxxxxxxxxxx
Sent: Tuesday, July 10, 2007 1:45:29 PM
Subject: RE: IP polices -> packet rules....


Bob,

Below is a packet rule I used to black all traffic from a specific IP
address within our network that was causing trouble, let's say
10.10.10.10. That rule worked on V5R3 and I don't know if there have
been syntax changes between releases. This was used with a single TCP/IP
interface on an ethernet line named ETHLIN.

In case the formatting gets all messed up, the filter text below is
supposed to chow three lines, each beginning with "FILTER".

USE IT AT YOUR OWN RISK and like Richard said, keep a console handy and
the command to deactivate the rules! This stuff can really knock you
dead in the water (found that out the hard way). The second line is very
important because you want to permit other traffic and if you don't,
everything will be blocked!

-Marty

===== start of filter text

FILTER SET x ACTION = DENY DIRECTION = INBOUND SRCADDR =
10.10.10.10 DSTADDR = * PROTOCOL = * DSTPORT = * SRCPORT = *
JRN = OFF

FILTER SET ALL ACTION = PERMIT DIRECTION = * SRCADDR = * DSTADDR
= * PROTOCOL = * DSTPORT = * SRCPORT = * JRN = OFF

FILTER_INTERFACE LINE = ETHLIN SET = x, ALL

===== end of filter text

-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx]On Behalf Of Bob David
Sent: Tuesday, July 10, 2007 11:19 AM
To: MIDRANGE-L@xxxxxxxxxxxx
Subject: IP polices -> packet rules....


List,

I am planning to create a packet rule to restrict particular ip address.
Using bellow.

In iSeries? Navigator, select your server ??> Network ??> IP policies
??> Packet rules.

My question is does this require TCP service should be bring down prior
to the rule activation?

Any idea on this rules createion/modification?



Thanks
Bob


As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.