


Careful! While Jim is technically correct, I'm not sure you will get the results you desire.

Review: You want to prevent IBM i from using certain port numbers when it connects. That is, the SOURCE port number is what you want to block, correct? (If you want to block TARGET port numbers then stop reading, Jim's solutions are correct.)

If you implement either the packet filters or an external firewall you WILL stop those ports; that said, though, you'll encounter no end of problems. If IBM i initiates a Telnet connection, for example, it will target port 23 but the source port is selected from available ports; let's say it chooses 48052. If that port is open, then the connection is good to go. But if you've created a rule that blocks ports 48000-49000, for example, then IBM i will try to connect but won't succeed. It won't know why and your connection is toast. It doesn't say: "Hmmm, let's try port 49052"; instead it just fails.

What you really want is to tell IBM i itself to not USE ports 48000-49000. I do seem to recall seeing that is possible, but I can't recall and don't have time to research that. I did want you to understand the pitfalls of the proposed solution.

- Larry "DrFranken" Bolhuis

On 2/6/2012 7:48 PM, Albert York wrote:
Thanks Jim.

On Mon, Feb 6, 2012 at 4:40 PM, Jim Oberholtzer <midrangel@xxxxxxxxxx> wrote:
You can use the packet filter on the IBM i instance to stop outbound
packets based on specific port numbers and/or IP addresses. Just the
same as a firewall can block outbound transactions.

The only reason the packet filter is not called a firewall is there are
some limitations on the statefulness of the packet filters. IBM chose
not to put any further effort into it realizing that most folks would
use an external firewall.

If you don't like the packet filter idea, a small Cisco 5505 is about
$500 and could easily solve the problem as well.

Packet filter : Already paid for.

Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects


On 2/6/2012 6:33 PM, Albert York wrote:
I don't think I was clear in my original statement. I want to block
the iSeries from using certain ports to connect to other servers.

Albert

On Mon, Feb 6, 2012 at 4:20 PM, Jim Oberholtzer <midrangel@xxxxxxxxxx> wrote:
Yes, you can use the Packet Rules. You'll find the rules editor in
System i Navigator, Network, IP Policies, Packet Rules.

Once the rules are there they look deceptively close to many of the
firewall rules you may already be familiar with. You can edit them with
any text editor, including the green screen editor (if you're really in
for torture). RDP can edit them as well once you understand the syntax.

Jim Oberholtzer
Chief Technical Architect
Agile Technology Architects


On 2/6/2012 5:36 PM, Albert York wrote:
Is there a way to block certain outgoing ports from the iSeries?
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
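
An added example, not part of the original thread: the source-port versus target-port distinction raised in the top reply, shown with ordinary sockets in Python. The loopback listener, the function names and the retry logic are hypothetical; this is generic TCP behaviour, not a test of the IBM i stack or its packet rules.

```python
import socket

DENIED = range(48000, 49001)  # constructed: the 48000-49000 range from the thread

def filter_drops(src_port, dst_port, denied_src=DENIED):
    """Stateless outbound rule keyed on SOURCE port; the target port is ignored."""
    return src_port in denied_src

def start_listener():
    """Loopback listener standing in for the remote server (hypothetical)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    return srv

def plain_connect(dst):
    """Ordinary client: the OS picks the source port during connect()."""
    s = socket.create_connection(dst)
    return s, s.getsockname()[1]

def connect_avoiding(dst, denied_src=DENIED, attempts=50):
    """Client that controls its own source port: bind to port 0, look at what
    the OS assigned, and retry if it falls inside the denied range."""
    for _ in range(attempts):
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(("127.0.0.1", 0))
        port = s.getsockname()[1]
        if port in denied_src:
            s.close()
            continue
        s.connect(dst)
        return s, port
    raise OSError("no usable source port found")

def survey(n=200):
    """Open n plain connections; count how many a source-port rule would drop."""
    srv = start_listener()
    dst = srv.getsockname()
    dropped = 0
    for _ in range(n):
        s, src = plain_connect(dst)
        conn, _ = srv.accept()
        dropped += filter_drops(src, dst[1])
        conn.close()
        s.close()
    srv.close()
    return dropped, n

if __name__ == "__main__":
    print("a source-port rule would drop %d of %d connections" % survey())
```

How many connections the survey reports as dropped depends on the ephemeral port range of the machine it runs on, which is why a source-port rule shows up as intermittent failures rather than a clean block.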



This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].