On 07-Oct-2016 09:08 -0500, DrFranken wrote:
There is a RMVTCPTBL command. It lets you 'undo' any packet filters.
There is no ADDTCPTBL or ACTTCPTBL or other command I can find to
activate a set of rules.
[…]
The list archives have a note that Bruce Vining was potentially going
to create such a thing but there was no followup noted.
Any ideas how one could activate a packet filter rule set via a
program??
  Way too much searching before I found a command interface related to 
the topic, but from this web search 
(https://www.google.com/search?q=activate+IP+filtering+rules+%22i3p%22), 
I found the following article that may be of some interest.
  Not sure *how* I ended up *missing* the "Load/Unload IP Filter" 
option from the IBM i 7.3 "Filter Commands" MENU after typing GO CMDFTR, 
but I did. That would have been a much less convoluted path :-) The VPN 
stuff is included in the quoted text per the "title" of the article not 
including any note of IP Filtering PacketRules, and that the example 
command invocation specifies Include VPN Rules (INCVPN), but is 
apparently specifically *activating* the IP Filtering as the base-action 
of that command -- the mnemonics imply a *load* anyhow.  Perhaps the 
omission from the title was purposeful, because there is no conspicuous 
indication that there is anything _new_ outside of iNav that is there to 
help create the .i3p file.  But if such a file already exists, or how to 
create one is already known, then:
["IBM i 7.1 and 7.2 VPN Enhancements"|Oct-2014|by Ashley Good] 
(http://www.ibmsystemsmag.com/ibmi/administrator/networks/i71-i72-vpn-enhancements/)
"…
Filter Rules and VPN Commands
Four new commands are provided in IBM i 7.2 to assist clients with VPN 
configuration and management actions previously only possible through 
Navigator.
The Load/Unload IP Filter (LODIPFTR) command is used to load and unload 
Internet protocol (IP) filter rules. LODIPFTR gives the user the option 
to include the VPN rules with the INCVPN(*YES) parameter. The VPN rules 
included in the load or unload are the rules that reside in 
/QIBM/UserData/OS400/TCPIP/OPNAVRULES/VPNPOLICYFILTERS.I3P and are 
generated by Navigator.
This example shows the command to load filter rules on all interfaces, 
including VPN rules:
     LODIPFTR OPTION(*LOAD) LIND(*ALL)
     STMF('/QIBM/UserData/OS400/TCPIP/PacketRules/test.i3p')
     INCVPN(*YES)
The Copy VPN Configuration File (CPYVPNCFGF) command provides new 
functionality to import, export or validate all VPN configurations on a 
system. When used to import, all of the current VPN connections on the 
system, except the IBM Universal Connection Wizard (UCW) connections 
QVPN01IBM1 and QVPN01IBM2, are deleted and replaced with the imported 
configuration. It cannot be used to import or export individual 
connections. Importing the VPN configuration file with CPYVPNCFGF does 
not import the filter rules. The filter rules need to be re-created to 
be used with the imported connections.
 …"
  So apparently still quite dependent upon iNav, but, I infer that the 
file /QIBM/ProdData/OS400/TCPIP/PacketRules/Template4PacketRules.tcpipml 
created with the XML that the wizard(s) generate [or generated by 
another means] will be converted into the .i3p file by the so-called 
"Filter Rule Activate API" from the text of APAR SE29067 -- so if you 
can find out what objects shipped with either of the following PTFs, 
maybe that will reveal the so-called "API"?:
v5r3m0 R530 SI27713 cNone
v5r4m0 R540 SI27703 c7282540
  FWiW, I did not look to see if there is an updated version of the 
following document that might include reference to the above Load/Unload 
IP Filter (LODIPFTR) command, but the following document will show 
something about the Stream Files and locations [and ownership\authority] 
requirements, among other things;
[Networking IP filtering and network address translation]
(https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_72/rzajb/rzajbpdf.pdf)