Packet filtering

The concept behind packet filtering is to examine each packet for an approved source and destination (that is, the application the packet is addressed to). Packet filtering can be done in routers, but there are known ways to bypass packet filtering in routers by using fragmentation. The most secure approach is distributed packet filtering, implemented in both routers and hosts.

TCP/IP packet filtering firewall support allows you to define rules to filter inbound packets destined for z/TPF applications. The packets are filtered based on the source Internet Protocol (IP) address of the packet, the destination port of the packet, the protocol of the packet, and the action to take if the packet fits the rule.
Note: Packet filtering rules are applied to TCP connections started by remote nodes, not to connections started by z/TPF; if z/TPF starts a TCP connection, packet filtering rules are bypassed.
The packet filtering rules are defined in a file called /etc/iprules.txt. To set up or modify the packet filtering rules, do the following:
  1. Create or modify the /etc/iprules.txt file by doing one of the following:
    • Use the ZFILE commands to create or update the file directly on your z/TPF system.
    • Create or modify the file on another system and use Trivial File Transfer Protocol (TFTP) or File Transfer Protocol (FTP) to transfer the file to the basic subsystem (BSS) of your z/TPF system.
  2. From the BSS, enter ZFILT REFRESH to refresh the file and copy it to core storage. The rules take effect immediately after you enter this command.
    Note: Information from the packet filtering rules file is also read into core storage during system restart.
You can display the packet filtering rules that are defined in the z/TPF system by entering ZFILT DISPLAY. The display shows which rules are defined, as well as the number of packets to which each rule has been applied. See z/TPF Operations for information about the ZFILE and ZFILT commands.
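The following is an added illustrative model of the rule evaluation described above; it is not z/TPF code, and the line syntax parsed by parse_rules is constructed for this example, not the /etc/iprules.txt syntax (which this page does not document). It models the four fields the page names for each rule (source IP address, destination port, protocol, action), the bypass for connections that z/TPF itself starts, the refresh that swaps a new rule set into memory, and the per-rule packet count that ZFILT DISPLAY reports. First-match evaluation and the deny-by-default policy for unmatched packets are assumptions of the model.

```python
"""Model of inbound packet-filter rule evaluation (added example, not z/TPF code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    source: str                # CIDR or single address, e.g. "10.0.0.0/8"
    protocol: str              # "tcp" or "udp"
    dest_port: Optional[int]   # None means any destination port (assumption)
    action: str                # "accept" or "deny"
    hits: int = 0              # packets to which this rule has been applied

    def matches(self, src_ip: str, protocol: str, dest_port: int) -> bool:
        net = ipaddress.ip_network(self.source, strict=False)
        return (ipaddress.ip_address(src_ip) in net
                and self.protocol == protocol
                and (self.dest_port is None or self.dest_port == dest_port))


def parse_rules(text: str) -> List[Rule]:
    """Parse a constructed whitespace-separated format (NOT the iprules.txt syntax):
    <source> <protocol> <dest_port|any> <action>, '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        src, proto, port, action = line.split()
        if action not in ("accept", "deny"):
            raise ValueError(f"bad action in rule: {line!r}")
        rules.append(Rule(src, proto.lower(), None if port == "any" else int(port), action))
    return rules


class PacketFilter:
    def __init__(self, rules: List[Rule], default_action: str = "deny"):
        self.rules = rules
        self.default_action = default_action   # assumed policy when no rule matches

    def refresh(self, text: str) -> None:
        # Like ZFILT REFRESH: the new rule set replaces the in-memory set at once.
        self.rules = parse_rules(text)

    def decide(self, src_ip: str, protocol: str, dest_port: int,
               initiated_locally: bool = False) -> str:
        # Rules apply only to connections started by remote nodes; a connection
        # that z/TPF itself started bypasses the rules entirely.
        if initiated_locally:
            return "accept"
        for rule in self.rules:            # first matching rule wins (assumption)
            if rule.matches(src_ip, protocol, dest_port):
                rule.hits += 1
                return rule.action
        return self.default_action

    def display(self) -> List[Tuple[str, str, Optional[int], str, int]]:
        # Equivalent in spirit to ZFILT DISPLAY: each rule with its hit count.
        return [(r.source, r.protocol, r.dest_port, r.action, r.hits) for r in self.rules]


# Constructed sample rule set (addresses from documentation ranges).
SAMPLE_RULES = """
192.168.0.0/16 tcp 5000 deny    # block one internal range from the app port
10.0.0.0/8     tcp 5000 accept  # allow the rest of the private network
0.0.0.0/0      udp 514  accept  # syslog from anywhere
"""


def build_demo_filter() -> PacketFilter:
    pf = PacketFilter([])
    pf.refresh(SAMPLE_RULES)
    return pf


if __name__ == "__main__":
    pf = build_demo_filter()
    for pkt in [("10.1.2.3", "tcp", 5000), ("192.168.7.7", "tcp", 5000),
                ("203.0.113.5", "tcp", 5000), ("203.0.113.5", "udp", 514)]:
        print(pkt, "->", pf.decide(*pkt))
    print("outbound-initiated ->", pf.decide("203.0.113.5", "tcp", 5000, initiated_locally=True))
    for row in pf.display():
        print(row)
```

Note that the locally initiated connection is accepted without touching any rule counter, which mirrors the page's statement that rules are bypassed for connections z/TPF starts, and the unmatched inbound packet from 203.0.113.5 falls to the model's assumed default rather than to any rule.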