IBM i Series / AS400 IP policies / firewall rules

I have an IBM i Series (AS/400) that needs to be put on a public IP. I want to close the ports facing the internet and open only a few ports to the outside world, while keeping the internal network open for FTP, 5250, etc.

I opened System i Navigator and looked at the IP Policy editor, but I'm not really sure how to go about this. The public IP 211.*.*.* has just been edited so as not to show the real IP, and the * is not a wildcard. Yesterday I locked everyone out of the AS400 with this mistake, and I'm not really sure where I went wrong, so I changed it to this - RMVTCPTBL TBL(*IPFTR) saved the day.... Something like;

#Assign IP Addresses to Names
ADDRESS External_AS400 IP = 211.*.*.* TYPE = BORDER
#Internal lan network address
ADDRESS INTERNAL_AS400 IP = 192.168.1.201 TYPE = TRUSTED
ADDRESS Internal_Lan IP = 192.168.1.0 MASK = 255.255.255.0 TYPE = TRUSTED
#Inbound from Internet rules (SSH, SMTP, POP3 to both the border and the trusted address)
FILTER SET Inbound_AS400   ACTION = PERMIT   DIRECTION = INBOUND   SRCADDR = *   DSTADDR = INTERNAL_AS400   PROTOCOL = TCP   DSTPORT = 22   SRCPORT = *   FRAGMENTS = NONE JRN = OFF
FILTER SET Inbound_AS400   ACTION = PERMIT   DIRECTION = INBOUND   SRCADDR = *   DSTADDR = External_AS400   PROTOCOL = TCP   DSTPORT = 22   SRCPORT = *   FRAGMENTS = NONE JRN = OFF
FILTER SET Inbound_AS400   ACTION = PERMIT   DIRECTION = INBOUND   SRCADDR = *   DSTADDR = INTERNAL_AS400   PROTOCOL = TCP   DSTPORT = 25   SRCPORT = *   FRAGMENTS = NONE JRN = OFF
FILTER SET Inbound_AS400   ACTION = PERMIT   DIRECTION = INBOUND   SRCADDR = *   DSTADDR = External_AS400   PROTOCOL = TCP   DSTPORT = 25   SRCPORT = *   FRAGMENTS = NONE JRN = OFF
FILTER SET Inbound_AS400   ACTION = PERMIT   DIRECTION = INBOUND   SRCADDR = *   DSTADDR = INTERNAL_AS400   PROTOCOL = TCP   DSTPORT = 110   SRCPORT = *   FRAGMENTS = NONE JRN = OFF
FILTER SET Inbound_AS400   ACTION = PERMIT   DIRECTION = INBOUND   SRCADDR = *   DSTADDR = External_AS400   PROTOCOL = TCP   DSTPORT = 110   SRCPORT = *   FRAGMENTS = NONE JRN = OFF
#Allow local lan access to server (the name must match the ADDRESS defined above: Internal_Lan, not Interal_Lan)
FILTER SET Inbound_AS400    ACTION = PERMIT   DIRECTION = INBOUND   SRCADDR = Internal_Lan DSTADDR = INTERNAL_AS400 PROTOCOL = * DSTPORT = * SRCPORT = * FRAGMENTS = * JRN = OFF
FILTER SET Inbound_AS400    ACTION = PERMIT   DIRECTION = INBOUND   SRCADDR = Internal_Lan DSTADDR = External_AS400 PROTOCOL = * DSTPORT = * SRCPORT = * FRAGMENTS = * JRN = OFF
#Outbound to Internet Rules
FILTER SET Outbound_AS400   ACTION = PERMIT   DIRECTION = OUTBOUND   SRCADDR = INTERNAL_AS400   DSTADDR = *   PROTOCOL = *   DSTPORT = *   SRCPORT = *   FRAGMENTS = * JRN = OFF
FILTER SET Outbound_AS400   ACTION = PERMIT   DIRECTION = OUTBOUND   SRCADDR = External_AS400   DSTADDR = *   PROTOCOL = *   DSTPORT = *   SRCPORT = *   FRAGMENTS = * JRN = OFF
#Get Out of Jail Free (permits every packet in both directions on any line it is attached to; every keyword needs "= value")
FILTER SET ALLOWALL ACTION = PERMIT DIRECTION = * SRCADDR = * DSTADDR = * PROTOCOL = * DSTPORT = * SRCPORT = * FRAGMENTS = * JRN = OFF
#Allocate FILTER SET to Network INTERFACE
FILTER_INTERFACE   LINE = TCPLIN2   SET = Inbound_AS400
FILTER_INTERFACE   LINE = TCPLIN2   SET = Outbound_AS400
FILTER_INTERFACE   LINE = TCPLIN2   SET = ALLOWALL
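
A small checker, added here as an example and not part of the original post, for two mistakes that are easy to make in a rule file of this shape: an SRCADDR/DSTADDR that names an ADDRESS never defined (a typo such as Interal_Lan for Internal_Lan), and a permit-everything set attached to the same line as the restrictive sets, which makes those sets pointless. The sample rules are constructed (documentation addresses in place of the real ones), the parser follows only the simplified `KEYWORD = value` syntax shown on this page, and treating names as case-insensitive is an assumption.

```python
import re

# Constructed sample modelled on the rule file in the question above (not the
# poster's file). Two defects are embedded: an undefined address name on the
# sixth line and a permit-everything set attached to the line on the last one.
SAMPLE_RULES = """\
#Assign IP Addresses to Names
ADDRESS External_AS400 IP = 203.0.113.10 TYPE = BORDER
ADDRESS INTERNAL_AS400 IP = 192.168.1.201 TYPE = TRUSTED
ADDRESS Internal_Lan IP = 192.168.1.0 MASK = 255.255.255.0 TYPE = TRUSTED
FILTER SET Inbound_AS400 ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * DSTADDR = External_AS400 PROTOCOL = TCP DSTPORT = 22 SRCPORT = * FRAGMENTS = NONE JRN = OFF
FILTER SET Inbound_AS400 ACTION = PERMIT DIRECTION = INBOUND SRCADDR = Interal_Lan DSTADDR = INTERNAL_AS400 PROTOCOL = * DSTPORT = * SRCPORT = * FRAGMENTS = * JRN = OFF
FILTER SET ALLOWALL ACTION = PERMIT DIRECTION = * SRCADDR = * DSTADDR = * PROTOCOL = * DSTPORT = * SRCPORT = * FRAGMENTS = * JRN = OFF
FILTER_INTERFACE LINE = TCPLIN2 SET = Inbound_AS400
FILTER_INTERFACE LINE = TCPLIN2 SET = ALLOWALL
"""

KV = re.compile(r"(\w+)\s*=\s*(\S+)")  # one "KEYWORD = value" pair
WILDCARD_KEYS = ("DIRECTION", "SRCADDR", "DSTADDR", "PROTOCOL", "DSTPORT")

def parse_line(line):
    """Split one statement into (statement kind, set/address name, {key: value})."""
    tokens = line.split()
    kind = tokens[0]
    if kind == "ADDRESS":
        return kind, tokens[1], dict(KV.findall(line))
    if kind == "FILTER" and len(tokens) > 2 and tokens[1] == "SET":
        return kind, tokens[2], dict(KV.findall(line))
    return kind, None, dict(KV.findall(line))

def lint(text):
    """Return [(line_no, message)] findings; an empty list means no issue found."""
    findings, names, permit_all = [], set(), set()
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, kv = parse_line(line)
        if kind == "ADDRESS":
            names.add(name.upper())          # assumption: names are case-insensitive
        elif kind == "FILTER":
            if "ACTION" not in kv:
                findings.append((no, "ACTION has no '= value' (missing '=')"))
            for key in ("SRCADDR", "DSTADDR"):
                ref = kv.get(key, "*")
                if ref != "*" and ref.upper() not in names:
                    findings.append((no, f"{key} refers to undefined ADDRESS {ref}"))
            if kv.get("ACTION") == "PERMIT" and all(kv.get(k) == "*" for k in WILDCARD_KEYS):
                permit_all.add(name)         # this set matches every packet
        elif kind == "FILTER_INTERFACE" and kv.get("SET") in permit_all:
            findings.append((no, f"permit-all set {kv['SET']} attached to {kv.get('LINE')}"))
    return findings

if __name__ == "__main__":
    for no, msg in lint(SAMPLE_RULES):
        print(f"line {no}: {msg}")
```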

Answer 1

I think it's getting confused because you're putting all the rules on the same line description, LINE = TCPLIN2.

Do you know how many network adapters there are on this system? WRKHDWRSC TYPE(*CMN) and check for adapters of type 5767 with a status of Operational. Most iSeries have at least 2. If you have a couple of adapters, you could assign one for internal traffic and the other for external traffic.

You can also create virtual Ethernet adapters with the Hardware Management Console, again one each for external/internal traffic. It may be easier to achieve what you need with 2 adapters.

Answer 2

Sorry, I don't do this kind of thing. But wouldn't you want to put a hardware firewall in front of the physical server? That way you'd add a layer of protection between the internet and the server.
