I have an IBM iSeries (AS/400) that needs to go onto a public IP. I would like to shut the internet-facing ports down, open only some ports to the outside world, and keep the internal network open for FTP, 5250, etc.

I have System i Navigator open and am looking at the IP Policies editor, and I'm not entirely sure how to go about this. The public IP 211.*.*.* has been edited so as not to show the real IP; the *'s are not wildcards. I locked everybody out of the AS/400 yesterday by getting this wrong, and I'm not quite sure how I went wrong, so I have amended it with this (RMVTCPTBL TBL(*IPFTR) saved the day). Something like:

# Assign IP addresses to names
ADDRESS External_AS400 IP = 211.*.*.* TYPE = BORDER
# Internal LAN network address
ADDRESS INTERNAL_AS400 IP = 192.168.1.201 TYPE = TRUSTED
ADDRESS Internal_Lan IP = 192.168.1.0 MASK = 255.255.255.0 TYPE = TRUSTED
# Inbound from Internet rules (SSH, SMTP, POP3 to either address)
FILTER SET Inbound_AS400   ACTION = PERMIT   DIRECTION = INBOUND   SRCADDR = *   DSTADDR = INTERNAL_AS400   PROTOCOL = TCP   DSTPORT = 22   SRCPORT = *   FRAGMENTS = NONE JRN = OFF
FILTER SET Inbound_AS400   ACTION = PERMIT   DIRECTION = INBOUND   SRCADDR = *   DSTADDR = External_AS400   PROTOCOL = TCP   DSTPORT = 22   SRCPORT = *   FRAGMENTS = NONE JRN = OFF
FILTER SET Inbound_AS400   ACTION = PERMIT   DIRECTION = INBOUND   SRCADDR = *   DSTADDR = INTERNAL_AS400   PROTOCOL = TCP   DSTPORT = 25   SRCPORT = *   FRAGMENTS = NONE JRN = OFF
FILTER SET Inbound_AS400   ACTION = PERMIT   DIRECTION = INBOUND   SRCADDR = *   DSTADDR = External_AS400   PROTOCOL = TCP   DSTPORT = 25   SRCPORT = *   FRAGMENTS = NONE JRN = OFF
FILTER SET Inbound_AS400   ACTION = PERMIT   DIRECTION = INBOUND   SRCADDR = *   DSTADDR = INTERNAL_AS400   PROTOCOL = TCP   DSTPORT = 110   SRCPORT = *   FRAGMENTS = NONE JRN = OFF
FILTER SET Inbound_AS400   ACTION = PERMIT   DIRECTION = INBOUND   SRCADDR = *   DSTADDR = External_AS400   PROTOCOL = TCP   DSTPORT = 110   SRCPORT = *   FRAGMENTS = NONE JRN = OFF
# Allow local LAN access to server (address name must match the ADDRESS definition above: Internal_Lan)
FILTER SET Inbound_AS400    ACTION = PERMIT   DIRECTION = INBOUND   SRCADDR = Internal_Lan DSTADDR = INTERNAL_AS400 PROTOCOL = * DSTPORT = * SRCPORT = * FRAGMENTS = * JRN = OFF
FILTER SET Inbound_AS400    ACTION = PERMIT   DIRECTION = INBOUND   SRCADDR = Internal_Lan DSTADDR = External_AS400 PROTOCOL = * DSTPORT = * SRCPORT = * FRAGMENTS = * JRN = OFF
# Outbound to Internet rules
FILTER SET Outbound_AS400   ACTION = PERMIT   DIRECTION = OUTBOUND   SRCADDR = INTERNAL_AS400   DSTADDR = *   PROTOCOL = *   DSTPORT = *   SRCPORT = *   FRAGMENTS = * JRN = OFF
FILTER SET Outbound_AS400   ACTION = PERMIT   DIRECTION = OUTBOUND   SRCADDR = External_AS400   DSTADDR = *   PROTOCOL = *   DSTPORT = *   SRCPORT = *   FRAGMENTS = * JRN = OFF
# Get Out of Jail Free (permit-all catch-all; keyword needs the "=" like every other field)
FILTER SET ALLOWALL ACTION = PERMIT DIRECTION = * SRCADDR = * DSTADDR = * PROTOCOL = * DSTPORT = * SRCPORT = * FRAGMENTS = * JRN = OFF
# Allocate filter sets to the network interface
FILTER_INTERFACE   LINE = TCPLIN2   SET = Inbound_AS400
FILTER_INTERFACE   LINE = TCPLIN2   SET = Outbound_AS400
FILTER_INTERFACE   LINE = TCPLIN2   SET = ALLOWALL
Squid_Vicious
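Since the question is really about getting a rule file right before activating it (the author was already locked out once), here is an added example that is not part of the question and not IBM tooling: a small Python checker that parses the ADDRESS / FILTER SET / FILTER_INTERFACE lines in the style used above, flags address names that are referenced but never defined, and simulates a few constructed packets against the sets attached to a line. It assumes first-match, default-deny evaluation per line (my reading of the IBM i packet-rules documentation; verify against it before relying on the verdicts), treats names case-insensitively, and uses documentation-range placeholders (203.0.113.10, 198.51.100.7) instead of the masked public IP. The embedded rule text deliberately contains a misspelled address name so the check has something to catch.

```python
"""Offline sanity checker for IBM i style packet-rule text (added example, not IBM code).
Assumes: sets attached to a line are tried in order, first match decides,
and a packet matching no filter is dropped (default deny)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample. Public IPs are placeholders; the SRCADDR "Interal_Lan" typo is
# deliberate to show how a rule naming an undefined address matches nothing.
SAMPLE_RULES = """
# Assign IP addresses to names
ADDRESS External_AS400 IP = 203.0.113.10 TYPE = BORDER
ADDRESS INTERNAL_AS400 IP = 192.168.1.201 TYPE = TRUSTED
ADDRESS Internal_Lan IP = 192.168.1.0 MASK = 255.255.255.0 TYPE = TRUSTED
# Inbound from the Internet: SSH only
FILTER SET Inbound_AS400 ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * DSTADDR = External_AS400 PROTOCOL = TCP DSTPORT = 22 SRCPORT = * FRAGMENTS = NONE JRN = OFF
# Inbound from the LAN: everything (misspelled name!)
FILTER SET Inbound_AS400 ACTION = PERMIT DIRECTION = INBOUND SRCADDR = Interal_Lan DSTADDR = INTERNAL_AS400 PROTOCOL = * DSTPORT = * SRCPORT = * FRAGMENTS = * JRN = OFF
FILTER SET Outbound_AS400 ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR = INTERNAL_AS400 DSTADDR = * PROTOCOL = * DSTPORT = * SRCPORT = * FRAGMENTS = * JRN = OFF
FILTER_INTERFACE LINE = TCPLIN2 SET = Inbound_AS400
FILTER_INTERFACE LINE = TCPLIN2 SET = Outbound_AS400
"""

PAIR = re.compile(r"(\w+)\s*=\s*(\S+)")  # KEY = VALUE tokens


@dataclass
class Filter:
    set_name: str
    fields: dict  # upper-cased keyword -> value as written


@dataclass
class RuleSet:
    addresses: dict = field(default_factory=dict)   # lower-cased name -> ip_network
    filters: list = field(default_factory=list)     # Filter objects in file order
    interfaces: list = field(default_factory=list)  # (line, set name) in file order


def parse_rules(text):
    rs = RuleSet()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        pairs = {k.upper(): v for k, v in PAIR.findall(line)}
        kw = words[0].upper()
        if kw == "ADDRESS":
            mask = pairs.get("MASK", "255.255.255.255")  # no MASK means a single host
            rs.addresses[words[1].lower()] = ipaddress.ip_network(
                f"{pairs['IP']}/{mask}", strict=False)
        elif kw == "FILTER" and words[1].upper() == "SET":
            rs.filters.append(Filter(words[2], pairs))
        elif kw == "FILTER_INTERFACE":
            rs.interfaces.append((pairs["LINE"], pairs["SET"]))
    return rs


def validate(rs):
    """Report undefined address names, dangling set references and unattached sets."""
    problems = []
    defined = {f.set_name.lower() for f in rs.filters}
    for f in rs.filters:
        for key in ("SRCADDR", "DSTADDR"):
            name = f.fields.get(key, "*")
            if name != "*" and name.lower() not in rs.addresses:
                problems.append(f"set {f.set_name}: {key} uses undefined address '{name}'")
    for line, set_name in rs.interfaces:
        if set_name.lower() not in defined:
            problems.append(f"line {line}: attaches undefined set '{set_name}'")
    for set_name in sorted(defined - {s.lower() for _, s in rs.interfaces}):
        problems.append(f"set {set_name} is defined but attached to no line")
    return problems


def _addr_ok(rs, name, ip):
    if name == "*":
        return True
    net = rs.addresses.get(name.lower())
    return net is not None and ipaddress.ip_address(ip) in net  # unknown name: no match


def _field_ok(pattern, value):
    return pattern == "*" or pattern.upper() == str(value).upper()


def evaluate(rs, line, direction, src, dst, proto, dport):
    """First matching filter on the line decides; no match means ('DENY', None)."""
    for if_line, set_name in rs.interfaces:
        if if_line.upper() != line.upper():
            continue
        for f in rs.filters:
            if f.set_name.lower() != set_name.lower():
                continue
            fl = f.fields
            if (_field_ok(fl.get("DIRECTION", "*"), direction)
                    and _addr_ok(rs, fl.get("SRCADDR", "*"), src)
                    and _addr_ok(rs, fl.get("DSTADDR", "*"), dst)
                    and _field_ok(fl.get("PROTOCOL", "*"), proto)
                    and _field_ok(fl.get("DSTPORT", "*"), dport)):
                return fl.get("ACTION", "DENY").upper(), f
    return "DENY", None


# Constructed probes: (line, direction, src, dst, protocol, dst port).
# 198.51.100.7 plays an Internet host, 192.168.1.50 a LAN workstation;
# port 23 carries TN5250 (5250 emulation over telnet), port 21 is FTP.
PROBES = {
    "inet->ssh":  ("TCPLIN2", "INBOUND", "198.51.100.7", "203.0.113.10", "TCP", 22),
    "inet->5250": ("TCPLIN2", "INBOUND", "198.51.100.7", "203.0.113.10", "TCP", 23),
    "lan->5250":  ("TCPLIN2", "INBOUND", "192.168.1.50", "192.168.1.201", "TCP", 23),
    "lan->ftp":   ("TCPLIN2", "INBOUND", "192.168.1.50", "192.168.1.201", "TCP", 21),
}


def lockout_check(text):
    """Map each probe to PERMIT/DENY so the file can be checked before activation."""
    rs = parse_rules(text)
    return {name: evaluate(rs, *pkt)[0] for name, pkt in PROBES.items()}
```

Run `validate(parse_rules(SAMPLE_RULES))` and `lockout_check(SAMPLE_RULES)` before activating a rule file: with the misspelled name the LAN probes come back DENY (exactly the lock-out described in the question) and the validator names the offending line; correcting the name to Internal_Lan turns lan->5250 and lan->ftp into PERMIT while inet->5250 stays DENY, which is the policy the question asks for.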

2 Answers

Sorry, I don't do this type of stuff. But wouldn't you want a hardware firewall in front of the physical server? That way you have an extra layer of protection between the internet and the server.

Mike Wills
  • Ideally yes, but this is what I have to work with. So the scope of the question would not include a separate hardware solution, unfortunately. – Squid_Vicious Aug 23 '16 at 08:17
I think it's getting confused because you are setting all the rules to the same line description, LINE = TCPLIN2.

Do you know how many network adapters you have on this system? Run WRKHDWRSC TYPE(*CMN) and check for adapters of type 5767 with a status of operational. Most iSeries will have at least 2. If you have a couple of adapters you could assign one for internal traffic and one for external.

You can also create virtual Ethernet adapters using the Hardware Management Console; again, have one for external and one for internal traffic. You could probably achieve what you need more easily with 2 adapters.