Setting Firewall Rules for TCP/IP Port Restriction

You can set restrictions on TCP/IP ports so that only specified users or groups can access them, for TCP traffic, UDP traffic, or both.

NOTE: While you can set restrictions for any ports, restricting ports 1-1024 may clash with other TCP/IP activity on your system, so you should avoid restricting them.

Firewall's port restriction interface is a graphical representation of the OS/400 CFGTCP command, which is described further in IBM documentation.

Port restrictions are enforced at all times, even if Firewall is working in FYI mode (as shown in Running Firewall in FYI Simulation mode).

To view and set rules for TCP/IP port restrictions, select 21. Work with TCP/IP Port Restrictions from the Work with Advanced Security screen (STRFW > 14), as shown in Setting Additional Firewall Rules and Displaying Logs for DDM, DRDA, DHCP, and Other Servers.

The Work with TCP/IP Port Restrictions screen appears:

                      Work with TCP/IP Port Restrictions
                                                               System:   S520
 Type options, press Enter.

 4=Delete

                                                Allowed
 Opt   Port-Range     Type   For User    Port description
       5000   5500    TCP    EVGTST
      22222  33333    TCP    EVGTST
      22222  33333    UDP    EVGTST

                                                                         Bottom
 WARNING: o Using port numbers in range 1-1024 may affect TCP/IP processing.
          o Port restrictions are enforced even in *FYI mode.
 F3=Exit   F6=Add new   F7=Sort by User   F8=Print              F12=Cancel

The body of the screen contains lines for each port restriction. Each contains several fields. After the initial Opt field, they are:

Port-Range

A pair of fields showing the starting and ending port numbers for the range restricted by this rule. If the range only contains a single port, the second field is set to *ONLY.

Type

The protocols restricted by this rule. This can be set to TCP, UDP, or *BOTH.

For User

The user or group whose access is affected by the rule.

Port description

A free-form text description of the rule.
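The following Python script is an added example, not part of the product or of the original page. It parses rows laid out like the ones on the screen above (start port, end port or *ONLY, type, user, optional description), applies the semantics the page describes (an unrestricted port is open to everyone; once a rule covers a port and protocol, only the users named in covering rules may use it), and reports the two things a reviewer would want flagged before saving: rules that touch the 1-1024 range the screen warns about, and exact duplicates. The row spacing, the WEBSRV and QUSER profiles, and the last two sample rows are constructed for the example.

```python
from dataclasses import dataclass

RESERVED_MAX = 1024                 # the screen's own warning: ports 1-1024 may affect TCP/IP processing
VALID_TYPES = {"TCP", "UDP", "*BOTH"}


@dataclass(frozen=True)
class PortRule:
    start: int          # first port in the restricted range
    end: int            # last port in the range (equal to start when the screen shows *ONLY)
    proto: str          # TCP, UDP or *BOTH
    user: str           # user or group profile allowed to use the ports
    description: str = ""

    def protocols(self):
        return ("TCP", "UDP") if self.proto == "*BOTH" else (self.proto,)

    def covers(self, port, proto):
        return self.start <= port <= self.end and proto.upper() in self.protocols()


def parse_rule(line):
    """Parse one screen row: start, end-or-*ONLY, type, user, optional free-form description."""
    parts = line.split(maxsplit=4)
    if len(parts) < 4:
        raise ValueError(f"too few fields in rule: {line!r}")
    start = int(parts[0])
    end = start if parts[1].upper() == "*ONLY" else int(parts[1])
    proto = parts[2].upper()
    if proto not in VALID_TYPES:
        raise ValueError(f"type must be TCP, UDP or *BOTH, got {parts[2]!r}")
    if not 1 <= start <= end <= 65535:
        raise ValueError(f"invalid port range {start}-{end}")
    description = parts[4].strip() if len(parts) == 5 else ""
    return PortRule(start, end, proto, parts[3].upper(), description)


def user_allowed(rules, port, proto, user):
    """Port-restriction semantics: no covering rule means the port is open to all;
    otherwise only users named in a covering rule may use it."""
    covering = [r for r in rules if r.covers(port, proto)]
    if not covering:
        return True
    return any(r.user == user.upper() for r in covering)


def check_rules(rules):
    """Return reviewer warnings: rules inside 1-1024 (the screen's WARNING) and exact duplicates."""
    warnings = []
    seen = set()
    for r in rules:
        if r.start <= RESERVED_MAX:
            warnings.append(f"{r.start}-{r.end} {r.proto} {r.user}: inside reserved range 1-{RESERVED_MAX}")
        key = (r.start, r.end, r.proto, r.user)
        if key in seen:
            warnings.append(f"{r.start}-{r.end} {r.proto} {r.user}: duplicate rule")
        seen.add(key)
    return warnings


# Constructed sample rows: the first three match the entries visible on the screen above,
# the last two are made up to exercise *ONLY, *BOTH and the 1-1024 warning.
SAMPLE_ROWS = [
    "5000  5500  TCP   EVGTST",
    "22222 33333 TCP   EVGTST",
    "22222 33333 UDP   EVGTST",
    "8443  *ONLY *BOTH WEBSRV  HTTPS listener",
    "80    *ONLY TCP   WEBSRV  clashes with the reserved range",
]
SAMPLE_RULES = [parse_rule(row) for row in SAMPLE_ROWS]

if __name__ == "__main__":
    for w in check_rules(SAMPLE_RULES):
        print("WARNING:", w)
    print(user_allowed(SAMPLE_RULES, 5200, "TCP", "EVGTST"))   # True
    print(user_allowed(SAMPLE_RULES, 5200, "TCP", "QUSER"))    # False: 5000-5500 TCP is restricted to EVGTST
    print(user_allowed(SAMPLE_RULES, 5200, "UDP", "QUSER"))    # True: no UDP rule covers 5200
```

The UDP check on port 5200 is the point worth noticing: the screen restricts 5000-5500 for TCP only, so the same port stays open to every user over UDP until a separate UDP or *BOTH rule is added.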

To add new port restrictions, press the F6 key. The Add TCP/IP Port Restriction screen appears, as shown in Adding Firewall Rules for TCP/IP Port Restriction.

To delete port restrictions, enter 4 in the Opt column for the line showing that restriction. The Delete TCP/IP Port Restrictions screen appears, as shown in Deleting Firewall Rules for TCP/IP Port Restriction.