The purpose of this sample filter statement is to demonstrate the proper syntax for creating filter rules on your system and to show you how the various statements work together in a file.
Use them as examples only.
A common filter statement might look like this:
FILTER SET TestFilter ACTION = PERMIT DIRECTION = INBOUND SRCADDR = 162.56.39.100 DSTADDR = * PROTOCOL = * DSTPORT >= 1024 SRCPORT = 80
This filter will permit all traffic entering the interface (INBOUND) that has a source address of 162.56.39.100, a source port of 80, and destination port greater or equal to 1024.
Because IP traffic typically flows both INBOUND and OUTBOUND over a connection, it is common to have two related statements to permit traffic in both directions. These two statements are called mirrors of each other and can be seen in the example that follows:
FILTER SET TestFilter ACTION = PERMIT DIRECTION = INBOUND SRCADDR = 162.56.39.100 DSTADDR = * PROTOCOL = * DSTPORT >= 1024 SRCPORT = 80 FILTER SET TestFilter ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR = * DSTADDR = 162.56.39.100 PROTOCOL = * DSTPORT = 80 SRCPORT >= 1024
You might notice that both of these filter statements have the same set name, TestFilter. All filters with the same set name are considered to be in the same set. You can have any number of filters in a set. When you activate filters within a given set, they are processed in the order in which they appear in the file.
A filter statement alone do not have any effect when you activate rules. You must apply the filter set to a filter interface. An example of applying the set, TestFilter, to an Ethernet line interface is as follows:
FILTER_INTERFACE LINE = ETH237 SET = TestFilter
After you activate these rules, only IP traffic permitted by the TestFilter set will be permitted over ETH237.
The system adds a default DENY ALL TRAFFIC rule to the end of any activated filters on an interface. When you apply rules to the interface through which you are configuring the System i™ platform, it is very important that you permit your own workstation or that of anyone else who might be configuring the system to be connected to the System i platform. Failure to do so causes a loss of communication with the system. You can also apply multiple sets to a filter interface statement such as in the following example:
FILTER_INTERFACE LINE = ETH237 SET = set1, set2, set3
These sets are processed in the same order as you listed them in the filter interface statement (set1, set2, and set3). The filters within each set are processed in the order in which they appear in the file. This means that the ordering of filters between different sets is irrelevant. Filter order matters only when filters are in the same set.