Configuring Incoming IP Address Validation
Syntax of the IP Addresses List
The list of IP addresses is a source table that contains the IP addresses of the workstations allowed to communicate with the CTSGATE that owns the list. An IP address is specified in standard dotted-decimal notation. From 1 through 4 contiguous sections of an IP address, counted from the right, can be replaced by an asterisk. An asterisk in a section turns the entry into a range of IP addresses. For example, 80.56.241.* means the range of IP addresses from 80.56.241.0 through 80.56.241.255.
If this simplified method of specifying a range is too coarse for the range you need, a standard subnet mask can be used instead (see the MASK= examples below).
Each IP address or range of addresses that is allowed to communicate must be preceded by the keyword ALLOW. Each IP address or range of addresses that is prevented from communicating must be preceded by the keyword FORBID.
Note
The first statement of the list must always be ALLOW * or FORBID *. It sets the default for every incoming address that matches no other entry.
An incoming address is checked against the table of IP addresses (in the internal format) to determine whether the connection is to be accepted or rejected. A given address may match multiple, and even conflicting, entries in the table.
Only one entry is used to decide whether the IP address is allowed or forbidden: the entry with the most specific address (the largest mask, see below) is the effective entry. A FORBID of a single address therefore overrides an ALLOW of a range that contains it, and an ALLOW of a single address overrides a FORBID of its range.
The examples provided below demonstrate how a list of IP addresses can be coded:
- The following example allows any IP address, but excludes (forbids) one specific address (81.50.1.241) and a range of addresses (80.56.241.0 through 80.56.241.255):

    ALLOW *             First statement allows any IP
    Forbid 81.50.1.241
    Forbid 80.56.241.*

- The same example may be specified with a subnet mask. For example:

    ALLOW *             First statement allows any IP
    Forbid 81.50.1.241
    Forbid 80.56.241.0, MASK=255.255.255.0

- The following example forbids all IP addresses, allowing only two specific addresses (172.16.241.128 and 81.50.1.241) and a range of addresses (80.56.241.0 through 80.56.241.255):

    FORBID *            First statement forbids any IP
    ALLOW 172.16.241.128
    ALLOW 81.50.1.241
    ALLOW 80.56.241.*

- The following example defines two short ranges of allowed addresses, 172.16.241.0 through 172.16.241.127 and 172.16.241.129 through 172.16.241.255. The single address 172.16.241.128 matches both the ALLOW entry and the FORBID entry; the FORBID entry is the effective one because it is the more specific:

    FORBID *
    ALLOW 172.16.241.*
    FORBID 172.16.241.128

- The following example shows the use of a subnet mask to allow a range of addresses (172.16.240.0 through 172.16.255.255):

    FORBID *
    ALLOW 172.16.240.0, MASK=255.255.240.000

- The following is an example of an ALLOW-type IP list (every address is forbidden except the listed addresses and ranges):

    FORBID *
    ALLOW 172.16.130.151
    ALLOW 172.16.110.*
    ALLOW 172.16.241.*
    ALLOW 80.56.1.*
There is no limit on the number of entries in a list of IP addresses. Apart from the first statement, which must be ALLOW * or FORBID *, the order of ALLOW and FORBID statements is not important, because the most specific matching entry is used regardless of its position in the list.
The source format of an IP list is processed at the initialization of CTSGATE (or when the REFRESH modify command is issued, as shown below) to detect syntax errors.
Both the ALLOW * and the FORBID * statement create the mask 0.0.0.0. The value of a mask, read as a hexadecimal (32-bit) number, defines the degree of specificity: 0.0.0.0 (hexadecimal 00000000) is the least specific and matches every address, an entry such as a.b.c.* corresponds to the mask 255.255.255.0 (hexadecimal FFFFFF00), and a single address has the mask 255.255.255.255 (hexadecimal FFFFFFFF) and is the most specific.
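As an added example that is not part of this page and not BMC's CTSGATE code, the following Python models the rules described above (asterisk ranges, MASK= ranges, the mandatory ALLOW * or FORBID * first statement, and selection of the most specific matching entry) so that a list can be syntax-checked and dry-run offline before it is refreshed into CTSGATE. The sample list and test addresses are constructed for the example. Several points the page does not specify are assumptions here: keywords are case-insensitive, text after the address or mask is a comment, blank lines are ignored, an asterisk is not combined with MASK=, and among equally specific conflicting entries the earlier one wins.

```python
"""Offline model of the CTSGATE IP list rules described above (added
illustration, not BMC's code). Assumed, as the page does not say: keywords
are case-insensitive, text after the address or mask is a comment, blank
lines are ignored, '*' is not combined with MASK=, and among equally
specific conflicting entries the earlier one wins."""
import re

ALL_ONES = 0xFFFFFFFF
# keyword, address, optional ", MASK=a.b.c.d", optional trailing comment
_LINE_RE = re.compile(
    r"^(ALLOW|FORBID)\s+(\S+?)(?:\s*,?\s*MASK\s*=\s*(\S+))?(?:\s+.*)?$", re.I)

def _dotted_to_int(dotted):
    """a.b.c.d -> 32-bit int; leading zeros such as 000 are accepted."""
    sections = dotted.split(".")
    if len(sections) != 4:
        raise ValueError(f"not a dotted-decimal address: {dotted!r}")
    value = 0
    for s in sections:
        if not s.isdigit() or int(s) > 255:
            raise ValueError(f"bad section {s!r} in {dotted!r}")
        value = (value << 8) | int(s)
    return value

def entry_network(addr, mask=None):
    """Return (network, mask) as 32-bit ints: the internal form of one entry."""
    if addr == "*":                      # ALLOW * / FORBID * shorthand
        addr = "*.*.*.*"
    if mask is not None:
        if "*" in addr:                  # assumption: the two forms do not mix
            raise ValueError(f"'*' cannot be combined with MASK=: {addr!r}")
        net, m = _dotted_to_int(addr), _dotted_to_int(mask)
        host_bits = ~m & ALL_ONES        # a standard mask has contiguous ones
        if host_bits & (host_bits + 1):
            raise ValueError(f"not a standard subnet mask: {mask!r}")
        return net & m, m
    sections = addr.split(".")
    if len(sections) != 4:
        raise ValueError(f"not a dotted-decimal address: {addr!r}")
    net = m = 0
    star_seen = False
    for s in sections:                   # '*' allowed only in the right-most sections
        net, m = net << 8, m << 8
        if s == "*":
            star_seen = True
        elif star_seen:
            raise ValueError(f"'*' must occupy the right-most sections: {addr!r}")
        elif not s.isdigit() or int(s) > 255:
            raise ValueError(f"bad section {s!r} in {addr!r}")
        else:
            net, m = net | int(s), m | 0xFF
    return net, m

def parse_ip_list(text):
    """Parse the source member into [(action, network, mask)]; raise on errors."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        match = _LINE_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        action, addr, mask = match.group(1).upper(), match.group(2), match.group(3)
        entries.append((action,) + entry_network(addr, mask))
    if not entries or entries[0][2] != 0:   # ALLOW * / FORBID * have mask 0.0.0.0
        raise ValueError("first statement must be ALLOW * or FORBID *")
    return entries

def check_syntax(text):
    """None if the list is valid, else the message a syntax check would report."""
    try:
        parse_ip_list(text)
    except ValueError as exc:
        return str(exc)
    return None

def effective_entry(entries, ip):
    """Matching entry with the largest mask value; ties keep the earlier entry."""
    a = _dotted_to_int(ip)
    best = None
    for entry in entries:
        _, net, m = entry
        if a & m == net and (best is None or m > best[2]):
            best = entry
    return best                          # never None: the first entry matches all

def is_allowed(entries, ip):
    return effective_entry(entries, ip)[0] == "ALLOW"

# Constructed sample: nested entries of increasing specificity, deliberately
# not in range order, to show that position in the list does not matter.
SAMPLE_LIST = """\
FORBID *               First statement forbids any IP
ALLOW 172.16.241.128
Forbid 172.16.241.*
ALLOW 172.16.240.0, MASK=255.255.240.000
"""

def demo():
    entries = parse_ip_list(SAMPLE_LIST)
    return {ip: is_allowed(entries, ip) for ip in
            ("172.16.250.1", "172.16.241.7", "172.16.241.128",
             "172.16.239.255", "10.0.0.1")}
```

Running demo() shows the three levels of specificity at work: 172.16.250.1 is allowed by the MASK= range, 172.16.241.7 is forbidden because the /24 FORBID beats the /20 ALLOW, and 172.16.241.128 is allowed again because the single-address ALLOW beats both. check_syntax() reports the kind of error (bad section, misplaced asterisk, non-contiguous mask, missing ALLOW */FORBID * first statement) that would otherwise disable the channel at initialization or REFRESH time.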
Location of IP Addresses List
The list of IP addresses must reside in a library allocated by the DAPARM DD statement, under the fixed member name ECAIPLS. A one-character suffix is supported in the member name, for example ECAIPLSx.
Name of the IP Addresses List
The name of the required IP list is specified by the IPLIST channel parameter of CTSGATE, as follows:
IPLIST=ECAIPLSx
As soon as the IPLIST channel parameter is specified in ECAPARM, the ECAIPLSx source member must be present in a library allocated by the DAPARM DD statement.
Modifying the IP Addresses List
The ECAIPLSx source member can be edited by the user. It can be refreshed dynamically by means of the modify command REFRESH=ECAIPLSx, without restarting CTSGATE.
Administration of IP Addresses Validation
- Operations: To refresh the ECAIPLSx source member dynamically, issue the following modify command:

    F <CTSGATE>, REFRESH=ECAIPLSx

  Note
  The IPLIST only controls the establishment of new connections. Refreshing the IPLIST does not affect existing connections, so a connection already established from an address that the refreshed list forbids remains open.
- Administrative features: IP address validation becomes available as soon as:
  - The proper PTF has been applied.
  - A list of IP addresses resides in the library allocated by the DAPARM DD statement.
  - The IPLIST channel parameter is specified in ECAPARM.
- Security requirements: The feature is not mandatory. To enable it, specify the IPLIST=ECAIPLSx channel parameter in the ECAPARM parameters member. When the feature is enabled, the list of IP addresses must exist in a library allocated by the DAPARM DD statement.
- Internal diagnostics: Set TRACE=199 to ON to track processing of the IP list. The ECAIPLSx member is then printed in DAPRENV.
  If the feature is enabled, information about the specific IP list is printed in the DAIGLOG output.
  If the CTSGATE channel is disabled because ECAIPLSx is invalid, the invalid lines detected in ECAIPLSx are displayed.
BIND
The IP address on which IOAGATE listens for incoming connections. If you want IOAGATE to listen on a specific IP address, such as a DVIPA assigned to IOAGATE, use this parameter to identify that IP address.
Use the following syntax:
BIND=INADDR_ANY | IP_address | hostname
where:
- INADDR_ANY instructs IOAGATE to listen for incoming connections on every IP address (adapter) of the system. It does not restrict which remote addresses may connect; that is the job of the IP addresses list described above.
- IP_address or hostname instructs IOAGATE to bind to the given IP_address, or to the IP address obtained by resolving hostname.
Default: INADDR_ANY