Socket Rules

A socket represents either system's side of the connection in a TCP session. In Exit Point Manager, Socket rules can be used to control access to the Listen, Accept, and Connect socket exit points, referred to as socket servers (or just "servers") in Exit Point Manager, which correspond to three different points in the lifecycle of a TCP connection:

  • Listen: When the local system starts to listen for incoming connections, this triggers the Listen socket server. This can be used to detect when a job is started that tries to listen for unexpected traffic. For example, for traffic on the HTTP port, port 80, on a system that is not expected to receive HTTP traffic. See Work with Socket Rules - Listen Server.
  • Accept: When a local system that is listening receives an incoming connection request, this triggers the Accept socket server. This can be used to block or allow access to specific ports from specific IP addresses or address ranges. See Work with Socket Rules - Accept Server.
  • Connect: When a job on the local system tries to connect to another system, this triggers the Connect socket server. This can be used to block or allow access to specific ports for specific IP addresses and also to limit outgoing connections to specific user profiles. See Work with Socket Rules - Connect Server.
NOTE: Refer to Socket-Related User Exit Points in the IBM Knowledge Center for additional details.

The Socket servers are invoked at the beginning of new TCP conversations. They are not invoked for each individual TCP packet that is sent within a connection.

WARNING: Misuse of Socket Rules can render your system unreachable via TCP. Exercise extreme caution when using this feature. Consider adding Socket Rules as not active and testing them using the Socket Rule test feature, and setting them to be not used by that feature and testing the rule set before removing them. If you render your system unreachable via TCP, you will need to access the system via the console in order to fix the rules (or to deactivate the Socket Rule servers).

Socket Rules and Activation

Socket rules are only applied for a server if the server has been activated in Work with Exit Point Manager Activation panel. Use the following table to determine which server to activate.

Socket Rule Server to Activate
Accept server QSOACCEPT
Connect server QSOCONNECT
Listen server QSOLISTEN

See Activating Powertech Exit Point Manager for more details.

Limitations

Like other Exit Point Manager servers, socket servers are only invoked by IBM i jobs. However, some connection processing on IBM i is performed by Licensed Internal Code (LIC) tasks, and since that processing is not accessible to socket servers, socket servers cannot be used to log or control it. The most important example is the initiation of a 5250 Telnet session, which is handled by LIC tasks for performance reasons. Other applications that fall into this category are the IBM i NetServer (the classical file server used on IBM i) and the Server Tools Server, both of which perform initial processing in LIC tasks and therefore cannot be controlled with socket servers.

The Work with Socket Rules panel lets you select the servers to which you want to add or maintain user authority rules.

  1. From the Main Menu, select option 20 to display the Work with Socket Rules panel.
  2. Choose 1 (Listen), 2 (Connect), or 3 (Accept), depending on the socket exit point server you want to manage. The Work with Socket Rules panel appears.
  3. Press F6 to create a new Socket Rule. The Create Socket Rule panel appears.
  4. Enter the following details:
    • Sequence: The sequence number of a Socket Rule determines the order in which it will be evaluated by the exit program, with the lowest sequence number being evaluated first. Socket Rules are evaluated until a match is found.
    • Description: Enter a short, textural description of the Socket Rule.
    • Authority: Enter Y to allow requests and N to reject requests.
    • Audit: Enter Y to log all requests, N to only log authority failures, and * to use the value specified in Work with Security by Server.
    • Message: Enter Y to send a message to the Exit Point Manager message queue, or N to not send a message. Enter * to use the value specified in Work with Security by Server.
    • Capture: Enter Y to capture transactions, or N to not capture transactions. Choose * to use the value specified in Work with Security by Server.
    • Active: Enter Y if you want the rule evaluated by the exit point program, or N if you do not want it evaluated. It can be useful to initially set a Socket Rule as not active in order to test it without enforcing it.
    • Test: Enter Y to indicate you want the rule evaluated by the Socket Rule test facility, or N to indicate you do not want it tested.
  5. Press Enter to create the User Rule.