Socket Rules
A socket represents one system's end of a TCP connection. In Exit Point Manager, socket rules control access to the Listen, Accept, and Connect socket exit points, referred to as socket servers (or just "servers"), which correspond to three points in the lifecycle of a TCP connection:
- Listen: When a job on the local system starts listening for incoming connections, the Listen socket server is invoked. This can be used to detect a job that tries to listen for unexpected traffic, for example a listener on the HTTP port (port 80) on a system that is not expected to serve HTTP. See Work with Socket Rules - Listen Server.
- Accept: When a listening job on the local system receives an incoming connection request, the Accept socket server is invoked. This can be used to block or allow access to specific ports from specific IP addresses or address ranges. See Work with Socket Rules - Accept Server.
- Connect: When a job on the local system tries to connect to another system, the Connect socket server is invoked. This can be used to block or allow outgoing connections to specific ports on specific IP addresses, and also to limit outgoing connections to specific user profiles. See Work with Socket Rules - Connect Server.
The socket servers are invoked at the start of a new TCP connection. They are not invoked for each individual TCP packet sent within an established connection, so a rule decision is made once per connection, not per packet.
Socket Rules and Activation
Socket rules are applied for a server only if that server has been activated in the Work with Exit Point Manager Activation panel. Use the following table to determine which server to activate.
Socket Rule | Server to Activate
---|---
Accept server | QSOACCEPT
Connect server | QSOCONNECT
Listen server | QSOLISTEN
See Activating Powertech Exit Point Manager for more details.
Limitations
Like other Exit Point Manager servers, socket servers are invoked only by IBM i jobs. Some connection processing on IBM i, however, is performed by Licensed Internal Code (LIC) tasks; that processing is not visible to socket servers, so they cannot log or control it. The most important example is the initiation of a 5250 Telnet session, which is handled in LIC tasks for performance reasons. IBM i NetServer (the classic IBM i file server) and the Server Tools Server also perform their initial processing in LIC tasks and therefore cannot be controlled with socket servers; do not rely on socket rules alone to restrict those services.
Adding a Socket Rule
- On the Socket Rules screen, choose Add.
- Enter a name for the rule.
- For Server > Function, click Lookup. Choose the exit point you want to secure.
- Configure the following:
  - Authority: Choose Yes to allow matching requests or No to reject them.
  - Audit: Choose Yes to log all matching requests, No to log only authority failures, or Inherit to use the value specified in Product Configuration.
  - Message: Choose Yes to send a message to the Exit Point Manager message queue, No to send none, or Inherit to use the value specified in Product Configuration.
  - Capture: Choose Yes to capture matching transactions, No to capture none, or Inherit to use the value specified in Product Configuration.
  - Active: Choose Yes if you want the rule evaluated by the exit point program, or No if you do not. A rule set to Active = No is not enforced, which is useful when you first create a rule and want to test it without affecting live connections.
  - Test: Choose Yes to have the rule evaluated by the Socket Rule test facility, or No to leave it out of testing. Combining Active = No with Test = Yes lets you check what a rule would do before enforcing it.
- In the 'Sequence' section, click and drag the rule into the desired position. The list shows the order in which socket rules are evaluated, so the position of a specific rule relative to a broader rule for the same server and port can change the result.
- To define conditions, in the 'Conditions' section, click Add and define the conditions for the socket rule. For details, see Conditions.
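The following is an added illustrative model, not Exit Point Manager code, of how the Listen, Accept and Connect servers described at the top of this page and the rule attributes set in the procedure above fit together. It assumes first-match evaluation in sequence order, a product-wide default Audit value of No, and condition names (port, remote address range, user profile) chosen for the example; the rules and requests are constructed sample data.

```python
"""Model of ordered socket-rule evaluation for the LISTEN, ACCEPT and CONNECT
servers. Added example: field names, first-match semantics and log formats
are assumptions, not the product's own implementation."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class SocketRequest:
    """One socket event as the corresponding server would see it."""
    server: str                 # "LISTEN", "ACCEPT" or "CONNECT"
    port: int                   # local port (LISTEN/ACCEPT) or remote port (CONNECT)
    remote_ip: str = "0.0.0.0"  # peer address; a LISTEN has no peer yet
    user: str = ""              # user profile of the job (relevant to CONNECT)


@dataclass
class SocketRule:
    name: str
    server: str
    authority: bool             # Authority: True = allow, False = reject
    audit: str = "INHERIT"      # Audit: "YES" all, "NO" failures only, "INHERIT"
    active: bool = True         # Active: enforced by the exit program
    test: bool = False          # Test: reported by the test facility only
    # Conditions (assumed names); None means "any value"
    port: Optional[int] = None
    remote_net: Optional[str] = None   # CIDR such as "10.0.0.0/8"
    user: Optional[str] = None

    def matches(self, req: SocketRequest) -> bool:
        if self.server != req.server:
            return False
        if self.port is not None and self.port != req.port:
            return False
        if self.remote_net is not None and \
                ip_address(req.remote_ip) not in ip_network(self.remote_net):
            return False
        if self.user is not None and self.user != req.user:
            return False
        return True


@dataclass
class Decision:
    allowed: bool
    rule: Optional[str]         # name of the deciding rule, None if default applied
    log: List[str] = field(default_factory=list)


PRODUCT_DEFAULT_AUDIT = "NO"    # assumed Product Configuration value


def evaluate(rules: List[SocketRule], req: SocketRequest,
             default_allow: bool = True) -> Decision:
    """Walk rules in sequence order; the first active match decides.
    Rules with Active=No never enforce; with Test=Yes they are reported."""
    d = Decision(allowed=default_allow, rule=None)
    decided_by: Optional[SocketRule] = None
    for rule in rules:
        if not rule.matches(req):
            continue
        if not rule.active:
            if rule.test:
                d.log.append(f"TEST {rule.name} would "
                             f"{'allow' if rule.authority else 'reject'} "
                             f"{req.server} port {req.port} from {req.remote_ip}")
            continue
        decided_by = rule
        d.allowed, d.rule = rule.authority, rule.name
        break
    # Audit: YES logs every request, NO logs only rejections
    audit = decided_by.audit if decided_by else "INHERIT"
    if audit == "INHERIT":
        audit = PRODUCT_DEFAULT_AUDIT
    if audit == "YES" or not d.allowed:
        d.log.append(f"AUDIT {req.server} port {req.port} from {req.remote_ip} "
                     f"user {req.user or '-'}: "
                     f"{'allowed' if d.allowed else 'REJECTED'} by {d.rule or 'default'}")
    return d


# Constructed sample rule set, already in Sequence order
RULES = [
    SocketRule("BLOCK_HTTP_LISTEN", "LISTEN", authority=False, audit="YES", port=80),
    SocketRule("ALLOW_FTP_INTERNAL", "ACCEPT", authority=True, port=21,
               remote_net="10.0.0.0/8"),
    SocketRule("DENY_FTP_OTHER", "ACCEPT", authority=False, port=21),
    SocketRule("ALLOW_DB_SVCDB", "CONNECT", authority=True, port=5432, user="SVCDB"),
    # Not yet enforced: Active=No, Test=Yes shows what it would do
    SocketRule("DENY_DB_OTHER", "CONNECT", authority=False, port=5432,
               active=False, test=True),
]

if __name__ == "__main__":
    for req in (SocketRequest("LISTEN", 80),
                SocketRequest("ACCEPT", 21, "10.1.2.3"),
                SocketRequest("ACCEPT", 21, "203.0.113.7"),
                SocketRequest("CONNECT", 5432, "10.9.9.9", "FRED")):
        d = evaluate(RULES, req)
        print(req, "->", "allow" if d.allowed else "reject", d.rule, d.log)
```

Swapping ALLOW_FTP_INTERNAL and DENY_FTP_OTHER makes the broader deny match first and rejects internal FTP as well, which is the effect the Sequence step is there to control. The DENY_DB_OTHER rule produces only a TEST line and never changes the decision until Active is set to Yes.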