Socket Rules

A socket represents one system's end of a TCP connection. In Exit Point Manager, Socket rules can be used to control access to the Listen, Accept, and Connect socket exit points, referred to as socket servers (or just "servers") in Exit Point Manager. These correspond to three different points in the lifecycle of a TCP connection:

  • Listen: When the local system starts to listen for incoming connections, this triggers the Listen socket server. This can be used to detect when a job is started that tries to listen for unexpected traffic, for example a job listening on the HTTP port (port 80) on a system that is not expected to receive HTTP traffic. See Work with Socket Rules - Listen Server.
  • Accept: When a local system that is listening receives an incoming connection request, this triggers the Accept socket server. This can be used to block or allow access to specific ports from specific IP addresses or address ranges. See Work with Socket Rules - Accept Server.
  • Connect: When a job on the local system tries to connect to another system, this triggers the Connect socket server. This can be used to block or allow access to specific ports for specific IP addresses and also to limit outgoing connections to specific user profiles. See Work with Socket Rules - Connect Server.
NOTE: Refer to Socket-Related User Exit Points in the IBM Knowledge Center for additional details.

The Socket servers are invoked at the beginning of new TCP conversations. They are not invoked for each individual TCP packet that is sent within a connection.

WARNING: Misuse of Socket Rules can render your system unreachable via TCP. Exercise extreme caution when using this feature. Consider adding Socket Rules as not active and testing them with the Socket Rule test feature; before removing a rule, set it to be not used by the test feature and test the remaining rule set. If you render your system unreachable via TCP, you will need to access the system via the console in order to fix the rules (or to deactivate the Socket Rule servers).
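To make the three exit points and the "add as not active, then test" approach concrete, here is an added illustration that is not Exit Point Manager code: a small model of socket rules evaluated at Listen, Accept and Connect, matching on port, remote address range and user profile. The rule fields, the first-match/default-allow behaviour, the "active" flag and the test-only evaluation mode are assumptions for this example and do not mirror the product's real rule format.

```python
# Added example, not Exit Point Manager code. Rule fields, first-match evaluation,
# the default-allow result and the test mode are assumptions for illustration only.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class SocketRule:
    server: str                   # "LISTEN", "ACCEPT" or "CONNECT"
    action: str                   # "ALLOW" or "REJECT"
    port: Optional[int] = None    # None matches any port
    remote: Optional[str] = None  # CIDR such as "10.10.0.0/16"; None matches any address
    user: Optional[str] = None    # user profile (meaningful for CONNECT); None matches any
    active: bool = True           # inactive rules are only considered in test mode

    def matches(self, server, port, remote, user):
        if self.server != server or (self.port is not None and self.port != port):
            return False
        if self.remote is not None:
            if remote is None or ip_address(remote) not in ip_network(self.remote):
                return False
        return self.user is None or self.user == user

def evaluate(rules, server, port, remote=None, user=None, test_mode=False):
    """Return the action of the first matching rule ('ALLOW' when nothing matches).
    With test_mode=True inactive rules are evaluated too, so a staged rule set can
    be checked before it is switched on and can lock the system out."""
    for rule in rules:
        if (rule.active or test_mode) and rule.matches(server, port, remote, user):
            return rule.action
    return "ALLOW"

# Constructed sample rule set: reject HTTP listeners on a box that must not serve
# HTTP, accept port 22 only from the management subnet, and restrict outbound 443
# to one service profile (the catch-all reject is staged as inactive for testing).
RULES = [
    SocketRule("LISTEN", "REJECT", port=80),
    SocketRule("ACCEPT", "ALLOW", port=22, remote="10.10.0.0/16"),
    SocketRule("ACCEPT", "REJECT", port=22),
    SocketRule("CONNECT", "ALLOW", port=443, user="WEBSVC"),
    SocketRule("CONNECT", "REJECT", port=443, active=False),
]

if __name__ == "__main__":
    print(evaluate(RULES, "LISTEN", 80))                                 # REJECT
    print(evaluate(RULES, "ACCEPT", 22, remote="192.0.2.9"))             # REJECT
    print(evaluate(RULES, "CONNECT", 443, user="QUSER"))                 # ALLOW (staged rule ignored)
    print(evaluate(RULES, "CONNECT", 443, user="QUSER", test_mode=True)) # REJECT
```

Because the servers fire once per new connection rather than per packet, a rule set like this is consulted only at connection setup, which is also why a wrong rule shows up immediately as a lost session.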

Socket Rules and Activation

Socket rules are only applied for a server if that server has been activated in the Work with Exit Point Manager Activation panel. Use the following table to determine which server to activate.

  Socket Rule       Server to Activate
  Accept server     QSOACCEPT
  Connect server    QSOCONNECT
  Listen server     QSOLISTEN

See Activating Powertech Exit Point Manager for more details.

Limitations

Like other Exit Point Manager servers, socket servers are only invoked by IBM i jobs. However, some connection processing on IBM i is performed by Licensed Internal Code (LIC) tasks, and since that processing is not accessible to socket servers, socket servers cannot be used to log or control it. The most important example is the initiation of a 5250 Telnet session, which is handled by LIC tasks for performance reasons. Other applications that fall into this category are the IBM i NetServer (the classical file server used on IBM i) and the Server Tools Server, both of which perform initial processing in LIC tasks and therefore cannot be controlled with socket servers.