Dynamic port filtering (DPF) enables you to configure MCP networking so that unwanted TCP and UDP traffic is discarded before it reaches the MCP host. Because frames addressed to closed ports are dropped by the networking devices rather than processed by the host, a port scan or a flood aimed at closed ports cannot consume host resources, which reduces the exposure of the MCP host to denial-of-service attacks.
To discard (filter) unwanted traffic, the MCP tells the networking devices which ports are accepting connections and data. The list of port numbers includes those associated with registered DSSs. The data on these ports is the only data forwarded to the MCP host. All other data is filtered and logged.
To use dynamic port filtering, enter the NW TCPIP OPTION command with the DYNAMICPORTFILTER (DPF) option enabled as follows:
NW TCPIP OPT + DPF
DPF is enabled by default.
To disable DPF, enter the following:
NW TCPIP OPT - DPF
When you enable DPF, a one-line ODT display and log report is generated advising the operator of the total number of frames filtered on a particular interface. In addition, a log-only port filtering report is created that indicates when TCP and UDP messages have been filtered and provides statistics for the traffic that has been filtered. These statistics include the source address, destination address, protocol number, and TCP control flags of the filtered frames. If the frame is not a TCP frame (that is, it is a UDP frame), the TCP control flags are reported as false.
These reports are generated every 3 minutes or whenever the report buffer fills, whichever occurs first. A report is generated only when packets are filtered.
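The following is an added model of the behaviour described above, not Unisys MCP code: an allow-list of announced DSS listener ports per protocol, a filter record per discarded frame (with TCP control flags reported as False for UDP), a per-interface count for the one-line ODT report, and a report that is emitted when the buffer fills or the 3-minute timer expires, but only if frames were actually filtered. The buffer size, record layout, interface name, listener ports, and sample traffic are assumptions made for the example.

```python
"""Model of how MCP dynamic port filtering (DPF) treats inbound frames.

Added illustration, not Unisys MCP code. Only TCP/UDP traffic for ports the
MCP has announced (its registered DSS listeners) is forwarded to the host;
everything else is discarded and logged with source address, destination
address, protocol number and TCP control flags (False for non-TCP frames).
Reports are produced every 3 minutes or when the report buffer fills,
whichever comes first, and only when frames were actually filtered.
The buffer size, record layout and sample traffic are assumptions.
"""
from dataclasses import dataclass

PROTO_TCP = 6            # IANA IP protocol numbers
PROTO_UDP = 17
REPORT_INTERVAL_S = 180  # "every 3 minutes"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    proto: int
    dport: int
    tcp_flags: str = ""  # e.g. "SYN"; not meaningful for UDP


@dataclass(frozen=True)
class FilterRecord:
    """One entry of the log-only port filtering report."""
    src: str
    dst: str
    proto: int
    dport: int
    tcp_flags: "bool | str"  # False for non-TCP, else the TCP control flags


class DynamicPortFilter:
    def __init__(self, enabled=True, buffer_size=64):
        self.enabled = enabled                      # NW TCPIP OPT +/- DPF
        self.listening = {PROTO_TCP: set(), PROTO_UDP: set()}
        self.buffer_size = buffer_size              # assumed; not documented
        self.buffer = []                            # pending filter records
        self.reports = []                           # emitted reports
        self.filtered_per_interface = {}            # feeds the one-line ODT count
        self.last_report_time = 0.0

    def register_dss(self, proto, port):
        """A DSS starts listening: the port is announced to the network devices."""
        self.listening[proto].add(port)

    def deregister_dss(self, proto, port):
        self.listening[proto].discard(port)

    def receive(self, frame, interface, now):
        """Return True if the frame is forwarded to the host, False if filtered."""
        if not self.enabled or frame.proto not in self.listening:
            return True  # DPF off, or a non-TCP/UDP protocol DPF does not cover
        if frame.dport in self.listening[frame.proto]:
            return True
        flags = frame.tcp_flags if frame.proto == PROTO_TCP else False
        self.buffer.append(FilterRecord(frame.src, frame.dst, frame.proto,
                                        frame.dport, flags))
        self.filtered_per_interface[interface] = (
            self.filtered_per_interface.get(interface, 0) + 1)
        if len(self.buffer) >= self.buffer_size:  # buffer full: report now
            self.flush(now)
        return False

    def tick(self, now):
        """Timer service: report if the 3-minute interval has elapsed."""
        if now - self.last_report_time >= REPORT_INTERVAL_S:
            self.flush(now)

    def flush(self, now):
        """Emit a report only if something was filtered since the last one."""
        self.last_report_time = now
        if not self.buffer:
            return None
        report = tuple(self.buffer)
        self.buffer.clear()
        self.reports.append(report)
        return report


def demo():
    """Run constructed sample traffic through the model; returns (dpf, outcomes)."""
    dpf = DynamicPortFilter(buffer_size=3)
    dpf.register_dss(PROTO_TCP, 23)    # assumed listeners: a Telnet DSS ...
    dpf.register_dss(PROTO_UDP, 161)   # ... and an SNMP DSS
    host = "10.0.0.1"
    scan = [Frame("10.0.0.9", host, PROTO_TCP, p, "SYN") for p in (21, 22, 80, 443)]
    legit = [Frame("10.0.0.5", host, PROTO_TCP, 23, "SYN"),
             Frame("10.0.0.5", host, PROTO_UDP, 161)]
    stray = [Frame("10.0.0.9", host, PROTO_UDP, 53)]
    outcomes = [dpf.receive(f, "LAN1", now=t)
                for t, f in enumerate(scan + legit + stray)]
    dpf.tick(now=200)  # 3-minute timer fires: remaining records are reported
    return dpf, outcomes


if __name__ == "__main__":
    dpf, outcomes = demo()
    print("forwarded:", outcomes)
    print("filtered per interface:", dpf.filtered_per_interface)
    for i, report in enumerate(dpf.reports, 1):
        print(f"report {i}:", *report, sep="\n  ")
```

In the sample run the four-port scan fills the three-record buffer after the third frame, so the first report goes out before the timer; the fourth scan frame and the stray UDP datagram are held until the timer expires, and the UDP record carries tcp_flags False as the page describes.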
Note: If IPsec is enabled on a system that does not support IPsec over IPv4, DPF is unable to filter frames.
You can use the NW TCPIP FILTERFRAMES command to interrogate the current status of all port numbers associated with port filtering by entering the following:
NW TCPIP FILTERFRAMES
The following response is displayed:
STATIC PORT FILTERING STATUS: THE FILTERING OF FRAMES WITH THE FOLLOWING <protocol> PORT NUMBERS HAS BEEN <status>: [,...<list of port numbers>]. THE FILTERING OF FRAMES WITH THE FOLLOWING <protocol> PORT NUMBERS HAS BEEN <status>: [,...<list of port numbers>].
The variables are described as follows.
Variable | Description
---|---
<status> | Can be either ENABLED or DISABLED.
<list of port numbers> | Specifies a port number or range of port numbers, or NONE.
<protocol> | Can be either TCP or UDP.
The following is a sample response:
STATIC PORT FILTERING STATUS: THE FILTERING OF FRAMES WITH THE FOLLOWING TCP PORT NUMBERS HAS BEEN ENABLED: NONE. THE FILTERING OF FRAMES WITH THE FOLLOWING UDP PORT NUMBERS HAS BEEN ENABLED: NONE.
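A script that checks filtering status after a change wants the response above in structured form. The following parser is an added example, not Unisys code: the clause layout follows the page's template, while the constructed response containing actual port numbers and the low-high range syntax are assumptions, because the page only states that a range of port numbers may appear.

```python
"""Parse the NW TCPIP FILTERFRAMES response into a structure a script can check.

Added illustration, not Unisys code. The clause layout follows the page's
template; the response with real port numbers and the 'low-high' range
syntax are assumptions made for the example.
"""
import re

_CLAUSE_RE = re.compile(
    r"THE FILTERING OF FRAMES WITH THE FOLLOWING (?P<proto>TCP|UDP) PORT NUMBERS "
    r"HAS BEEN (?P<status>ENABLED|DISABLED): (?P<ports>[^.]*)\."
)


def parse_port_list(text):
    """Expand 'NONE', single ports and assumed 'low-high' ranges into a set."""
    text = text.strip()
    if text == "NONE":
        return set()
    ports = set()
    for item in text.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if not 0 <= lo <= hi <= 65535:
                raise ValueError(f"bad port range: {item}")
            ports.update(range(lo, hi + 1))
        else:
            port = int(item)
            if not 0 <= port <= 65535:
                raise ValueError(f"bad port: {item}")
            ports.add(port)
    return ports


def parse_filterframes(response):
    """Return {'TCP': {'enabled': bool, 'ports': set}, 'UDP': {...}}."""
    if not response.lstrip().startswith("STATIC PORT FILTERING STATUS:"):
        raise ValueError("not a FILTERFRAMES response")
    status = {}
    for m in _CLAUSE_RE.finditer(response):
        status[m["proto"]] = {"enabled": m["status"] == "ENABLED",
                              "ports": parse_port_list(m["ports"])}
    if set(status) != {"TCP", "UDP"}:
        raise ValueError("response is missing a TCP or UDP clause")
    return status


def is_filtered(status, proto, port):
    """True if frames to proto/port are dropped by static port filtering."""
    entry = status[proto]
    return entry["enabled"] and port in entry["ports"]


# The page's own sample (no ports listed) and a constructed one with ports.
PAGE_SAMPLE = ("STATIC PORT FILTERING STATUS: THE FILTERING OF FRAMES WITH THE "
               "FOLLOWING TCP PORT NUMBERS HAS BEEN ENABLED: NONE. THE FILTERING "
               "OF FRAMES WITH THE FOLLOWING UDP PORT NUMBERS HAS BEEN ENABLED: NONE.")
CONSTRUCTED = ("STATIC PORT FILTERING STATUS: THE FILTERING OF FRAMES WITH THE "
               "FOLLOWING TCP PORT NUMBERS HAS BEEN ENABLED: 21, 23, 1024-1027. "
               "THE FILTERING OF FRAMES WITH THE FOLLOWING UDP PORT NUMBERS HAS "
               "BEEN DISABLED: 161.")

if __name__ == "__main__":
    for text in (PAGE_SAMPLE, CONSTRUCTED):
        print(parse_filterframes(text))
```

The parser rejects a response that lacks either protocol clause rather than silently reporting an empty set, so an automation check cannot mistake a truncated ODT response for "nothing is filtered".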
Refer to the Networking Commands and Inquiries Help for additional details on the syntax and usage of this command. Check the Errata for any restrictions or guidelines concerning dynamic port filtering.