By Rich Loeber
Anything that you can do to discourage unwanted access to your IBM i system is a good idea. So, when I heard about Port Restrictions, I immediately thought that it would be a great idea to just shut down all the unused ports on our test box.
Unfortunately, the term "Port Restrictions" is a little misleading in this case. The IBM i OS port restrictions provide a method to reserve a specific port or range of ports to be used by a specific user or group of users. Some may initially think that this is a way to define ports that specific users are NOT allowed to use, but the exact opposite is what happens. When a port restriction is in place, the named users are granted access to the port.
According to IBM documentation, port restrictions are specifically designed for use with end-user custom applications and are NOT intended for use with IBM i OS network functions. For that level of control, you will need to implement an exit point solution such as SafeNet/i from my company, Kisco Information Systems.
If you want to explore using port restrictions, you would do well to review which ports are used by the IBM i OS and carefully avoid implementing any restrictions for those ports. While doing research for this article, we played around with putting in a restriction for FTP on our test box. We restricted port 21 (FTP) to a specific user on our system and then ended and tried to restart FTP on the system. It shut down OK but would not start back up with the new port restriction in place. As soon as we removed the port restriction, FTP started right back up again. We run IBM's security audit journal on this system and the attempt to start FTP with the port restriction in place also generated an Authority Failure entry (AF).
To avoid this kind of problem with normal TCP/IP functions in the IBM i OS, you should review the list of ports used by the OS. Here is a link to a good list of those ports at the IBM i support website:
If you think other port numbers are being used on your system, you can use the NETSTAT command with the *CNN (Connection Status) option to see which port numbers are in use. The display will default to standard port descriptions, but you can use the F14 function key to change the display to show actual port numbers. Look through the list to see if there are any port numbers not on the IBM i OS list. If you are more comfortable using IBM i Access Client Solutions, you can display this information by clicking on Network -> TCP/IP Configuration -> IPv4 -> IPv4 Connections. This interface will default to showing the port numbers right away and you can export a file of the information in CSV format to help with your analysis of the port numbers in use.
If you do want to create a port restriction assigning a port to a specific user profile, use the Add TCP/IP Port Restriction (ADDTCPPORT) command. IBM i documentation for the use of the command can be found here:
Here at Kisco, we have a test IBM i server sitting out on the internet without a firewall so that we can observe bad behavior. Our system is protected by our SafeNet/i software and we find that it is secure as a result. While reviewing the bad behavior on this test system, we see access attempts using the full range of port numbers on a regular basis. These connection attempts are disallowed since there are no applications active on the system looking for traffic on those ports, but if you have applications using specific ports, then you should take a serious look at implementing port restrictions on those port numbers.
If you have questions about details of this tip, feel free to contact me directly by email: rich at kisco.com.