Kisco Systems

IBM i port restrictions

IBM i OS port restrictions provide a method to reserve a specific port or range of ports to be used by a specific user or group of users. When a port restriction is in place, ONLY the named users are granted access. According to IBM documentation, port restrictions are specifically designed for use with end-user custom applications and are NOT intended for use with IBM i OS network functions. For that level of control, you need an exit point solution such as SafeNet/i.

WARNING: using port restrictions can disable services! We restricted port 21 (FTP) to a specific user on our system and then ended and tried to restart FTP on the system. It shut down OK but would not restart. As soon as we removed the port restriction, FTP started up again. The security audit journal logged the FTP startup attempt with the port restriction in place and generated an Authority Failure entry (AF). To avoid this kind of problem with normal TCP/IP functions, review the list of ports used by the OS. Here is a list of ports at the IBM i support website:

https://www.ibm.com/support/pages/tcpip-ports-required-ibm-i-access-and-related-functions

Use the NETSTAT command with the *CNN (Connection Status) option to see which port numbers are in use on your system.

The display will default to standard port descriptions, but you can use the F14 function key to change the display to show actual port numbers. Review the list to see if there are any port numbers not on the IBM i OS list.

Use the Add TCP/IP Port Restriction (ADDTCPPORT) command to create a port restriction.
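The sequence below is an added example, not from the Kisco page or IBM's documentation: it reserves a port range for a custom application, checks the result, and shows how to spot and back out a restriction that breaks a service. The user profile APPSRV and the port range 5500-5510 are constructed for the illustration.

```cl
/* Added example: reserve TCP ports 5500-5510 for the custom application   */
/* user profile APPSRV (profile name and port range are constructed).      */

/* 1. Confirm the ports are not already used by an OS service.            */
/*    NETSTAT *CNN lists current connections; press F14 to see numeric     */
/*    port numbers and compare them with IBM's list of ports used by       */
/*    IBM i services before restricting anything.                          */
NETSTAT OPTION(*CNN)

/* 2. Add the restriction: only APPSRV may use TCP ports 5500-5510.        */
ADDTCPPORT PORT(5500 5510) PROTOCOL(*TCP) USRPRF(APPSRV) +
           TEXT('Reserved for custom application server')

/* 3. Review the restrictions now in place: CFGTCP menu option 4,          */
/*    "Work with TCP/IP port restrictions".                                */
CFGTCP

/* 4. If a job that should be able to use the port fails to start, look    */
/*    for Authority Failure (AF) entries in the security audit journal,    */
/*    as happened with FTP on port 21 in the case described above.         */
DSPJRN JRN(QSYS/QAUDJRN) ENTTYP(AF) OUTPUT(*)

/* 5. Back the restriction out if it turns out to block a needed service. */
RMVTCPPORT PORT(5500 5510) PROTOCOL(*TCP) USRPRF(APPSRV)
```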

TCP/IP connections in IBM Navigator for i

View connections: Network > TCP/IP Configuration > Connections

Work with port restrictions: Network > TCP/IP Configuration > TCP/IP Configuration > Port Restrictions

IBM i documentation for the ADDTCPPORT command can be found here:

https://www.ibm.com/docs/kk/i/7.5?topic=ssw_ibm_i_75/cl/addtcpport.html