Port 443 on iSeries v5r4 is ‘filtered’ to internet clients, even though it is allowed in firewall rules. How can I make it ‘open’?
10-07-2019
Question
Port was filtered by ISP.
The problem is that HTTPS port 443 isn't accessible from the internet, but it is open in our local network. Our iSeries v5r4 is connected to the internet via L2TP without IPSec. If no packet filters are active, nmap shows that ports 25, 80, 110 and even 10322 (WAS admin console) have state 'open' on the internet IP address. 443 has state 'filtered'.
If I activate the following packet rules:
# -----------------------------------------------
# Statements to permit inbound HTTP over STATICIP
# -----------------------------------------------
INCLUDE FILE = /QIBM/UserData/OS400/TCPIP/PacketRules/Services.i3p
FILTER SET HTTP_INBOUND ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR = * DSTADDR = * SERVICE = HTTP_80_FS JRN = OFF
FILTER SET HTTP_INBOUND ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * DSTADDR = * SERVICE = HTTP_80_FC JRN = OFF
FILTER SET HTTP_INBOUND ACTION = PERMIT DIRECTION = OUTBOUND SRCADDR = * DSTADDR = * SERVICE = HTTP_443_FS JRN = OFF
FILTER SET HTTP_INBOUND ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * DSTADDR = * SERVICE = HTTP_443_FC JRN = OFF
FILTER_INTERFACE INTERFACE = STATICIP SET = HTTP_INBOUND
# -----------------------------------------------
port 80 is 'open', 443 is 'filtered'.
How can I make it 'open'?
Solution
Some ISPs filter specific ports, like RoadRunner used to filter my webserver. It'd be odd since 80 isn't filtered, but it's a possibility.
OTHER TIPS
IBM's online documentation about IP filtering and NAT may help solve the problem.
You should configure your firewall to open and close TCP/IP ports.
Each firewall has a list of ports (or port ranges) that are open or closed for traffic. Please consult your firewall/router documentation or consult your system administrator.
Port 443 is the SSL port so it is quite possible that either your firewall or your iSeries has a further filter that needs to be set to allow SSL traffic to it.
Thanks for your answers! Firewall is configured to open ports 80 and 443. But 443 is filtered anyway. Our ISP filters no ports.
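Added example, not part of the original thread: a TCP connect check that reports the same three states nmap shows in the question, so the ports can be compared from the local network and from an outside host to see where 443 stops answering. The function names and the 127.0.0.1 target are assumptions made for illustration.

```python
import errno
import socket

# ICMP "unreachable" errors: a device on the path actively rejected the probe.
UNREACHABLE = {errno.EHOSTUNREACH, errno.ENETUNREACH}


def classify(exc):
    """Map the outcome of a TCP connect() to an nmap-style port state."""
    if exc is None:
        return "open"      # handshake completed: a SYN/ACK came back
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"  # silence: the SYN or its reply was dropped
    if isinstance(exc, ConnectionRefusedError):
        return "closed"    # RST came back: host reachable, no listener
    if isinstance(exc, OSError) and exc.errno in UNREACHABLE:
        return "filtered"  # a filter on the path answered with ICMP
    raise exc              # DNS failure etc. is not a port state


def probe(host, port, timeout=3.0):
    """Attempt one full TCP handshake and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)


def scan(host, ports, timeout=3.0):
    """Return {port: state} for each port in the list."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Constructed target: replace with the address being checked.
    # The port list is the one named in the question.
    ports = [25, 80, 110, 443, 10322]
    for port, state in scan("127.0.0.1", ports, timeout=1.0).items():
        print(f"{port}/tcp {state}")
```

A port that is 'open' from the local network but 'filtered' from outside is being dropped somewhere between the outside client and the server's listener; 'closed' would instead mean the packets arrive but nothing is listening.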