
Configuring Host On-Demand with an IBM firewall

For Host On-Demand services to operate correctly through the IBM SecureWay Firewall (formerly the IBM eNetwork Firewall), the following rules must be present in your filters.cfg file. Each rule reads left to right: the action (permit), the source address and mask, the destination address and mask, the protocol, the source-port operator and port, the destination-port operator and port, then the interface (secure, non-secure or both), the routing type (route, local or both) and the direction (inbound, outbound or both), followed by the logging flag (l=) and the fragment flag (f=). An address of 0 with mask 0 matches any host; a mask of 255.255.255.255 matches exactly one host. Rules are applied in the order they appear, so keep each rule and its acknowledgement counterpart together.


From The World to The World, set the source port to greater than 1023 and the destination port equal to 8999. Add the matching TCP/IP acknowledgement rule: the second line uses the tcp/ack protocol, which matches only TCP packets that carry the ACK flag, so it admits replies from port 8999 to a connection the client opened but not a new connection opened from port 8999 toward the client's high ports. Restrict the IP addresses to specific hosts in production: the example below uses 0 0 (any address) for both ends, so replace the destination with the address and mask of your Host On-Demand server, as the Secure Client examples that follow do for the client side. For example:

# Between The World and The World
# Service : HOD3
# Description : HOD3
permit 0 0 0 0 tcp gt 1023 eq 8999 both both both l=n f=y 
permit 0 0 0 0 tcp/ack eq 8999 gt 1023 both both both l=n f=y

From Secure Client to The World (using direct out), set the source port to greater than 1023 and the destination port equal to 8989, and add the matching TCP/IP acknowledgement (tcp/ack) rule for the return traffic. Here 10.10.10.1 with mask 255.255.255.255 restricts the pair to that single client; the same client appears as the destination in the acknowledgement rule. For example:

# Between Secure Client and The World
# Service : hod2
# Description :
permit 10.10.10.1 255.255.255.255 0 0 tcp gt 1023 eq 8989 both both both l=n f=y
permit 0 0 10.10.10.1 255.255.255.255 tcp/ack eq 8989 gt 1023 both both both l=n f=y 

From The World to The World (the direct out for the Telnet sessions), use the following as an example. This traffic is routed through the firewall rather than terminated on it, so each direction needs a rule on the secure interface and one on the non-secure interface: the client's packets arrive inbound on the secure side and leave outbound on the non-secure side, and the tcp/ack replies take the reverse path. Nothing here permits a Telnet connection opened from the non-secure side toward the secure network:

# Between The World and The World
# Service : Telnet direct out
# Description : Permit Telnet outbound from secure network to non-secure network
permit 0 0 0 0 tcp gt 1023 eq 23 secure route inbound l=n f=y
permit 0 0 0 0 tcp gt 1023 eq 23 non-secure route outbound l=n f=y 
permit 0 0 0 0 tcp/ack eq 23 gt 1023 non-secure route inbound l=n f=y 
permit 0 0 0 0 tcp/ack eq 23 gt 1023 secure route outbound l=n f=y

From Secure Client to The World (the HTTP ports for direct out), use the following as an example. The four rules follow the same secure/non-secure, inbound/outbound pattern as the Telnet rules above, restricted to the single client 10.10.10.1:

# Between Secure Client and The World
# Service : HTTP direct out
# Description : Permit HTTP from secure network directly to non-secure network
permit 10.10.10.1 255.255.255.255 0 0 tcp gt 1023 eq 80 secure route inbound l=n f=y
permit 10.10.10.1 255.255.255.255 0 0 tcp gt 1023 eq 80 non-secure route outbound l=n f=y
permit 0 0 10.10.10.1 255.255.255.255 tcp/ack eq 80 gt 1023 non-secure route inbound l=n f=y
permit 0 0 10.10.10.1 255.255.255.255 tcp/ack eq 80 gt 1023 secure route outbound l=n f=y
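
The easiest way to see what the tcp/ack counterpart of each rule actually buys you is to run packets through a matcher. The following Python is an added example written for this page, not code from IBM or the Host On-Demand product: it parses rules in the filters.cfg syntax shown above and evaluates constructed packets against the Secure Client (port 8989) and Telnet direct-out rules. The field layout, the set of port operators (any, eq, neq, gt, lt, ge, le), first-match evaluation and default deny are this example's reading of the syntax and are stated as assumptions in the code; the addresses 192.0.2.10 and 10.10.10.2 and the ports 1500 and 2000 are made up for the test packets.

```python
"""Evaluate packets against IBM Firewall filter rules in the filters.cfg syntax.

Added example, not from the Host On-Demand or IBM Firewall documentation. Assumes:
  - field order: action src smask dst dmask proto sop sport dop dport iface routing dir l= f=
  - the first matching rule decides; a packet matched by no rule is denied
  - 'tcp/ack' matches only TCP packets with the ACK flag set
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# Constructed rule set, copied from the Secure Client and Telnet direct-out rules above.
SAMPLE_RULES = """\
# Service : hod2
permit 10.10.10.1 255.255.255.255 0 0 tcp gt 1023 eq 8989 both both both l=n f=y
permit 0 0 10.10.10.1 255.255.255.255 tcp/ack eq 8989 gt 1023 both both both l=n f=y
# Service : Telnet direct out
permit 0 0 0 0 tcp gt 1023 eq 23 secure route inbound l=n f=y
permit 0 0 0 0 tcp gt 1023 eq 23 non-secure route outbound l=n f=y
permit 0 0 0 0 tcp/ack eq 23 gt 1023 non-secure route inbound l=n f=y
permit 0 0 0 0 tcp/ack eq 23 gt 1023 secure route outbound l=n f=y
"""


@dataclass(frozen=True)
class Rule:
    action: str
    src: int
    smask: int
    dst: int
    dmask: int
    proto: str
    sop: str
    sport: int
    dop: str
    dport: int
    iface: str
    routing: str
    direction: str


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # 'tcp', 'udp', 'icmp'
    sport: int
    dport: int
    ack: bool         # TCP ACK flag; False for the SYN that opens a connection
    iface: str        # 'secure' or 'non-secure': the adapter the packet crosses
    routing: str      # 'route' (forwarded through) or 'local' (to/from the firewall itself)
    direction: str    # 'inbound' or 'outbound' on that adapter


def _addr(s: str) -> int:
    """'0' is the wildcard address/mask in this syntax; anything else is a dotted quad."""
    return 0 if s == "0" else int(IPv4Address(s))


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        f = line.split()
        if len(f) < 13 or f[0] not in ("permit", "deny"):
            raise ValueError(f"unrecognised rule: {raw!r}")
        rules.append(Rule(f[0], _addr(f[1]), _addr(f[2]), _addr(f[3]), _addr(f[4]),
                          f[5], f[6], int(f[7]), f[8], int(f[9]), f[10], f[11], f[12]))
    return rules


def _port_ok(op: str, ref: int, port: int) -> bool:
    return {"any": True, "eq": port == ref, "neq": port != ref, "gt": port > ref,
            "lt": port < ref, "ge": port >= ref, "le": port <= ref}[op]


def matches(rule: Rule, pkt: Packet) -> bool:
    # Address match is (packet & mask) == (rule & mask); mask 0 therefore matches anything.
    if (_addr(pkt.src) & rule.smask) != (rule.src & rule.smask):
        return False
    if (_addr(pkt.dst) & rule.dmask) != (rule.dst & rule.dmask):
        return False
    if rule.proto == "tcp/ack":                   # reply traffic only: ACK flag required
        if pkt.proto != "tcp" or not pkt.ack:
            return False
    elif rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if not (_port_ok(rule.sop, rule.sport, pkt.sport) and _port_ok(rule.dop, rule.dport, pkt.dport)):
        return False
    for want, have in ((rule.iface, pkt.iface), (rule.routing, pkt.routing), (rule.direction, pkt.direction)):
        if want != "both" and want != have:
            return False
    return True


def decide(rules: List[Rule], pkt: Packet) -> Tuple[Optional[int], str]:
    """Return (index of the first matching rule, its action); no match means the firewall drops the packet."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return i, rule.action
    return None, "deny"


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    syn = Packet("10.10.10.1", "192.0.2.10", "tcp", 1500, 8989, False, "secure", "route", "inbound")
    reply = Packet("192.0.2.10", "10.10.10.1", "tcp", 8989, 1500, True, "non-secure", "route", "inbound")
    spoof = Packet("192.0.2.10", "10.10.10.1", "tcp", 8989, 1500, False, "non-secure", "route", "inbound")
    for name, p in (("client SYN", syn), ("server reply", reply), ("outside SYN from port 8989", spoof)):
        print(f"{name}: {decide(rules, p)}")
```

The third packet is the one the tcp/ack rule exists for: it has the right addresses and ports for the acknowledgement rule, but without the ACK flag it is a new connection from the outside toward a high port on the client, and it falls through to the default deny.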