General Information on Services

Services are a collection of rules or a set of instructions to permit or deny a particular type of traffic through the Firewall, for example, a telnet session. Services figure prominently when defining connections. They specify the type of traffic that can or cannot take place between network objects. The IBM Firewall comes preloaded with a default set of services. You can add to services by using the rule templates to create new rules.

The figure below illustrates how services are composed of rule templates and how they can become part of a connection configuration.

Further Information

Controlling Traffic Through the Firewall
Examples of Services: Proxy Telnet
Examples of Services: Routed Telnet
Examples of Services: Proxy HTTP

Service Name

Enter the service name. The service name must NOT contain a pipe symbol (|), a single quote (apostrophe) character ('), or a double quote character ("), because these are used as SMIT/smitty and file delimiters. Using these characters will result in unreliable data.

Description

This field is optional and is provided in case you want to provide a comment or additional information about this item.

Override Log Control

The Override Log Control field provides a means of overriding the Log Control setting in the rule templates that have been selected for this service. For example, if you include a set of rule templates that ordinarily have Log Control set to "no", you can override this setting to be "yes" for the purposes of this service.

Note that the override setting will act on all of the rules in this service.

In the Override Log Control field, enter one of the following choices:

When a log record is written for a filter rule, the values shown in the log record are the actual values from the IP packet. Logging matched filter rules can provide valuable information about the content of IP packets seen by the Firewall, e.g., the actual protocol and port numbers.

Override Frag. Control

The Override Fragmentation Control field provides a means of overriding the Fragmentation Control setting in the rule templates that have been selected for this service. For example, if you include a set of rule templates that ordinarily have Fragmentation Control set to "no", you can override this setting to be "yes" for the purposes of this service.

Note that the override setting will act on all of the rules in this service.

In the Override Frag. Control field, enter one of these:

Override Tunnel ID

The Override Tunnel ID field provides a means of overriding the Tunnel ID setting in the rule templates that have been selected for this service. For example, if you include a set of rule templates that ordinarily have no Tunnel Setting, you can override this setting to include a Tunnel ID for all of the rules in this service. If you leave the field blank, override is turned off. The settings in the rules themselves still apply.

In the Tunnel ID field, enter t=number, where number is the tunnel context identifier assigned when the tunnel was created with the fwgenctx or fwchgctx commands. The number must be in the range 1 to 999999. The value zero (0) is reserved to mean no tunnel. Alternatively, you can select a tunnel by pressing the "Select" button.

Select

Press the "Select..." button to access a list of defined objects that are valid for this function.

Control By Time of Day

Click "Control By Time of Day" if you would like this service to be activated or deactivated according to begin and end times during the day. Use 24-hour (military) time format. If "Control By Days" is not enabled, the Time of Day fields will be in effect every day.

Note that whether a service is activated or deactivated depends on the value of the "Time Control Action" field.


Control By Days

Click "Control By Days" if you would like for this service to be activated or deactivated according to a schedule based upon either week days or calendar dates.

Note that whether a service is activated or deactivated depends on the value of the "Time Control Action" field.


Time Control Action

Choose "Activate Service During Specified Times" if you want this service to be activated during the specified times. This service will be deactivated during the times outside of those specified.

Choose "Deactivate Service During Specified Times" if you want this service to be deactivated during the specified times. This service will be activated during the times outside of those specified.
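The two Time Control Action choices invert each other's meaning for the same schedule. The following is an added illustration, not part of the IBM Firewall help or its code: a small model of how a service's Time of Day window, optional Control By Days, and Time Control Action combine to decide whether the service is active at a given moment. The midnight wrap-around handling is an assumption; the help text does not describe it.

```python
from datetime import datetime, time

ACTIVATE = "Activate Service During Specified Times"
DEACTIVATE = "Deactivate Service During Specified Times"

def in_time_window(when: datetime, begin: time, end: time) -> bool:
    # Control By Time of Day: begin and end are 24-hour clock times. A window whose end is
    # earlier than its begin is treated as wrapping past midnight (an assumption; the help
    # text does not say how the firewall handles that case).
    t = when.time()
    if begin <= end:
        return begin <= t <= end
    return t >= begin or t <= end

def in_schedule(when: datetime, begin: time, end: time, days=None) -> bool:
    # Control By Days: `days` is a set of weekday numbers (Monday=0). When it is None the
    # option is not enabled and the Time of Day window is in effect every day.
    if days is not None and when.weekday() not in days:
        return False
    return in_time_window(when, begin, end)

def service_active(when: datetime, action: str, begin: time, end: time, days=None) -> bool:
    # Time Control Action decides what being inside the schedule means for the service.
    inside = in_schedule(when, begin, end, days)
    if action == ACTIVATE:
        return inside          # active only during the specified times
    if action == DEACTIVATE:
        return not inside      # active only outside the specified times
    raise ValueError(f"unknown Time Control Action: {action!r}")
```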


Rule Objects

These are the combination of Rule Templates that are to be associated with this Service. The order of the rules is important. The order of the rules here will be the order of the rules as they are written to the rule base file, and therefore will be the order by which the Firewall will evaluate traffic datagrams. Usually, for example, "Deny" rules are placed above "Permit" rules since you want to filter out non-secure/unauthorized datagrams before evaluating whether a datagram should be permitted.

Click "Select" and choose from the list of rules available. You can select more than one rule.

Note: The same rule can appear more than once in this list, because an administrator may want to use the same rule template twice with a different value in the "Flow" field. Use caution when selecting rule templates so that you do not add the same template more times than you intended.

Flow Icons

Left to Right indicates that the Source and Destination of the Connection will get written directly to the rule as it is written into the Rule Base File.
Right to Left indicates that the Source and Destination of the Connection will be reversed when it is written to the Rule Base File.

Remove

Press the "Remove" button to eliminate a selected item from this list. This action will only remove the item from this list. This action will have no effect on other places where this item is defined.

Move Up (Service Panel)

Select an item in the list and click "Move Up" to raise the item's relative position in the list. Each click will cause the item to move up one position. Order on this list is important. The order here will be the order of the rules as they are written to the rule base file, and therefore will be the order by which the Firewall will evaluate traffic datagrams. Usually, for example, "Deny" rules are placed above "Permit" rules since you want to filter out non-secure/unauthorized datagrams before evaluating whether a datagram should be permitted.

Move Down (Service Panel)

Select an item in the list and click "Move Down" to lower the item's relative position in the list. Each click will cause the item to move down one position. The order of the rules is important. The order of the rules here will be the order of the rules as they are written to the rule base file, and therefore will be the order in which the Firewall evaluates traffic datagrams. Usually, for example, "Deny" rules are placed above "Permit" rules since you want to filter out non-secure/unauthorized datagrams before evaluating whether a datagram should be permitted.

Flow

This button is a toggle that determines how the Source and Destination values of the Connection are assigned to the filters as they are written to the Rule Base File. To reverse the flow of a rule in this list, select the rule and click "Flow".

Left to Right indicates that the Source and Destination of the Connection will get written directly to the rule as it is written into the Rule Base File.
Right to Left indicates that the Source and Destination of the Connection will be reversed when it is written to the Rule Base File.
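The following is an added, constructed model (not the IBM Firewall's code or its rule base file format) of the two points made in the Rule Objects and Flow sections: how a service's ordered rule templates, their Flow setting, and the service-level Override fields expand into rule base entries for one connection, and why top-down first-match evaluation makes "Deny" before "Permit" ordering matter. The field names, the dictionary entry layout, and the implicit deny when nothing matches are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

LEFT_TO_RIGHT = "Left to Right"
RIGHT_TO_LEFT = "Right to Left"

@dataclass
class RuleTemplate:
    name: str
    action: str                # "permit" or "deny"
    protocol: str
    dport: Optional[int]       # destination port the template matches; None = any
    log: str = "no"            # Log Control
    frag: str = "no"           # Fragmentation Control
    tunnel: int = 0            # Tunnel ID; 0 means no tunnel

@dataclass
class Service:
    name: str
    rules: list                # (RuleTemplate, flow) pairs in evaluation order
    override_log: Optional[str] = None
    override_frag: Optional[str] = None
    override_tunnel: Optional[int] = None   # None = override turned off

def write_rule_base(service: Service, source: str, destination: str) -> list:
    # Expand the service into rule-base entries for one connection. Flow decides whether
    # the connection's Source/Destination are copied as-is or reversed, and each Override
    # field, when set, replaces the template's own setting on every rule in the service.
    entries = []
    for tmpl, flow in service.rules:
        src, dst = (source, destination) if flow == LEFT_TO_RIGHT else (destination, source)
        entries.append({
            "rule": tmpl.name, "action": tmpl.action, "protocol": tmpl.protocol,
            "src": src, "dst": dst, "dport": tmpl.dport,
            "log": service.override_log if service.override_log is not None else tmpl.log,
            "frag": service.override_frag if service.override_frag is not None else tmpl.frag,
            "tunnel": service.override_tunnel if service.override_tunnel is not None else tmpl.tunnel,
        })
    return entries

def evaluate(entries: list, packet: dict) -> tuple:
    # Top-down, first match wins: the reason "Deny" rules are placed above "Permit" rules.
    for e in entries:
        if (e["protocol"] == packet["protocol"] and e["src"] == packet["src"]
                and e["dst"] == packet["dst"] and e["dport"] in (None, packet["dport"])):
            return e["action"], e["rule"]
    return "deny", "no matching rule"   # nothing matched; treated as denied (assumption)
```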


OK

Press the "OK" button to save changes and close the window.

Cancel

Press the "Cancel" button to close the window without saving any changes.