What configuration will allow XCOM traffic to pass through a firewall?

Article ID: 56317

Products

  • XCOM Data Transport
  • XCOM Data Transport - Windows
  • XCOM Data Transport - Linux PC
  • XCOM Data Transport - z/OS

Issue/Introduction

Does XCOM require firewalls to be opened?

Environment

  • XCOM™ Data Transport® for z/OS
  • XCOM™ Data Transport® for Windows
  • XCOM™ Data Transport® for UNIX/Linux PC

Resolution

The firewall must allow TCP connections to destination IP address = any and destination port = 8044, or whatever port your XCOM servers are configured to listen on. You cannot filter on the incoming (source) socket, because it is random: when the partner XCOM starts a transfer it requests a socket from its own IP stack, and the stack hands back the next available port. XCOM has no way of predicting which port and which local address will make up that socket. This is the same way many other TCP-based applications behave.

Walking through how XCOM obtains a socket, opens it and establishes a TCP session when it starts a transfer makes clear why a firewall filter for XCOM traffic can only be written one way.

Example:
When XCOM processes a locally initiated IP transfer:

  • It requests the "next available socket" from the IP stack through a system call (Get Socket). It cannot ask TCP/IP for a specific socket.
  • Assume the IP stack returns successfully with a socket identifier whose port number is 1546.
  • Using that port/socket, the next step is to open the socket.
  • If the open succeeds, XCOM requests a TCP session with the remote partner.

This means the connection request is always addressed to the remote IP address on port 8044, and is sent from the local IP address on whatever port the local stack made available.
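The four steps above, as an added Python example (not XCOM's own code or the article's): a loopback listener stands in for the remote XCOM's served port, and each locally initiated "transfer" is a plain connect() with no bind(), so the IP stack chooses the local port exactly as the article describes. The 127.0.0.1 addresses and the listener's OS-assigned port are assumptions so the script runs offline; a real XCOM listens on 8044.

```python
import socket


def start_listener(port=0):
    """Stand-in for the remote XCOM's served port. Port 0 asks the OS for any
    free port so the example runs anywhere (assumption; XCOM itself uses 8044)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    return srv


def initiate_transfer(served_port):
    """Locally initiated transfer: get a socket, open it, connect to the partner's
    served port. No bind() is issued, so the IP stack picks the local port."""
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.connect(("127.0.0.1", served_port))
    local_ip, local_port = cli.getsockname()    # what the stack handed us
    remote_ip, remote_port = cli.getpeername()  # always the served port
    return cli, {"local": (local_ip, local_port), "remote": (remote_ip, remote_port)}


def demo(n=3):
    """Open n concurrent transfers and report the socket pairs in use.
    Returns (served_port, [info for each transfer])."""
    srv = start_listener()
    served_port = srv.getsockname()[1]
    open_pairs, results = [], []
    for _ in range(n):
        cli, info = initiate_transfer(served_port)
        conn, _ = srv.accept()
        open_pairs.append((cli, conn))   # keep all n open at once
        results.append(info)
    for cli, conn in open_pairs:
        cli.close()
        conn.close()
    srv.close()
    return served_port, results


if __name__ == "__main__":
    port, infos = demo()
    print(f"served port: {port}")
    for i in infos:
        print(f"  local {i['local'][0]}:{i['local'][1]} -> remote {i['remote'][0]}:{i['remote'][1]}")
```

Every transfer lands on the same destination port, while the local port differs for each concurrent connection because the stack must keep each address/port pair unique; that is the value a firewall rule cannot be pinned to.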

Additional Information

Running the netstat command on <local host> while two transfers are active shows:

--------------------------------------------------------------
 Active Connections
   Proto  Local Address     Foreign Address         State
   TCP    <local host>:1546 <remote host>:8044      ESTABLISHED
   TCP    <local host>:8044 <remote host>:3062      ESTABLISHED
--------------------------------------------------------------

The netstat output above shows two active transfers. One was initiated locally on <local host> and set up a TCP session to <remote host>:8044; at the same time a completely separate transfer ran from <remote host> against <local host>. Note that <remote host> was handed a different "next available" socket/port value (3062) by its own stack, and that connection is in session with the served port 8044 on <local host>.

Based on the above, the only way to filter traffic at a firewall and still let every XCOM transfer through is to allow TCP session establishment to destination port 8044. You can additionally add rules that permit only specific, valid source IP ranges, but under no circumstances can you write a rule for the local (source) socket/port. That port is always requested from the local IP stack and its value is random.
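To show how the three rule shapes discussed above behave against the two transfers in the netstat listing, here is an added Python example (not code from the article or from XCOM). It parses netstat-style rows, reconstructs the opening SYN of each connection as the firewall would have seen it, and checks it against a rule. The addresses 10.0.0.5 (for <local host>) and 10.0.1.9 (for <remote host>) and the 10.0.0.0/16 range are constructed placeholders; the rule model is a simplification of a real firewall policy.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample modelled on the article's netstat listing (placeholders
# substituted for <local host> and <remote host>).
NETSTAT_SAMPLE = """\
 Active Connections
   Proto  Local Address     Foreign Address         State
   TCP    10.0.0.5:1546     10.0.1.9:8044           ESTABLISHED
   TCP    10.0.0.5:8044     10.0.1.9:3062           ESTABLISHED
"""

XCOM_PORT = 8044  # the served port from the article; change if you use another


@dataclass(frozen=True)
class Connection:
    local_ip: str
    local_port: int
    foreign_ip: str
    foreign_port: int
    state: str


LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Extract the TCP rows from netstat-style output (Windows layout above)."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append(Connection(m.group(1), int(m.group(2)),
                                    m.group(3), int(m.group(4)), m.group(5)))
    return conns


def initial_packet(conn, served_port=XCOM_PORT):
    """Reconstruct (src_ip, src_port, dst_ip, dst_port) of the connection's opening
    SYN. The side holding the served port is the listener; the other side sent it."""
    if conn.foreign_port == served_port:   # locally initiated transfer
        return (conn.local_ip, conn.local_port, conn.foreign_ip, conn.foreign_port)
    if conn.local_port == served_port:     # remotely initiated transfer
        return (conn.foreign_ip, conn.foreign_port, conn.local_ip, conn.local_port)
    raise ValueError(f"neither side uses served port {served_port}: {conn}")


def rule_permits(rule, packet):
    """Simplified allow rule: each field is optional and a missing field means 'any'."""
    src_ip, src_port, dst_ip, dst_port = packet
    if "dst_port" in rule and rule["dst_port"] != dst_port:
        return False
    if "src_port" in rule and rule["src_port"] != src_port:
        return False
    if "src_net" in rule and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["src_net"]):
        return False
    return True


def evaluate(rule, text=NETSTAT_SAMPLE, served_port=XCOM_PORT):
    """Map every transfer in the netstat text to whether the rule would let its SYN through."""
    return {c: rule_permits(rule, initial_packet(c, served_port)) for c in parse_netstat(text)}


# The rule shape the article endorses: any source, destination port 8044.
RULE_DST_ONLY = {"dst_port": XCOM_PORT}
# The same, tightened to a valid source range, which the article also allows.
RULE_DST_AND_RANGE = {"dst_port": XCOM_PORT, "src_net": "10.0.0.0/16"}
# Pinning the ephemeral source port: works for one transfer by luck, fails the next.
RULE_PINNED_SRC = {"dst_port": XCOM_PORT, "src_port": 1546}

if __name__ == "__main__":
    for name, rule in [("dst-only", RULE_DST_ONLY),
                       ("dst+range", RULE_DST_AND_RANGE),
                       ("pinned-src", RULE_PINNED_SRC)]:
        verdicts = evaluate(rule)
        print(f"{name:11s}", ["allow" if ok else "DROP" for ok in verdicts.values()])
```

The pinned-source rule passes the first transfer only because 1546 happened to be the port the stack handed out that time; the second transfer, arriving from port 3062, is dropped. The two destination-port rules pass both, which is the behaviour the article describes.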