Recently the network auditor found a security hole on port 50000. Port 50000 is used by db2.
When I enter the command "netstat -Aan |grep 50000", it shows some established connections, all of which are db2 processes.
I have asked the application team and they answered that the port 50000 connection is needed only on the local machine. They want the local machine to be allowed access to this port, while all other connections not from the local machine are blocked.
I tried to use IP security to block connections to port 50000, below are the filter rules:
1 *** Dynamic filter placement rule for IKE tunnels *** no
2 deny 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 eq 50000 both both no all packets 0 en0 0 none
3 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both no all packets 0 all 0 none
After activating this IP filter, I tried using another machine to test the connection to this port with the command "telnet <IP> 50000". If IP security is functioning properly, I should not be able to connect, but the result showed that I can still connect.
I tried changing the port from 50000 to 21 and ran the telnet test again. This time it behaves properly: I cannot telnet from the remote machine to port 21, but I can telnet to localhost port 21. I expect to get this result with port 50000 as well.
Is there any error in my IP filter settings? Please help!!
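As an added illustration that is not part of the original post and not the AIX filter implementation itself, here is a small first-match simulation in Python of the rule table above. It models rules 2 and 3 as posted (deny destination port 50000 on en0, then permit everything on all interfaces) and, alongside them, a constructed variant that permits port 50000 only when the packet arrives on the loopback interface and denies it on every other interface. Interface names (en0, lo0), the documentation-range addresses, the "no match means deny" default, and the assumption that a local client's traffic to the host's own address arrives on lo0 are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

# Minimal model of a first-match packet filter in the spirit of the AIX
# lsfilt table in the post. Constructed for illustration only: it models
# rule ordering and matching, not the AIX kernel implementation.


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src: IPv4Network     # source address/mask; 0.0.0.0/0 means any
    dst: IPv4Network     # destination address/mask
    proto: str           # "all" or a specific protocol such as "tcp"
    dport_op: str        # "any", "eq", "ne", "lt", "gt"
    dport: int           # destination port the operator applies to
    interface: str       # "all" or a specific interface such as "en0"


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int
    interface: str       # interface the packet arrives on ("lo0" = loopback)


def port_matches(op: str, want: int, got: int) -> bool:
    """Apply a filter port operator (any/eq/ne/lt/gt) to a packet's port."""
    if op == "any":
        return True
    return {
        "eq": got == want,
        "ne": got != want,
        "lt": got < want,
        "gt": got > want,
    }[op]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (
        pkt.src in rule.src
        and pkt.dst in rule.dst
        and rule.proto in ("all", pkt.proto)
        and port_matches(rule.dport_op, rule.dport, pkt.dport)
        and rule.interface in ("all", pkt.interface)
    )


def evaluate(rules, pkt: Packet) -> str:
    """First matching rule wins; no match is treated as deny (assumption)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "deny"


ANY = IPv4Network("0.0.0.0/0")

# Rules 2 and 3 from the post, as this model represents them.
POSTED_RULES = [
    Rule("deny", ANY, ANY, "all", "eq", 50000, "en0"),
    Rule("permit", ANY, ANY, "all", "any", 0, "all"),
]

# Constructed variant (not from the post): permit port 50000 only on the
# loopback interface, deny it on every interface after that, then permit
# the rest. The deny no longer depends on which interface remote traffic
# arrives on.
EXPLICIT_RULES = [
    Rule("permit", ANY, ANY, "tcp", "eq", 50000, "lo0"),
    Rule("deny", ANY, ANY, "tcp", "eq", 50000, "all"),
    Rule("permit", ANY, ANY, "all", "any", 0, "all"),
]

# Constructed sample packets; 192.0.2.0/24 is a documentation range.
HOST = IPv4Address("192.0.2.5")
REMOTE = IPv4Address("192.0.2.10")
LOCALHOST = IPv4Address("127.0.0.1")
REMOTE_TO_DB2 = Packet(REMOTE, HOST, "tcp", 50000, "en0")
LOCAL_TO_DB2 = Packet(LOCALHOST, LOCALHOST, "tcp", 50000, "lo0")
# Local client talking to the host's own en0 address; assumed to arrive
# on lo0 rather than en0, so it must not be caught by the deny rule.
LOCAL_VIA_HOST_ADDR = Packet(HOST, HOST, "tcp", 50000, "lo0")
REMOTE_TO_SSH = Packet(REMOTE, HOST, "tcp", 22, "en0")


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("explicit", EXPLICIT_RULES)):
        for pkt in (REMOTE_TO_DB2, LOCAL_TO_DB2, LOCAL_VIA_HOST_ADDR, REMOTE_TO_SSH):
            print(f"{name:8} {pkt.src}->{pkt.dst}:{pkt.dport} on {pkt.interface}: "
                  f"{evaluate(rules, pkt)}")
```

In this model the posted table already denies a remote connection to port 50000 arriving on en0 and permits the loopback connection, which is the intended behaviour; the model says nothing about why the real system still accepted the telnet, only what the rules as written are supposed to do. The explicit variant is the ordering a practitioner would normally prefer: the narrow permit for loopback first, the deny for the port on all interfaces second, and the catch-all permit last, so the protection does not silently vanish if the traffic reaches the host through an interface other than en0.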