IBM Support

How does the RESTRICTLOWPORTS parameter enhance TCP and UDP security?

Question & Answer


Question

How does the RESTRICTLOWPORTS parameter on the UDPCONFIG or TCPCONFIG profile statements work to enhance security?

Answer

Port numbers 1-1024 are generally considered to be 'well-known' ports and are reserved for use by servers (ports 721-731 are an exception, used by LPR clients; see RFC 1179). When RESTRICTLOWPORTS is enabled, any attempt to use one of these ports must satisfy one of three conditions: the application has an explicit PORT statement, the request comes from an authorized program, or the request runs under the authority of a user ID with the superuser attribute.

For port numbers above 1024, you should specify a PORT (or PORTRANGE) statement for every server in use on this system. The RESERVED keyword can be used on such a statement to explicitly prevent any use of that port.

Starting in z/OS 1.10, there is a new UNRSV keyword on the PORT statement. It applies to all port numbers above 1024 that are not otherwise listed, and prevents any attempt to bind directly to those ports unless the bind is permitted (by job name or by SAF profile). The only remaining valid use of these ports by other applications is when TCP/IP assigns one as an ephemeral port.
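The following PROFILE.TCPIP fragment is an added example (not from the original answer) that puts the statements above together: RESTRICTLOWPORTS on both TCPCONFIG and UDPCONFIG, explicit PORT and PORTRANGE reservations for the servers that need them, RESERVED for a port that nobody may use, and UNRSV to deny direct binds to unlisted ports. The job names FTPD1, TN3270, NAMED and MYAPP and the port 4000-4099 range are assumed placeholders for this example.

```text
; --- added example: low-port and unreserved-port protection ---
TCPCONFIG RESTRICTLOWPORTS
UDPCONFIG RESTRICTLOWPORTS
PORT
     21 TCP FTPD1 NOAUTOLOG   ; FTP control port, assumed FTP server job name
     23 TCP TN3270            ; TN3270 server, assumed job name
     53 UDP NAMED             ; DNS resolver, assumed job name
   1025 TCP RESERVED          ; no application may use this port
  UNRSV TCP * DENY            ; deny direct binds to unlisted TCP ports
  UNRSV UDP * DENY            ; deny direct binds to unlisted UDP ports
; assumed application range above 1024, reserved for job MYAPP
PORTRANGE 4000 100 TCP MYAPP
```

With this profile, a job other than MYAPP that tries to bind explicitly to, say, port 4500 is denied, while connections that let TCP/IP pick an ephemeral port continue to work.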


Product Synonym

ZOSCS COMMSERVER

Document Information

Modified date:
20 February 2017

UID

dwa1212303