As rules are loaded from the rules file into the TCPIPSECURITY library, they are placed in one of two lists—a deny list and an allow list—based on their rule disposition (deny or allow). When access requests are evaluated, they are processed in a specific order as noted in the following list.
1. Deny rules in the deny list are checked. If a match is found, the process is terminated and access is denied. If a match is not found, the system continues to step 2.
2. Allow rules in the allow list are checked. If a match is found, the process is terminated and access is granted. If a match is not found, the system continues to step 3.
3. No deny rule and no allow rule matched. Access is denied by default.
Because deny rules are evaluated first, care must be taken when generating allow rules so that their access attributes do not overlap the access attributes specified in any of the deny rules; for any request that matches a deny rule, an overlapping allow rule is never reached and cannot grant access.
Note that rules are not evaluated in the order that they appear in the rules file. Also note that access must be explicitly granted with an allow rule; otherwise, access is denied by default.
During the evaluation process, rules match if each field in the rule exactly matches each corresponding field in the access request. Note that a null (empty) field in a rule indicates a “don't care” condition and matches any value in the corresponding access request. The absence of a rules file denies access for all traffic if the TCPIPSECURITY library has been established with the SL (System Library) system command.
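The evaluation order and matching semantics described above, as an added example that is not part of the original page or of the TCPIPSECURITY library itself; the field names (process, remote_addr, port) and the sample rules are constructed assumptions, since the page does not show the real rule layout:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical field names; the real TCPIPSECURITY rule layout is not shown on this page.
Fields = Dict[str, Optional[str]]  # None models a null (empty) rule field

@dataclass
class Rule:
    disposition: str  # "deny" or "allow"
    fields: Fields

    def matches(self, request: Dict[str, str]) -> bool:
        # A null field is "don't care"; every other field must match exactly.
        return all(v is None or v == request.get(k) for k, v in self.fields.items())

    def overlaps(self, other: "Rule") -> bool:
        # Two rules can match the same request if no field forces different values.
        keys = set(self.fields) | set(other.fields)
        return all(self.fields.get(k) is None or other.fields.get(k) is None
                   or self.fields[k] == other.fields[k] for k in keys)

class RuleSet:
    def __init__(self, rules: Optional[List[Rule]]):
        # None models a missing rules file: both lists stay empty, so every request is denied.
        rules = rules or []
        # Rules are split by disposition as they load; file order plays no part in evaluation.
        self.deny = [r for r in rules if r.disposition == "deny"]
        self.allow = [r for r in rules if r.disposition == "allow"]

    def evaluate(self, request: Dict[str, str]) -> Tuple[str, str]:
        if any(r.matches(request) for r in self.deny):
            return "deny", "matched deny list"
        if any(r.matches(request) for r in self.allow):
            return "allow", "matched allow list"
        return "deny", "no rule matched (default deny)"

    def shadowed_allows(self) -> List[Rule]:
        # Allow rules whose attributes overlap a deny rule: the deny wins for those requests.
        return [a for a in self.allow if any(a.overlaps(d) for d in self.deny)]

# Constructed sample rules and requests (not from the page).
RULES = RuleSet([
    Rule("deny",  {"process": None,     "remote_addr": "10.0.0.5", "port": None}),
    Rule("allow", {"process": "WEBSRV", "remote_addr": None,       "port": "80"}),
])

if __name__ == "__main__":
    for req in ({"process": "WEBSRV", "remote_addr": "10.0.0.5", "port": "80"},
                {"process": "WEBSRV", "remote_addr": "10.0.0.7", "port": "80"},
                {"process": "WEBSRV", "remote_addr": "10.0.0.7", "port": "443"}):
        print(req, "->", RULES.evaluate(req))
    print("allow rules overlapping a deny rule:", len(RULES.shadowed_allows()))
```

The `shadowed_allows` check is the audit a practitioner can run over a loaded rule set to find allow rules that a deny rule will always pre-empt for some requests.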