
Sunday 14 June 2015

Maintaining an AIX firewall

AIX 6.1 ships with a packet-filtering firewall capability as part of IP Security (referred to here as ipfilt: the expfilt, impfilt, rmfilt, lsfilt and mkfilt filter-rule tools), but IBM has not done a particularly good job of either publicising or documenting it. You can configure the filter rules either from the command line or via smit. The tools are part of the LPP bos.net.ipsec.rte.

1. If you already have an exported rules file (ipsec_fltr_rule.exp), copy it to a temporary directory; otherwise export the active rules as follows. The -f argument to expfilt is a directory, and the tool writes ipsec_fltr_rule.exp into it:

# expfilt -v4 -f /tmp/ipfilt.exp
Directory /tmp/ipfilt.exp created.
Filter rule 2 for IPv4 has been exported successfully.
Filter rule 3 for IPv4 has been exported successfully.
Filter rule 4 for IPv4 has been exported successfully.
Filter rule 5 for IPv4 has been exported successfully.
...
Filter rule 56 for IPv4 has been exported successfully.
Filter rule(s) have been exported to /tmp/ipfilt.exp/ipsec_fltr_rule.exp successfully.


2. Flush all existing IPv4 filter rules:

    /usr/sbin/rmfilt -v4 -n all

3. Import the filter rules from the directory containing your (edited) ipsec_fltr_rule.exp; this example imports from /root:

    /usr/sbin/impfilt -f /root

4. List the imported filter rules in raw (unformatted) form. In the listing below, the rules whose description starts with AIXpert: were generated by AIX Security Expert (aixpert); they shun a remote host or port for 300 seconds when it touches the listed ports on 192.168.1.105:

    /usr/sbin/lsfilt -v 4 -O

1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all packets 0 all 0 none  Default Rule
2 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 69 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunHost192.168.1.10569
3 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 67 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunHost192.168.1.10567
4 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 43 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunHost192.168.1.10543
5 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 25 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunHost192.168.1.10525
6 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 19 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunHost192.168.1.10519
7 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 13 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunHost192.168.1.10513
8 shun_host 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes all any 0 eq 11 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunHost192.168.1.10511
9 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 666 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunPort192.168.1.105666
10 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 635 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunPort192.168.1.105635
11 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 547 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunPort192.168.1.105547
12 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 546 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunPort192.168.1.105546
13 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 194 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunPort192.168.1.105194
14 shun_port 0.0.0.0 0.0.0.0 192.168.1.105 255.255.255.255 yes udp any 0 eq 162 both inbound no all packets 0 all 300 none  AIXpert:IPv4:ShunPort192.168.1.105162

5. Activate the new rules (-u updates the active rule table; -g start also starts the filter rule log):

    /usr/sbin/mkfilt -v4 -u -g start

The same export, import, list and activate operations are available from smit:

smitty tcpip

                                     TCP/IP

Move cursor to desired item and press Enter.

  Minimum Configuration & Startup
  Further Configuration
  Use DHCP for TCPIP Configuration & Startup
  IPV6 Configuration
  Quality of Service Configuration & Startup
  Configure IP Security (IPv4)
  Configure IP Security (IPv6)


Configure IP Security (IPv4):




                          Configure IP Security (IPv4)

Move cursor to desired item and press Enter.

  Start/Stop IP Security
  Basic IP Security Configuration
  Advanced IP Security Configuration


Advanced IP Security Configuration:

                       Advanced IP Security Configuration

Move cursor to desired item and press Enter.

  Configure IP Security Filter Rules
  List Active IP Security Filter Rules
  Activate/Update/Deactivate IP Security Filter Rule
  List Encryption Modules
  Start/Stop IP Security Filter Rule Log
  Start/Stop IP Security Tracing
  Backup IKE Database
  Restore IKE Database
  Initialize IKE Database
  View IKE XML DTD

Configure IP Security Filter Rules




                       Configure IP Security Filter Rules

Move cursor to desired item and press Enter.

  List IP Security Filter Rules
  Add an IP Security Filter Rule
  Change IP Security Filter Rules
  Move IP Security Filter Rules
  Export IP Security Filter Rules
  Import IP Security Filter Rules
  Delete IP Security Filter Rules


The important thing to remember is that the rules take effect as soon as you activate them: if you have made a mistake you will be immediately locked out of the system, so make sure you have a console session open (not just an SSH session) before you activate.
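As an added example (this script is mine, not part of the original post), the five-step export / flush / import / list / activate procedure above can be wrapped so that the lock-out risk just described is bounded: the script keeps an export of the running rules and a background job restores them unless the operator confirms the change within a grace period. The tool location (IPSEC_SBIN, default /usr/sbin), the backup directory, the confirmation file, the 300-second grace period and every function name are assumptions of this example; the tool invocations themselves are the ones used in the steps above.

```shell
#!/bin/sh
# Added example, not from the original post: reload AIX IPv4 filter rules
# with a backup and an automatic rollback unless the change is confirmed.
#
# Assumptions (not stated on the page): the tools live in $IPSEC_SBIN;
# the new rule set is a directory holding ipsec_fltr_rule.exp (the file
# expfilt produces); BACKUP_DIR, CONFIRM_FILE and GRACE are my defaults.

: "${IPSEC_SBIN:=/usr/sbin}"
: "${BACKUP_DIR:=/tmp/ipfilt.backup.$$}"
: "${CONFIRM_FILE:=/tmp/ipfilt.confirm.$$}"
: "${GRACE:=300}"            # seconds the operator has to confirm
ROLLBACK_PID=""

# Step 1: export the currently active IPv4 rules so they can be restored.
backup_rules() {
    rm -rf "$BACKUP_DIR"
    "$IPSEC_SBIN/expfilt" -v 4 -f "$BACKUP_DIR" || return 1
    [ -f "$BACKUP_DIR/ipsec_fltr_rule.exp" ]
}

# Steps 2 and 3: refuse to flush anything unless the new directory really
# holds an export file, then flush the table and import from it.
load_rules() {
    [ -f "$1/ipsec_fltr_rule.exp" ] || {
        echo "no ipsec_fltr_rule.exp in $1, nothing flushed" >&2
        return 1
    }
    "$IPSEC_SBIN/rmfilt" -v 4 -n all || return 1
    "$IPSEC_SBIN/impfilt" -f "$1"
}

# Step 4: show the imported rules in raw format before activating them.
show_rules() {
    "$IPSEC_SBIN/lsfilt" -v 4 -O
}

# Step 5: activate, then arm a background job that reinstates the backup
# unless $CONFIRM_FILE exists when $GRACE seconds have passed.
activate_with_rollback() {
    rm -f "$CONFIRM_FILE"
    "$IPSEC_SBIN/mkfilt" -v 4 -u -g start || return 1
    echo "rules active; rollback in ${GRACE}s unless you run: touch $CONFIRM_FILE"
    (
        sleep "$GRACE"
        [ -f "$CONFIRM_FILE" ] && exit 0
        load_rules "$BACKUP_DIR" && "$IPSEC_SBIN/mkfilt" -v 4 -u -g start
    ) >/dev/null 2>&1 &
    ROLLBACK_PID=$!
}

# Operator confirmation from the console session; cancels the rollback.
confirm_rules() {
    : > "$CONFIRM_FILE"
}

# Whole procedure; argument is the directory holding the edited export.
ipfilt_reload() {
    backup_rules && load_rules "$1" && show_rules && activate_with_rollback
}

# Usage: ./ipfilt-reload.sh /root
if [ $# -gt 0 ]; then
    ipfilt_reload "$1"
fi
```

Run it from the console session, check the lsfilt listing and your remote access, then touch the confirmation file before the grace period ends. If the new rules cut you off, the background job flushes them and re-imports and re-activates the exported backup on its own; the rollback path reuses load_rules, so it is refused just as loudly if the backup export is missing.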




