AIX Simple Firewall
Prerequisites
Packages to be installed
- bos.msg.en_US.net.ipsec
- bos.net.ipsec.keymgt
- bos.net.ipsec.rte
- clic.rte.kernext
- clic.rte.lib
CLI
lslpp -l bos.msg.en_US.net.ipsec
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
bos.msg.en_US.net.ipsec 7.2.5.0 COMMITTED IP Security Messages - U.S. English
Start/Stop IP Security
CLI
# Start command for ipsec_v4
/usr/sbin/mkdev -c ipsec -t 4
/usr/sbin/mkfilt -v 4 -u -z P
# Stop command
/usr/sbin/rmdev -l ipsec_v4
Smitty
smitty ipsec4
> Start/Stop IP Security > Start IP Security
- Start IP Security: [Now and After Reboot]
- Deny All Non_Secure IP Packets: [no]
Verify command
lsdev -C | grep ipsec
lsdev -l ipsec_v4
ipsec_v4 Available IP Version 4 Security Extension
Log file setup
cp /etc/syslog.conf /etc/syslog.conf.bak
echo "local4.debug /var/log/ipsec.log" >> /etc/syslog.conf
touch /var/log/ipsec.log
chmod 0644 /var/log/ipsec.log
refresh -s syslogd
Enable/disable packet logging
- With packet logging enabled, watch how fast the log file grows; put it on a separate filesystem so a full log cannot affect important services.
- Packet logging alone logs nothing: a rule is only logged when its own Logging control is on (genfilt -l Y).
# Start the packet logging
mkfilt -v4 -g start
# Stop the packet logging
mkfilt -v4 -g stop
Filter Rules
Common commands:
- genfilt : add a rule
- rmfilt : remove a rule
rmfilt -v 4 -n 3
: remove rule 3
- chfilt : change a rule
chfilt -v 4 -n 3 -s xxx.xxx.xxx.xxx
: change the source IP of rule 3
- Activate all rules:
mkfilt -v 4 -u
- Deactivate all rules:
mkfilt -v 4 -d
- List all rules:
lsfilt -v 4 -O
Command parameters:
-v 4 : IPv4
-a : action, P (Permit) or D (Deny)
-n : rule number; the new rule is inserted at that position and the rules after it shift down
-s : source IP or subnet, e.g. 192.168.99.1 or 192.168.99.0
-m : source mask; 255.255.255.255 for a single host, 255.255.255.0 for a class C subnet
-d : destination IP or subnet, e.g. 192.168.99.1 or 192.168.99.0
-M : destination mask; 255.255.255.255 for a single host, 255.255.255.0 for a class C subnet
-g : whether the rule also applies to source-routed packets, Y (default) or N
-c : protocol, e.g. tcp, udp, all
-o any -p 0 : source port operator and port; any source port (what the rules on this page use)
-O eq -P 21 : destination port 21 (FTP)
-O any -P 0 : any destination port (all services)
-r : scope, L (local traffic), R (routed traffic) or B (both)
-w : direction, I (inbound), O (outbound) or B (both)
-l : logging, Y or N (default); takes effect only after packet logging has been started
-f : fragment control; Y (all packets) is what the rules on this page use
-i : interface, e.g. all, en0
-D : description, free text
Whitelist mode
Inbound rule: allow FTP (port 21) only from a specified source IP (my-linux-ip) or subnet, and deny it from everywhere else.
genfilt -v 4 -a P -s <my-linux-ip> -m 255.255.255.255 -d <aix-server-IP> -M 255.255.255.255 -g Y -c tcp -o any -p 0 -O eq -P 21 -r B -w I -l Y -f Y -i all
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d <aix-server-IP> -M 255.255.255.255 -g Y -c tcp -o any -p 0 -O eq -P 21 -r B -w I -l N -f Y -i all
- Rules 0, 1 and 2 are built-in default rules
- Tips
- Rule changes only take effect after the rule table is reactivated (mkfilt -v 4 -u).
- Whitelist mode: permit the specific sources first, then deny all sources. Rules are evaluated in order and the first match wins, so a deny placed before the permit would shadow it.
- Rule 0 is the default rule and is always evaluated last. Started with -z P as above it permits everything no earlier rule matched, so this whitelist only constrains port 21. mkfilt -v 4 -u -z D turns the default into deny; permit your management traffic (e.g. SSH from the admin host) before doing that, or you lock yourself out.
root@aixvm:> lsfilt -v4 -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|192.168.99.1|255.255.255.255|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|yes|all packets|0|all|0|||
4|deny|0.0.0.0|0.0.0.0|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|no|all packets|0|all|0|||
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule
root@aixvm:> lsfilt -v4
Beginning of IPv4 filter rules.
Rule 1:
Rule action : permit
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask : 0.0.0.0
Source Routing : no
Protocol : udp
Source Port : eq 4001
Destination Port : eq 4001
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : yes
Expiration Time : 0
Description : Default Rule
Rule 2:
*** Dynamic filter placement rule for IKE tunnels ***
Logging control : no
Rule 3:
Rule action : permit
Source Address : 192.168.99.1
Source Mask : 255.255.255.255
Destination Address : 192.168.99.100
Destination Mask : 255.255.255.255
Source Routing : yes
Protocol : tcp
Source Port : any 0
Destination Port : eq 21
Scope : both
Direction : inbound
Logging control : yes
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : no
Expiration Time : 0
Description :
Rule 4:
Rule action : deny
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 192.168.99.100
Destination Mask : 255.255.255.255
Source Routing : yes
Protocol : tcp
Source Port : any 0
Destination Port : eq 21
Scope : both
Direction : inbound
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : no
Expiration Time : 0
Description :
Rule 0:
Rule action : permit
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask : 0.0.0.0
Source Routing : yes
Protocol : all
Source Port : any 0
Destination Port : any 0
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : no
Expiration Time : 0
Description : Default Rule
End of IPv4 filter rules.
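The whitelist procedure above (permit each allowed source, then deny everyone else on the port, then reactivate the table), wrapped as a POSIX shell script. This is an added example, not code from the original page: it emits the same genfilt/mkfilt invocations shown above, defaults to a dry run (DRY_RUN=1) that prints the commands instead of executing them, derives the mask from the page's class C convention (addresses ending in .0 get 255.255.255.0, everything else is a single host), and the server, host and subnet addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: build an AIX IPsec filter
# "whitelist" for one TCP port. Assumes root on AIX with bos.net.ipsec.rte
# installed when DRY_RUN=0; with DRY_RUN=1 (default) it only prints commands.
DRY_RUN=${DRY_RUN:-1}

# run_or_echo CMD ARG...: execute the command, or print it in dry-run mode
run_or_echo() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mask_for ADDR: class C convention from the page. An address ending in .0 is
# treated as a /24 subnet, anything else as a single host (/32).
mask_for() {
    case "$1" in
        *.0) printf '255.255.255.0\n' ;;
        *)   printf '255.255.255.255\n' ;;
    esac
}

# whitelist_port SERVER_IP PORT SOURCE...: permit inbound SOURCE... to
# SERVER_IP:PORT (logged), then deny every other source on that port
# (unlogged), then reactivate the rule table. The order is what makes this a
# whitelist: AIX evaluates filter rules in ID order and the first match wins,
# so the permits must be generated before the catch-all deny.
whitelist_port() {
    server=$1; port=$2; shift 2
    for src in "$@"; do
        run_or_echo genfilt -v 4 -a P -s "$src" -m "$(mask_for "$src")" \
            -d "$server" -M 255.255.255.255 -g Y -c tcp -o any -p 0 \
            -O eq -P "$port" -r B -w I -l Y -f Y -i all
    done
    run_or_echo genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 \
        -d "$server" -M 255.255.255.255 -g Y -c tcp -o any -p 0 \
        -O eq -P "$port" -r B -w I -l N -f Y -i all
    run_or_echo mkfilt -v 4 -u
}

# Usage (constructed addresses): FTP on 192.168.99.100, allowed from one
# admin host and one /24 subnet.
whitelist_port 192.168.99.100 21 192.168.99.1 192.168.99.0
```

Run it once with the default DRY_RUN=1 and read the four commands it prints; only then run `DRY_RUN=0 ./whitelist.sh` on the AIX host. Because the script ends with `mkfilt -v 4 -u`, the rules are active as soon as it returns, so check with `lsfilt -v4 -O` that the permit rules carry lower IDs than the deny before trusting it.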
Reordering rules
Swap rules 3 and 4. Note that the resulting order (deny before permit) shadows the permit rule for port 21; it is used here only to show how rules are moved.
...
3|deny|0.0.0.0|0.0.0.0|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|no|all packets|0|all|0|||
4|permit|192.168.99.1|255.255.255.255|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|yes|all packets|0|all|0|||
...
Steps:
- Delete the deny rule (rule 4). The rules after a deleted rule are renumbered, so only the permit rule is left, still as rule 3:
rmfilt -v4 -n 4
- Recreate the same deny rule and insert it as rule 3; the existing permit rule moves down to rule 4:
genfilt -v 4 -n 3 -a D -s 0.0.0.0 -m 0.0.0.0 -d 192.168.99.100 -M 255.255.255.255 -g Y -c tcp -o any -p 0 -O eq -P 21 -r B -w I -l N -f Y -i all
- Reactivate the rule table so the new order takes effect:
mkfilt -v 4 -u
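A reordering mistake like the one above is easy to make and silent at runtime, so here is an added example, not from the original page, that audits a rule table in the pipe-separated `lsfilt -v4 -O` form for one port: it checks that every permit for that destination port comes before the catch-all deny, and that the deny exists at all. The field positions are an assumption inferred from the verbose `lsfilt -v4` listing shown earlier on this page; the two embedded listings are constructed copies of the good and the swapped order from this page.

```shell
#!/bin/sh
# Added example, not from the original page: audit "lsfilt -v4 -O" output.
# Assumed field positions (inferred from the verbose lsfilt listing on this
# page): 1 id, 2 action, 3 source, 4 source mask, 5 destination,
# 6 destination mask, 7 source routing, 8 protocol, 9/10 source port operator
# and port, 11/12 destination port operator and port, 13 scope, 14 direction,
# 15 logging control. Rule 0 (the default) is printed last, which is also its
# evaluation position.

# check_port_order PORT: reads lsfilt -O lines on stdin. Exit status 0 when
# every permit for destination PORT precedes the catch-all deny (source
# 0.0.0.0 mask 0.0.0.0) for that port; 1 when a permit is shadowed by an
# earlier deny (it can never match because the first matching rule wins);
# 2 when no catch-all deny exists (the whitelist is incomplete and the
# default rule 0 decides for unlisted sources).
check_port_order() {
    awk -F'|' -v port="$1" '
        $1 !~ /^[0-9]+$/ || $8 == "" { next }   # banners, IKE placeholder
        $11 == "eq" && $12 == port {
            if ($2 == "deny" && $3 == "0.0.0.0" && $4 == "0.0.0.0") deny_seen = 1
            if ($2 == "permit" && deny_seen) shadowed = 1
        }
        END {
            if (!deny_seen) exit 2
            if (shadowed)  exit 1
            exit 0
        }'
}

# describe_rules: one readable line per rule, in evaluation order as listed
describe_rules() {
    awk -F'|' '$1 ~ /^[0-9]+$/ && $8 != "" {
        printf "rule %s: %-6s %s/%s -> %s %s %s %s %s log=%s\n",
               $1, $2, $3, $4, $5, $8, $11, $12, $14, $15
    }'
}

# Constructed sample: the whitelist order from this page (permit, then deny).
GOOD_RULES='1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|192.168.99.1|255.255.255.255|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|yes|all packets|0|all|0|||
4|deny|0.0.0.0|0.0.0.0|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|no|all packets|0|all|0|||
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule'

# Constructed sample: the swapped order from the reordering section.
SWAPPED_RULES='3|deny|0.0.0.0|0.0.0.0|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|no|all packets|0|all|0|||
4|permit|192.168.99.1|255.255.255.255|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|yes|all packets|0|all|0|||
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule'

# Usage: on a live AIX host replace the printf with "lsfilt -v4 -O".
printf '%s\n' "$GOOD_RULES" | check_port_order 21 && echo "port 21: whitelist order OK"
printf '%s\n' "$SWAPPED_RULES" | check_port_order 21 || echo "port 21: problem (status $?)"
printf '%s\n' "$SWAPPED_RULES" | describe_rules
```

Run the check after every `genfilt`/`rmfilt` change and before `mkfilt -v 4 -u`; a status of 1 means the permit rule is dead and the port is closed even for the whitelisted host, a status of 2 means the port is open to everyone under the permit-all default rule 0.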
Clearing rules
Remove all user-defined rules; the built-in default rules (0, 1, 2) stay:
rmfilt -v4 -n all
Import/export rules
Export
- Command:
expfilt -r -f .
-f . : write to the current directory; the file name is fixed as ipsec_fltr_rule.exp
-r : always pass this when the export is for the same machine; without it expfilt reverses the Direction of every rule (the default export is meant for the other end of a tunnel)
root@aixvm:ipsec_filters> lsfilt -v4 -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|192.168.99.8|255.255.255.255|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|yes|all packets|0|all|0|||
4|deny|0.0.0.0|0.0.0.0|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|no|all packets|0|all|0|||
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule
root@aixvm:ipsec_filters> expfilt -r -f .
Filter rule 3 for IPv4 has been exported successfully.
Filter rule 4 for IPv4 has been exported successfully.
Filter rule(s) have been exported to ipsec_fltr_rule.exp successfully.
root@aixvm:ipsec_filters> ls -l
total 16
-rw-r--r-- 1 root system 417 Jun 03 15:37 ipsec_fltr_rule.exp
Import
- Command:
impfilt -f .
Import from the current directory
root@aixvm:ipsec_filters> ls -l
total 16
-rw-r--r-- 1 root system 417 Jun 03 15:37 ipsec_fltr_rule.exp
root@aixvm:ipsec_filters> lsfilt -v4 -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|192.168.99.8|255.255.255.255|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|yes|all packets|0|all|0|||
4|deny|0.0.0.0|0.0.0.0|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|no|all packets|0|all|0|||
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule
root@aixvm:ipsec_filters> rmfilt -v4 -n all
Filter rule 3 for IPv4 has been removed successfully.
Filter rule 4 for IPv4 has been removed successfully.
root@aixvm:ipsec_filters> impfilt -f .
Filter rule 3 for IPv4 imported as rule 3.
Filter rule 4 for IPv4 imported as rule 4.
Filter rule(s) have been imported successfully.
root@aixvm:ipsec_filters> lsfilt -v4 -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|192.168.99.8|255.255.255.255|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|yes|all packets|0|all|0|||
4|deny|0.0.0.0|0.0.0.0|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|no|all packets|0|all|0|||
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule
Blacklist mode
Rule (deny all inbound traffic from one source host; everything else still falls through to default rule 0):
- action: deny
- source: 192.168.99.1
- destination: any
- protocol: all
- direction: inbound
genfilt -v 4 -a D -s 192.168.99.1 -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 -g Y -c all -r B -w I -l Y -f Y -i all