AIX Simple Firewall
Prerequisities
Packages to be installed
- bos.msg.en_US.net.ipsec
- bos.net.ipsec.keymgt
- bos.net.ipsec.rte
- clic.rte.kernext
- clic.rte.lib
CLI
lslpp -l bos.msg.en_US.net.ipsec
Fileset Level State Description
----------------------------------------------------------------------------
Path: /usr/lib/objrepos
bos.msg.en_US.net.ipsec 7.2.5.0 COMMITTED IP Security Messages - U.S.
EnglishStart/Stop IP Security
CLI
# Start command for ipsec_v4
/usr/sbin/mkdev -c ipsec -t 4
/usr/sbin/mkfilt -v 4 -u -z P
# Stop command
/usr/sbin/rmdev -l ipsec_v4Smitty
smitty ipsec4 > Start/Stop IP Security > Start IP Security
- Start IP Security: [Now and After Reboot]
- Deny All Non_Secure IP Packets: [no]
Verify command
> lsdev -C | grep ipsec
ipsec_v4 Available IP Version 4 Security Extension
ipsec_v6 Available IP Version 6 Security Extension
> lsdev -l ipsec_v4
ipsec_v4 Available IP Version 4 Security Extension
日誌檔設置
cp /etc/syslog.conf /etc/syslog.conf.bak
echo "local4.debug /var/log/ipsec.log" >> /etc/syslog.conf
touch /var/log/ipsec.log
chmod 0644 /var/log/ipsec.log
refresh -s syslogd啟用/停用封包紀錄
- 啟用封包紀錄功能,要注意日誌檔的成長幅度,建議使用獨立的 filesystem,避免影響重要服務。
- 規則(Rule)需要同時啟用 Logging control 參數。
# Start the packet logging
mkfilt -v4 -g start
# Stop the packet logging
mkfilt -v4 -g stopFilter Rules
常用指令
- genfilt : 新增規則
- rmfilt : 刪除規則
rmfilt -v 4 -n 3: 移除規則 3
- chfilt : 變更規則
chfilt -v 4 -n 3 -s xxx.xxx.xxx.xxx: 變更規則3 的來源 IP
- 啟用所有規則 :
mkfilt -v 4 -u - 停用所有規則 :
mkfilt -v 4 -d - 列出所有規則 :
lsfilt -v 4 -O
規則參數
-v 4: IPv4 網路-a: Action,P (Permit), D (Deny)-n: 規則編號-s: 來源 IP 或網段,例如 192.168.99.1 或 192.168.99.0-m: 來源遮罩,個別 IP 填 255.255.255.255;C 網段 IP 填 255.255.255.0-d: 目的 IP 或網段,例如 192.168.99.1 或 192.168.99.0-M: 目的遮罩,個別 IP 填 255.255.255.255;C 網段 IP 填 255.255.255.0-g: source routing, 例如 N, Y(default)-c: Protocol, 例如 tcp, udp, all-O eq -P 21: Port 21 (FTP)-O any -P 0: 任意 Port (所有服務)-O neq -P 22: 除 SSH 服務以外-w: Direction, 例如 I (inbound), O (outbound) 或 B (both)-l: 是否開啟稽核日誌,例如 Y, N(default) (須配合封包紀錄啟動)-i: 網卡介面,例如 all, en0-D: Description, 其他補充說明
白名單模式 by ip/port
Inbound Rule : 針對 FTP (port 21) 限制指定來源 IP (my-linux-ip) 或網段。
genfilt -v 4 -a P -s <my-linux-ip> -m 255.255.255.255 -d <aix-server-IP> -M 255.255.255.255 -g Y -c tcp -o any -p 0 -O eq -P 21 -r B -w I -l Y -f Y -i all
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d <aix-server-IP> -M 255.255.255.255 -g Y -c tcp -o any -p 0 -O eq -P 21 -r B -w I -l N -f Y -i all- Rule 0,1,2 是內建預設規則
- TIPs
- 規則異動後,必須重啟規則才能生效。
- 白名單模式:先 Permit 特定來源,再 Deny 所有來源
root@aixvm:> lsfilt -v4 -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|192.168.99.1|255.255.255.255|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|yes|all packets|0|all|0|||
4|deny|0.0.0.0|0.0.0.0|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|no|all packets|0|all|0|||
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule
root@aixvm:> lsfilt -v4
Beginning of IPv4 filter rules.
Rule 1:
Rule action : permit
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask : 0.0.0.0
Source Routing : no
Protocol : udp
Source Port : eq 4001
Destination Port : eq 4001
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : yes
Expiration Time : 0
Description : Default Rule
Rule 2:
*** Dynamic filter placement rule for IKE tunnels ***
Logging control : no
Rule 3:
Rule action : permit
Source Address : 192.168.99.1
Source Mask : 255.255.255.255
Destination Address : 192.168.99.100
Destination Mask : 255.255.255.255
Source Routing : yes
Protocol : tcp
Source Port : any 0
Destination Port : eq 21
Scope : both
Direction : inbound
Logging control : yes
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : no
Expiration Time : 0
Description :
Rule 4:
Rule action : deny
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 192.168.99.100
Destination Mask : 255.255.255.255
Source Routing : yes
Protocol : tcp
Source Port : any 0
Destination Port : eq 21
Scope : both
Direction : inbound
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : no
Expiration Time : 0
Description :
Rule 0:
Rule action : permit
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask : 0.0.0.0
Source Routing : yes
Protocol : all
Source Port : any 0
Destination Port : any 0
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : no
Expiration Time : 0
Description : Default Rule
End of IPv4 filter rules.白名單模式 by ip
Inbound Rule : 限制指定來源 IP (my-linux-ip) 或網段存取所有服務。
# Allow from 192.168.99.1
genfilt -v 4 -a P -s 192.168.99.1 -m 255.255.255.255 -d 192.168.99.100 -M 255.255.255.255 -g N -c tcp -o any -p 0 -O any -P 0 -r B -w I -l Y -f Y -i all
# Deny from all
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 192.168.99.100 -M 255.255.255.255 -g N -c tcp -o any -p 0 -O any -P 0 -r B -w I -l N -f Y -i all -D "Deny from All"Optional: 排除 SSH 以外的所有服務,第二行指令改成
# Deny non-SSH services from All
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 192.168.99.100 -M 255.255.255.255 -g N -c tcp -o any -p 0 -O neq -P 22 -r B -w I -l N -f Y -i all -D "Deny non-SSH Services from All"調整順序
編號 3 與 4 順序互換
...
3|deny|0.0.0.0|0.0.0.0|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|no|all packets|0|all|0|||
4|permit|192.168.99.1|255.255.255.255|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|yes|all packets|0|all|0|||
...步驟:
- 刪除第 4 條:
rmfilt -v4 -n 3 - 重建一樣的規則,並指定編號為 3:
genfilt -v 4 -n 3 -a P -s 192.168.99.1 -m 255.255.255.255 -d 192.168.99.100 -M 255.255.255.255 -g Y -c tcp -o any -p 0 -O eq -P 21 -r B -w I -l Y -f Y -i all
清除規則
清除所有自定義的規則,除了預設的以外
rmfilt -v4 -n all匯入/匯出規則
匯出
- 指令:
expfilt -r -f . -f .: 輸出至目前目錄,檔名固定為 ipsec_fltr_rule.exp-r: 一定要加這參數,否則規則的 Direction 會被變更
root@aixvm:ipsec_filters> lsfilt -v4 -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|192.168.99.8|255.255.255.255|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|yes|all packets|0|all|0|||
4|deny|0.0.0.0|0.0.0.0|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|no|all packets|0|all|0|||
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule
root@aixvm:ipsec_filters> expfilt -r -f .
Filter rule 3 for IPv4 has been exported successfully.
Filter rule 4 for IPv4 has been exported successfully.
Filter rule(s) have been exported to ipsec_fltr_rule.exp successfully.
root@aixvm:ipsec_filters> ls -l
total 16
-rw-r--r-- 1 root system 417 Jun 03 15:37 ipsec_fltr_rule.exp匯入
- 指令:
impfilt -f .從目前目錄匯入
root@aixvm:ipsec_filters> ls -l
total 16
-rw-r--r-- 1 root system 417 Jun 03 15:37 ipsec_fltr_rule.exp
root@aixvm:ipsec_filters> lsfilt -v4 -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|192.168.99.8|255.255.255.255|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|yes|all packets|0|all|0|||
4|deny|0.0.0.0|0.0.0.0|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|no|all packets|0|all|0|||
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule
root@aixvm:ipsec_filters> rmfilt -v4 -n all
Filter rule 3 for IPv4 has been removed successfully.
Filter rule 4 for IPv4 has been removed successfully.
root@aixvm:ipsec_filters> impfilt -f .
Filter rule 3 for IPv4 imported as rule 3.
Filter rule 4 for IPv4 imported as rule 4.
Filter rule(s) have been imported successfully.
root@aixvm:ipsec_filters> lsfilt -v4 -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|192.168.99.8|255.255.255.255|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|yes|all packets|0|all|0|||
4|deny|0.0.0.0|0.0.0.0|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|no|all packets|0|all|0|||
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule
黑名單模式
Rule:
- action: deny
- source: 192.168.99.1
- destination: any
- protocol: all
- direction: inbound
genfilt -v 4 -a D -s 192.168.99.1 -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 -g Y -c all -r B -w I -l Y -f Y -i allScripts
Usage: Add new IP of whitelist
- Edit file: aixfw-config.sh
- Clean out all rules:
./aixfw-cmd.sh cleanall - Config new rules:
./aixfw-config.sh - Preview the list of rules:
./aixfw-cmd.sh show - Restart the firewall:
./aixfw-cmd.sh restart
aixfw-cmd.sh
#!/usr/bin/env bash
# AIX built-in firewall commands
# Author: A-Lang
# Created: 2025/7/11
Usage() {
echo
echo "Usage: `basename $0` [start|stop|restart|show|cleanall]"
echo "e.g : `basename $0` show"
echo "Options:"
echo " [start] - Start Firewall"
echo " [stop] - Stop Firewall"
echo " [restart] - Restart/Reload Firewall"
echo " [show] - List All Rules of Firewall"
echo " [cleanall] - Clean out All custom rules of Firewall"
}
ToUpper() {
echo $1 | tr "[:lower:]" "[:upper:]"
}
fw_start() {
mkfilt -v4 -u
}
fw_stop() {
mkfilt -v4 -d
}
fw_cleanall() {
rmfilt -v4 -n all
}
fw_show() {
lsfilt -v4 -O
}
################ Main Codes ################
if [ $# -ne 1 ];
then
Usage
exit 1
fi
cmd="$(ToUpper $1)"
case $cmd in
"START") fw_start;;
"STOP") fw_stop;;
"RESTART") fw_stop; fw_start;;
"SHOW") fw_show;;
"CLEANALL") fw_cleanall;;
*) Usage; exit;;
esac
#echo "Done!"aixfw-config.sh
#!/usr/bin/env bash
# Purpose: Setting up AIX built-in firewall as Whitelist mode
# Author: A-Lang
# Created: 2025/7/14
serverip="10.22.210.99"
while true; do
echo "The Server IP is $serverip"
read -p "Are you sure that you want to continue? (y/N): " input
input=${input:-n}
case "$input" in
y|Y)
echo
break
;;
n|N)
echo "Exit"
exit 1
;;
*) echo "Please answer Y or N.";;
esac
done
## Add the allowed IPs below
# For AIX VM only
#genfilt -v 4 -a P -s 192.168.99.1 -m 255.255.255.255 -d $serverip -M 255.255.255.255 -g N -c tcp -o any -p 0 -O any -P 0 -r B -w I -l Y -f Y -i all -D "For AIX VM only"
# Servers-B
# NOTE: Please replace xxx.xxx.xxx.xxx with the source IP that is allowed to access the server.
#genfilt -v 4 -a P -s xxx.xxx.xxx.xxx -m 255.255.255.255 -d $serverip -M 255.255.255.255 -g N -c tcp -o any -p 0 -O any -P 0 -r B -w I -l Y -f Y -i all -D "Additional Information"
genfilt -v 4 -a P -s 10.14.225.48 -m 255.255.255.255 -d $serverip -M 255.255.255.255 -g N -c tcp -o any -p 0 -O any -P 0 -r B -w I -l Y -f Y -i all -D "DEV01"
genfilt -v 4 -a P -s 10.14.226.31 -m 255.255.255.255 -d $serverip -M 255.255.255.255 -g N -c tcp -o any -p 0 -O any -P 0 -r B -w I -l Y -f Y -i all -D "DEV02"
## Add the allowed IP above
# Deny from all
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d $serverip -M 255.255.255.255 -g N -c tcp -o any -p 0 -O any -P 0 -r B -w I -l N -f Y -i all -D "Deny from All"