AIX Simple Firewall

Prerequisites

Packages to be installed

CLI

lslpp -l bos.msg.en_US.net.ipsec

  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  bos.msg.en_US.net.ipsec    7.2.5.0  COMMITTED  IP Security Messages - U.S.
                                                 English

Start/Stop IP Security

CLI

# Start command for ipsec_v4: create the device, then load the filter table into the
# kernel (-u) with the default rule set to permit (-z P; -z D would deny by default)
/usr/sbin/mkdev -c ipsec -t 4
/usr/sbin/mkfilt -v 4 -u -z P

# Stop command
/usr/sbin/rmdev -l ipsec_v4

Smitty

smitty ipsec4 > Start/Stop IP Security > Start IP Security 

Verify command

lsdev -C | grep ipsec
lsdev -l ipsec_v4

ipsec_v4 Available  IP Version 4 Security Extension

Log file setup

Rules created with logging enabled (-l Y) report matched packets through the syslog facility local4, so give that facility its own file:

cp /etc/syslog.conf /etc/syslog.conf.bak
echo "local4.debug /var/log/ipsec.log" >> /etc/syslog.conf
touch /var/log/ipsec.log
chmod 0644 /var/log/ipsec.log
refresh -s syslogd
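An idempotent form of the setup above, added here as an example and not taken from the original page: the page's block appends the local4 line unconditionally, so running it twice leaves a duplicate selector in syslog.conf. The function takes the config path and log file as parameters (names assumed here so it can be exercised against a scratch copy) and only reloads syslogd when the AIX refresh command exists.

```shell
#!/bin/sh
# setup_ipsec_log CONF LOGFILE
# Adds "local4.debug <LOGFILE>" to CONF once, creates the log target, and
# reloads syslogd on AIX. Prints "added" or "present".
# Added example; CONF and LOGFILE are parameters rather than the fixed
# /etc/syslog.conf and /var/log/ipsec.log so it can be tested on a copy.
setup_ipsec_log() {
    conf=$1; log=$2
    # Look for an existing selector for this facility and target; default
    # awk field splitting accepts either a tab or spaces between them.
    if awk -v l="$log" '$1 == "local4.debug" && $2 == l { found = 1 } END { exit !found }' "$conf"; then
        echo present
    else
        cp "$conf" "$conf.bak"                         # keep a backup, as the page does
        printf 'local4.debug\t%s\n' "$log" >> "$conf"  # tab between selector and action
        echo added
    fi
    # Create the target file first, as the page does, with the same mode.
    [ -f "$log" ] || : > "$log"
    chmod 0644 "$log"
    # AIX only: tell syslogd to re-read its configuration.
    if command -v refresh >/dev/null 2>&1; then refresh -s syslogd; fi
}

# Usage on the live system (needs root):
#   setup_ipsec_log /etc/syslog.conf /var/log/ipsec.log
```

Because the function reports whether it changed anything, it can be dropped into a configuration script and re-run safely; the second call returns "present" and leaves syslog.conf untouched.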

Enable/Disable packet logging

This switch turns the filter logging function on or off as a whole; only packets that hit a rule created with -l Y are written to the log.

# Start the packet logging
mkfilt -v4 -g start

# Stop the packet logging
mkfilt -v4 -g stop

Filter Rules

Commonly used commands:

  genfilt            add a filter rule to the filter rule table
  lsfilt             list filter rules (-O prints one pipe-delimited line per rule)
  rmfilt             remove a rule (-n <id>) or all user-defined rules (-n all)
  mkfilt             load the table into the kernel (-u), set the default action (-z P|D), start/stop logging (-g start|stop)
  expfilt / impfilt  export rules to / import rules from a directory

Rules are evaluated from the top down and the first match wins; rule 0, listed last, is the default that catches everything else. genfilt, rmfilt and impfilt only change the stored table: run mkfilt -v 4 -u afterwards to activate the new table in the kernel.

Command parameters (genfilt):

  -v 4|6       IP version
  -a P|D       action: permit or deny
  -s / -m      source address and mask
  -d / -M      destination address and mask
  -g Y|N       apply the rule to source-routed packets (Source Routing in lsfilt)
  -c           protocol: tcp, udp, icmp, all, ...
  -o / -p      source port operator and port (any, eq, neq, lt, le, gt, ge)
  -O / -P      destination port operator and port
  -r R|L|B     scope: forwarded packets, local packets, or both
  -w I|O|B     direction: inbound, outbound, or both
  -l Y|N       log packets that hit this rule
  -f Y|N|O|H   fragment control (Y applies to all packets)
  -i           interface name, or all
  -n <id>      insert the new rule ahead of the existing rule <id> (default: append at the end)
  -D           free-text description shown by lsfilt

Whitelist mode

Inbound rule: allow FTP (port 21) only from a specified source IP (my-linux-ip) or subnet. The first rule permits the trusted source, the second denies port 21 from everyone else; the permit must stay ahead of the deny because the first matching rule wins. For a subnet, set -s to the network address and -m to its mask (for example -m 255.255.255.0) instead of a single host.

genfilt -v 4 -a P -s <my-linux-ip> -m 255.255.255.255 -d <aix-server-IP> -M 255.255.255.255 -g Y -c tcp -o any -p 0 -O eq -P 21 -r B -w I -l Y -f Y -i all

genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d <aix-server-IP> -M 255.255.255.255 -g Y -c tcp -o any -p 0 -O eq -P 21 -r B -w I -l N -f Y -i all

The deny is created with -l N; use -l Y if rejected connection attempts should appear in the log. Traffic to any other port still falls through to the default rule 0 (permit). Activate the table with mkfilt -v 4 -u, then list it:

root@aixvm:> lsfilt -v4 -O

1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|192.168.99.1|255.255.255.255|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|yes|all packets|0|all|0|||
4|deny|0.0.0.0|0.0.0.0|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|no|all packets|0|all|0|||
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule

root@aixvm:> lsfilt -v4
Beginning of IPv4 filter rules.
Rule 1:
Rule action         : permit
Source Address      : 0.0.0.0
Source Mask         : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask    : 0.0.0.0
Source Routing      : no
Protocol            : udp
Source Port         : eq  4001
Destination Port    : eq  4001
Scope               : both
Direction           : both
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : yes
Expiration Time     : 0
Description         : Default Rule

Rule 2:
*** Dynamic filter placement rule for IKE tunnels ***
Logging control     : no

Rule 3:
Rule action         : permit
Source Address      : 192.168.99.1
Source Mask         : 255.255.255.255
Destination Address : 192.168.99.100
Destination Mask    : 255.255.255.255
Source Routing      : yes
Protocol            : tcp
Source Port         : any 0
Destination Port    : eq  21
Scope               : both
Direction           : inbound
Logging control     : yes
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : no
Expiration Time     : 0
Description         :

Rule 4:
Rule action         : deny
Source Address      : 0.0.0.0
Source Mask         : 0.0.0.0
Destination Address : 192.168.99.100
Destination Mask    : 255.255.255.255
Source Routing      : yes
Protocol            : tcp
Source Port         : any 0
Destination Port    : eq  21
Scope               : both
Direction           : inbound
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : no
Expiration Time     : 0
Description         :

Rule 0:
Rule action         : permit
Source Address      : 0.0.0.0
Source Mask         : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask    : 0.0.0.0
Source Routing      : yes
Protocol            : all
Source Port         : any 0
Destination Port    : any 0
Scope               : both
Direction           : both
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : no
Expiration Time     : 0
Description         : Default Rule

End of IPv4 filter rules.

Reordering rules

If the two rules end up listed the other way round (3 and 4 swapped), the deny is evaluated first and also blocks the host that rule 4 was meant to permit, because the first matching rule wins:

...
3|deny|0.0.0.0|0.0.0.0|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|no|all packets|0|all|0|||
4|permit|192.168.99.1|255.255.255.255|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|yes|all packets|0|all|0|||
...

Steps to put the permit back in front:

  1. Delete rule 4 (the permit): rmfilt -v4 -n 4
  2. Recreate the same rule and number it 3 with -n 3, which inserts it ahead of the existing rule 3 (the deny then becomes rule 4): genfilt -v 4 -n 3 -a P -s 192.168.99.1 -m 255.255.255.255 -d 192.168.99.100 -M 255.255.255.255 -g Y -c tcp -o any -p 0 -O eq -P 21 -r B -w I -l Y -f Y -i all
  3. Load the reordered table into the kernel: mkfilt -v 4 -u

Alternatively, mvfilt -v 4 -p 4 -n 3 moves rule 4 to position 3 in one step; it still needs the mkfilt -v 4 -u afterwards.
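The ordering fault described above, and the whitelist pair it affects, can be checked offline. The script below is an added example, not code from the original page: it replays the kernel's top-to-bottom, first-match evaluation over the pipe-delimited output of lsfilt -v4 -O, so a saved or proposed table can be tested before mkfilt -v 4 -u activates it. The two sample tables are the page's own listings (the mis-ordered one and the intended one), embedded inline as constructed input; the function names are this example's, and it assumes contiguous netmasks, skips the IKE placement line (rule 2), and treats the trailing rule 0 as the catch-all default.

```shell
#!/bin/sh
# Offline first-match simulator for "lsfilt -v4 -O" output (added example).
# Fields: id|action|src|smask|dst|dmask|srcrt|proto|sop|sport|dop|dport|scope|dir|log|frag|tunnel|if|exp|||desc

# Constructed sample tables copied from the listings on this page:
# the mis-ordered table (deny ahead of the host permit) and the intended one.
BAD_TABLE='1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|deny|0.0.0.0|0.0.0.0|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|no|all packets|0|all|0|||
4|permit|192.168.99.1|255.255.255.255|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|yes|all packets|0|all|0|||
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule'

GOOD_TABLE='1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|192.168.99.1|255.255.255.255|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|yes|all packets|0|all|0|||
4|deny|0.0.0.0|0.0.0.0|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|no|all packets|0|all|0|||
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule'

# first_match TABLE SRC DST PROTO SPORT DPORT DIRECTION
# Prints "<rule id> <action>" for the first rule the packet matches.
first_match() {
    printf '%s\n' "$1" | awk -F'|' -v src="$2" -v dst="$3" -v proto="$4" \
        -v sport="$5" -v dport="$6" -v dir="$7" '
    # Clear the host bits octet by octet: int(o/step)*step works for any
    # contiguous mask and avoids bitwise operators that POSIX awk lacks.
    function masked(ip, mask,    i, a, m, out, step) {
        split(ip, a, "."); split(mask, m, ".")
        out = ""
        for (i = 1; i <= 4; i++) {
            step = 256 - m[i]
            out = out (i > 1 ? "." : "") (int(a[i] / step) * step)
        }
        return out
    }
    function port_ok(op, want, have) {
        if (op == "any") return 1
        if (op == "eq")  return have == want
        if (op == "neq") return have != want
        if (op == "lt")  return have <  want
        if (op == "le")  return have <= want
        if (op == "gt")  return have >  want
        if (op == "ge")  return have >= want
        return 0
    }
    NF < 14                            { next }   # IKE placeholder line
    $14 != "both" && $14 != dir        { next }   # direction
    $8 != "all" && $8 != proto         { next }   # protocol
    masked(src, $4) != masked($3, $4)  { next }   # source net
    masked(dst, $6) != masked($5, $6)  { next }   # destination net
    !port_ok($9, $10 + 0, sport + 0)   { next }   # source port
    !port_ok($11, $12 + 0, dport + 0)  { next }   # destination port
    { print $1 " " $2; exit }'
}

# shadowed_permits TABLE
# Sends each host-specific permit rule its own packet; if an earlier rule
# catches it first, that permit can never fire (the fault shown above).
shadowed_permits() {
    table=$1
    printf '%s\n' "$table" | awk -F'|' '
        NF >= 14 && $1 != "0" && $2 == "permit" && $4 == "255.255.255.255" &&
        ($11 == "eq" || $11 == "any") { print $1, $3, $5, $8, $12, $14 }' |
    while read -r id src dst proto dport dir; do
        if [ "$dir" = both ]; then dir=inbound; fi
        hit=$(first_match "$table" "$src" "$dst" "$proto" 0 "$dport" "$dir")
        case "$hit" in
            "$id permit") ;;
            *) echo "rule $id (permit $src -> $dst $proto/$dport) is shadowed by rule ${hit%% *}" ;;
        esac
    done
}

# Stand-alone demo; on a live host pass "$(lsfilt -v4 -O)" instead of the samples.
first_match "$BAD_TABLE" 192.168.99.1 192.168.99.100 tcp 43210 21 inbound    # 3 deny
first_match "$GOOD_TABLE" 192.168.99.1 192.168.99.100 tcp 43210 21 inbound   # 3 permit
shadowed_permits "$BAD_TABLE"
```

On the mis-ordered table the trusted host's packet stops at the deny, and shadowed_permits names the permit that can never be reached; on the intended table the same packet hits the permit, other hosts hit the deny, and any other port falls through to rule 0. The same check works for the blacklist-style rules later on the page, since it evaluates whatever table it is given.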
Clearing rules

Remove all user-defined rules, leaving only the defaults (the auto-generated rules 1 and 2 and the default rule 0 stay), then load the emptied table with mkfilt -v 4 -u:

rmfilt -v4 -n all

Import/Export rules

Export

root@aixvm:ipsec_filters> lsfilt -v4 -O

1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|192.168.99.8|255.255.255.255|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|yes|all packets|0|all|0|||
4|deny|0.0.0.0|0.0.0.0|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|no|all packets|0|all|0|||
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule

root@aixvm:ipsec_filters> expfilt -r -f .

Filter rule 3 for IPv4 has been exported successfully.
Filter rule 4 for IPv4 has been exported successfully.
Filter rule(s) have been exported to ipsec_fltr_rule.exp successfully.

root@aixvm:ipsec_filters> ls -l
total 16
-rw-r--r--    1 root     system          417 Jun 03 15:37 ipsec_fltr_rule.exp

Import

root@aixvm:ipsec_filters> ls -l
total 16
-rw-r--r--    1 root     system          417 Jun 03 15:37 ipsec_fltr_rule.exp

root@aixvm:ipsec_filters> lsfilt -v4 -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|192.168.99.8|255.255.255.255|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|yes|all packets|0|all|0|||
4|deny|0.0.0.0|0.0.0.0|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|no|all packets|0|all|0|||
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule

root@aixvm:ipsec_filters> rmfilt -v4 -n all
Filter rule 3 for IPv4 has been removed successfully.
Filter rule 4 for IPv4 has been removed successfully.

root@aixvm:ipsec_filters> impfilt -f .
Filter rule 3 for IPv4 imported as rule 3.
Filter rule 4 for IPv4 imported as rule 4.
Filter rule(s) have been imported successfully.

root@aixvm:ipsec_filters> lsfilt -v4 -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|192.168.99.8|255.255.255.255|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|yes|all packets|0|all|0|||
4|deny|0.0.0.0|0.0.0.0|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|no|all packets|0|all|0|||
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule

Blacklist mode

Rule: deny all inbound traffic from 192.168.99.1, whatever the protocol or destination (-c all, -d 0.0.0.0 -M 0.0.0.0), and log the hits (-l Y). As with every rule change, follow it with mkfilt -v 4 -u.

genfilt -v 4 -a D -s 192.168.99.1 -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 -g Y -c all -r B -w I -l Y -f Y -i all


Revision #33
Created 2 June 2025 10:00:03 by Admin
Updated 3 June 2025 17:49:45 by Admin