AIX Simple Firewall

Prerequisities

Packages to be installed

bos.msg.en_US.net.ipsec
bos.net.ipsec.keymgt
bos.net.ipsec.rte
clic.rte.kernext
clic.rte.lib

CLI

lslpp -l bos.msg.en_US.net.ipsec

  Fileset                      Level  State      Description
  ----------------------------------------------------------------------------
Path: /usr/lib/objrepos
  bos.msg.en_US.net.ipsec    7.2.5.0  COMMITTED  IP Security Messages - U.S.
                                                 English

Start/Stop IP Security

CLI

# Start command
/usr/sbin/mkdev -c ipsec -t 4
/usr/sbin/mkfilt -v 4 -u -z P

# Stop command
/usr/sbin/rmdev -l ipsec_v4

Smitty

smitty ipsec4 > Start/Stop IP Security > Start IP Security

Start IP Security: [Now and After Reboot]
Deny All Non_Secure IP Packets: [no]

Verify command

lsdev -l ipsec_v4

ipsec_v4 Available  IP Version 4 Security Extension

日誌檔設置

cp /etc/syslog.conf /etc/syslog.conf.bak
echo "local4.debug /var/log/ipsec.log" >> /etc/syslog.conf
touch /var/log/ipsec.log
chmod 0644 /var/log/ipsec.log
refresh -s syslogd

cp /etc/syslog.conf /etc/syslog.conf.bak

echo "local4.debug /var/log/ipsec.log" >> /etc/syslog.conf

touch /var/log/ipsec.log

chmod 0644 /var/log/ipsec.log

refresh -s syslogd

啟用/停用封包紀錄

注意：啟用封包紀錄功能，要注意日誌檔的成長幅度，建議使用獨立的 filesystem，避免影響重要服務。

# Start the packet logging
mkfilt -v4 -g start

# Stop the packet logging
mkfilt -v4 -g stop

Filter Rules

常用指令：

genfilt : 新增規則
rmfilt : 刪除規則
- rmfilt -v 4 -n 3 : 移除規則 3
chfilt : 變更規則
- chfilt -v 4 -n 3 -s xxx.xxx.xxx.xxx : 變更規則3 的來源 IP
啟用所有規則 : mkfilt -v 4 -u
停用所有規則 : mkfilt -v 4 -d
列出所有規則 : lsfilt -v 4 -O

~~TIPs~~
- ~~規則異動後，必須重啟規則才能生效。~~
- ~~白名單模式：先 Permit 特定來源，再 Deny 所有來源~~

指令參數：

-v 4 : IPv4 網路
-a : Action，P (Permit), D (Deny)
-n : 規則編號
-s : 來源 IP 或網段，例如 192.168.99.1 或 192.168.99.0
-m : 來源遮罩，個別 IP 填 255.255.255.255；C 網段 IP 填 255.255.255.0
-d : 目的 IP 或網段，例如 192.168.99.1 或 192.168.99.0
-M : 目的遮罩，個別 IP 填 255.255.255.255；C 網段 IP 填 255.255.255.0
-c : Protocol, 例如 tcp, udp, all
-O eq -P 21 : Port 21 (FTP)
-O any -P 0 : 任意 Port (所有服務)
-l : 是否開啟稽核日誌，例如 Y, N
-i : 網卡介面，例如 all, en0

Rule #1: 針對 FTP (port 21) 限制指定來源 IP (my-linux-ip) 或網段。

genfilt -v 4 -a P -s <my-linux-ip> -m 255.255.255.255 -d <aix-server-IP> -M 255.255.255.255 -g Y -c tcp -o any -p 0 -O eq -P 21 -r B -w I -l N -f Y -i all

genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d <aix-server-IP> -M 255.255.255.255 -g Y -c tcp -o any -p 0 -O eq -P 21 -r B -w I -l N -f Y -i all

日誌檔

Rule 0,1,2 是內建預設置

規則

TIPs

規則異動後，必須重啟規則才能生效。

白名單模式：先 Permit 特定來源，再 Deny 所有來源

cp /etc/syslog.conf /etc/syslog.conf.bak
echo "local4.debug /var/log/ipsec.log" >root@aixvm:> /etc/syslog.conf
touch /var/log/ipsec.log
chmod 0644 /var/log/ipsec.log
refresh -s syslogd

~~啟用/停用封包紀錄~~

~~注意：啟用封包紀錄功能，要注意日誌檔的成長幅度，建議使用獨立的 filesystem，避免影響重要服務。~~

# Start the packet logging
mkfiltlsfilt -v4 -gO

start1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all #packets|0|all|0|||Default StopRule
the2|*** packetDynamic loggingfilter mkfiltplacement rule for IKE tunnels ***|no
3|permit|192.168.99.1|255.255.255.255|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|yes|all packets|0|all|0|||
4|deny|0.0.0.0|0.0.0.0|192.168.99.100|255.255.255.255|yes|tcp|any|0|eq|21|both|inbound|no|all packets|0|all|0|||
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule

root@aixvm:> lsfilt -v4
-gBeginning stopof IPv4 filter rules.
Rule 1:
Rule action         : permit
Source Address      : 0.0.0.0
Source Mask         : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask    : 0.0.0.0
Source Routing      : no
Protocol            : udp
Source Port         : eq  4001
Destination Port    : eq  4001
Scope               : both
Direction           : both
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : yes
Expiration Time     : 0
Description         : Default Rule

Rule 2:
*** Dynamic filter placement rule for IKE tunnels ***
Logging control     : no

Rule 3:
Rule action         : permit
Source Address      : 192.168.99.1
Source Mask         : 255.255.255.255
Destination Address : 192.168.99.100
Destination Mask    : 255.255.255.255
Source Routing      : yes
Protocol            : tcp
Source Port         : any 0
Destination Port    : eq  21
Scope               : both
Direction           : inbound
Logging control     : yes
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : no
Expiration Time     : 0
Description         :

Rule 4:
Rule action         : deny
Source Address      : 0.0.0.0
Source Mask         : 0.0.0.0
Destination Address : 192.168.99.100
Destination Mask    : 255.255.255.255
Source Routing      : yes
Protocol            : tcp
Source Port         : any 0
Destination Port    : eq  21
Scope               : both
Direction           : inbound
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : no
Expiration Time     : 0
Description         :

Rule 0:
Rule action         : permit
Source Address      : 0.0.0.0
Source Mask         : 0.0.0.0
Destination Address : 0.0.0.0
Destination Mask    : 0.0.0.0
Source Routing      : yes
Protocol            : all
Source Port         : any 0
Destination Port    : any 0
Scope               : both
Direction           : both
Logging control     : no
Fragment control    : all packets
Tunnel ID number    : 0
Interface           : all
Auto-Generated      : no
Expiration Time     : 0
Description         : Default Rule

End of IPv4 filter rules.