Sample firewall in AIX

Building a firewall under AIX is simple, but, as with any host-based firewall, it has to be done carefully.
1. Prerequisites
To run the firewall in AIX you need a few packages installed:
- bos.msg.en_US.net.ipsec
- bos.net.ipsec.keymgt
- bos.net.ipsec.rte
- clic.rte.kernext
- clic.rte.lib

2. Start/Stop
To start the firewall, execute the following commands as root:

/usr/sbin/mkdev -c ipsec -t 4
/usr/sbin/mkfilt -v 4 -u -z P


To stop it, execute this command:

/usr/sbin/rmdev -l ipsec_v4

The above commands are for IPv4. For IPv6, read the IBM manual pages.
3. Write the first rule
Let us permit SSH access to this machine from everywhere and log all of that activity:

genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d my_local_IP -M 255.255.255.255 -g Y -c tcp -o any -p 0 -O eq -P 22 -r B -w I -l Y -f Y -i all

But we want to block all other communication:

genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d my_local_IP -M 255.255.255.255 -g Y -c tcp -o any -p 0 -O any -P 0 -r B -w I -l N -f Y -i all

and activate the rules:

mkfilt -v 4 -u

4. Check the activated rules

lsfilt -v 4 -O
1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all packets 0 all
2 *** Dynamic filter placement rule for IKE tunnels *** no
3 permit 0.0.0.0 0.0.0.0 my_local_IP 255.255.255.255 yes tcp any 0 eq 22 both both yes all packets 0 all
4 deny 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both no all packets 0 all
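The four steps above gathered into one script, an added example that is not part of the original post: it generates the permit-then-deny rule set for any list of inbound TCP ports (the post shows only port 22) and checks an lsfilt listing for the ordering the post depends on, since filter rules are matched top to bottom and genfilt appends, so a deny added before a permit would block the SSH traffic the permit was meant to allow. LOCAL_IP and 192.0.2.10 are placeholders for my_local_IP, and the genfilt/mkfilt lines are printed rather than executed so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not from the original post). Prints the genfilt lines for a
# "permit these inbound TCP ports, deny all other TCP" IPv4 rule set and checks
# `lsfilt -v 4 -O` output for the ordering the post relies on: permits before deny.
# Assumptions: LOCAL_IP stands in for my_local_IP (192.0.2.10 is a placeholder);
# the genfilt/mkfilt lines are printed, not run, so they can be reviewed first.

LOCAL_IP="${LOCAL_IP:-192.0.2.10}"

# One logged permit rule for an inbound TCP port, same shape as the post's ssh rule.
permit_tcp_rule() {
    printf 'genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d %s -M 255.255.255.255 -g Y -c tcp -o any -p 0 -O eq -P %s -r B -w I -l Y -f Y -i all\n' "$LOCAL_IP" "$1"
}

# The catch-all deny; logging is switched on here (-l Y, the post used -l N) so that
# dropped connections show up in the filter log.
deny_rest_rule() {
    printf 'genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d %s -M 255.255.255.255 -g Y -c tcp -o any -p 0 -O any -P 0 -r B -w I -l Y -f Y -i all\n' "$LOCAL_IP"
}

# Whole rule set: genfilt appends, and rules are matched top to bottom, so every
# permit is generated before the deny; mkfilt -u then activates the result.
build_ruleset() {
    for port in "$@"; do permit_tcp_rule "$port"; done
    deny_rest_rule
    echo 'mkfilt -v 4 -u'
}

# Read `lsfilt -v 4 -O` output on stdin; succeed only if at least one permit rule
# for LOCAL_IP exists and none of them is numbered after the first deny rule.
# Columns: rule-number action src src-mask dst dst-mask ...
check_order() {
    awk -v ip="$LOCAL_IP" '
        $2 == "deny" && deny == 0 { deny = $1 + 0 }
        $2 == "permit" && $5 == ip { permits++; if (deny && $1 + 0 > deny) bad = 1 }
        END { exit (permits == 0 || bad) ? 1 : 0 }'
}

# Constructed sample of lsfilt output, mirroring the post's listing with the placeholder IP.
SAMPLE_LSFILT='1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all packets 0 all
2 *** Dynamic filter placement rule for IKE tunnels *** no
3 permit 0.0.0.0 0.0.0.0 192.0.2.10 255.255.255.255 yes tcp any 0 eq 22 both both yes all packets 0 all
4 deny 0.0.0.0 0.0.0.0 192.0.2.10 255.255.255.255 yes tcp any 0 any 0 both both no all packets 0 all'

build_ruleset 22
printf '%s\n' "$SAMPLE_LSFILT" | check_order && echo 'rule order OK' || echo 'deny precedes a permit'
```

On the AIX host itself, `lsfilt -v 4 -O | check_order` after `mkfilt -v 4 -u` confirms the active table has the permit ahead of the deny.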

5. Final conclusion
This article is just a small sample of how to build the firewall. For more detailed information, please consult the AIX documentation.
