Sample firewall in AIX

Building a firewall under AIX is simple, but, as with any host-based firewall, it has to be done carefully: a rule in the wrong order or a missing permit can cut off your own management access.
1. Prerequisites
To use the IP filter in AIX you need a few filesets installed:
- bos.msg.en_US.net.ipsec
- bos.net.ipsec.keymgt
- bos.net.ipsec.rte
- clic.rte.kernext
- clic.rte.lib

2. Start/Stop
To start the firewall, run the following commands as root. The first creates the IPv4 ipsec device, the second activates the filter with a default action of permit (-z P; -z D would make the default deny), so until you add deny rules nothing is blocked:

/usr/sbin/mkdev -c ipsec -t 4
/usr/sbin/mkfilt -v 4 -u -z P

To stop it, remove the device:

/usr/sbin/rmdev -l ipsec_v4

The above commands are for IPv4. For IPv6 read the manual pages from IBM.
3. Write the first rule
Let's permit ssh access to this machine from everywhere and log every matching packet (-l Y). Replace my_local_IP with the address of this host:

genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d my_local_IP -M 255.255.255.255 -g Y -c tcp -o any -p 0 -O eq -P 22 -r B -w I -l Y -f Y -i all

Then we want to stop all other inbound TCP traffic to this host:

genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d my_local_IP -M 255.255.255.255 -g Y -c tcp -o any -p 0 -O any -P 0 -r B -w I -l N -f Y -i all

The order matters: rules are evaluated top-down and the first match wins, so the permit for port 22 has to come before the deny. Two caveats before activating: the two rules match packets individually, without reference to connection state, so this deny also drops the replies to TCP connections the host itself opens (for example when it is the ssh client) unless you permit them explicitly before it; and if you activate from an ssh session that the new rules do not permit, you lock yourself out (rmdev -l ipsec_v4 from the console removes the filter again).

Now activate the rules:

mkfilt -v 4 -u
4. Check the rules
List what is now defined:

lsfilt -v 4 -O
1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all packets 0 all
2 *** Dynamic filter placement rule for IKE tunnels *** no
3 permit 0.0.0.0 0.0.0.0 my_local_IP 255.255.255.255 yes tcp any 0 eq 22 both both yes all packets 0 all
4 deny 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both no all packets 0 all

Rules 1 and 2 are created automatically when the ipsec device is configured (udp port 4001 and the dynamic IKE tunnel rule); rules 3 and 4 are ours. Compare the listing with what you intended before relying on it: here the deny rule shows protocol "all" with no destination restriction, and both rules show direction "both", which is wider than the -c tcp, -d my_local_IP and -w I given above.
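The whole procedure above (fileset check, device creation, the permit and deny rules, activation and listing) gathered into one script. This is an added example, not code from the original article: it assumes the placeholder MY_IP for this host's address and MGMT_NET/MGMT_MASK for the network allowed to ssh in (the article permits ssh from everywhere, which is the default here, so the script goes slightly beyond the article by letting you narrow the source). Unless invoked with the argument apply, it only prints the genfilt commands it would run.

```shell
#!/bin/sh
# Host firewall for AIX (IPv4): permit and log ssh, deny all other inbound TCP.
# Added example, not the article's own code. MY_IP, MGMT_NET and MGMT_MASK are
# assumed placeholders; set them in the environment for your host.
# Without the argument "apply" the script only prints the genfilt commands.

MY_IP="${MY_IP:-192.0.2.10}"          # assumption: this host (TEST-NET-1 address)
MGMT_NET="${MGMT_NET:-0.0.0.0}"       # 0.0.0.0 / 0.0.0.0 = ssh from anywhere, as in
MGMT_MASK="${MGMT_MASK:-0.0.0.0}"     # the article; narrow it to a management net
FILESETS="bos.net.ipsec.rte bos.net.ipsec.keymgt bos.msg.en_US.net.ipsec clic.rte.kernext clic.rte.lib"

# Compose one genfilt command line. Every rule is IPv4 (-v 4), inbound (-w I),
# applies to local and forwarded traffic (-r B), to all fragments (-f Y), on
# all interfaces, with this host as destination.
# args: action(P|D) proto src_addr src_mask dport_op dport log(Y|N)
filter_cmd() {
  printf '%s\n' "/usr/sbin/genfilt -v 4 -a $1 -s $3 -m $4 -d $MY_IP -M 255.255.255.255 -g Y -c $2 -o any -p 0 -O $5 -P $6 -r B -w I -l $7 -f Y -i all"
}

# The rule set in evaluation order: the permit must precede the deny, because
# the filter evaluates rules top-down and the first match wins.
ruleset() {
  filter_cmd P tcp "$MGMT_NET" "$MGMT_MASK" eq 22 Y   # ssh from the management net, logged
  filter_cmd D tcp 0.0.0.0 0.0.0.0 any 0 N            # every other inbound TCP packet
}

# Refuse to continue if one of the required filesets is not installed.
check_filesets() {
  for f in $FILESETS; do
    /usr/bin/lslpp -L "$f" >/dev/null 2>&1 || { echo "missing fileset: $f" >&2; return 1; }
  done
}

apply() {
  check_filesets || return 1
  /usr/sbin/mkdev -c ipsec -t 4 || return 1
  /usr/sbin/mkfilt -v 4 -u -z P || return 1     # start with default action permit
  # Run each generated genfilt line; word splitting turns the line into argv.
  ruleset | while read -r cmd; do $cmd || exit 1; done || return 1
  /usr/sbin/mkfilt -v 4 -u || return 1          # activate the new rules
  /usr/sbin/lsfilt -v 4                         # show what is now defined
}

case "${1:-}" in
  apply) apply ;;
  *)     ruleset ;;   # dry run: print the rules that would be added
esac
```

Run it once without arguments to review the two genfilt lines, then `sh firewall.sh apply` as root, preferably from the console rather than over an ssh session that the permit rule would not cover.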

5. Conclusion
This article is only a small example of how to build the firewall. For more detailed information, consult the AIX documentation.
