
Sample firewall in AIX

Building a firewall under AIX is simple, but as with any host-based firewall it should be done carefully.
1. Prerequisites
To start the firewall in AIX you need a few packages installed:
- bos.msg.en_US.net.ipsec
- bos.net.ipsec.keymgt
- bos.net.ipsec.rte
- clic.rte.kernext
- clic.rte.lib

2. Start/Stop
To start the firewall, execute the following commands as root:

/usr/sbin/mkdev -c ipsec -t 4
/usr/sbin/mkfilt -v 4 -u -z P


To stop it, execute this command:

/usr/sbin/rmdev -l ipsec_v4

The above commands are for IPv4. For IPv6, read the manual pages from IBM.
3. Write first rule
Let's permit SSH access to this machine from everywhere and log all of the activity:

genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d my_local_IP -M 255.255.255.255   -g Y -c tcp -o any -p 0 -O eq -P 22 -r B -w I -l Y -f Y -i all
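But we want to block all other communication. As written, -c tcp makes this rule match TCP only; the deny rule in the listing in section 4 has protocol all.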

genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d my_local_IP -M 255.255.255.255 -g Y -c tcp -o any -p 0 -O any -P 0 -r B -w I -l N -f Y -i all

Then activate the rules:

mkfilt -v 4 -u
4. Check the activated rules

lsfilt -v 4 -O
1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all packets 0 all
2 *** Dynamic filter placement rule for IKE tunnels *** no
3 permit 0.0.0.0 0.0.0.0 my_local_IP 255.255.255.255 yes tcp any 0 eq 22 both both yes all packets 0 all
4 deny 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both no all packets 0 all
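
The listing above can also be checked mechanically. This is an added example, not part of the original post: a shell function that reads the space-separated column layout shown in this listing (an assumption about the output format; the names sample_rules and audit_filt are made up here) and reports permit rules open to any source, whether they are logged, and whether the final rule is a deny-all.

```shell
#!/bin/sh
# Added example: audit the rule listing printed by `lsfilt -v 4 -O`.
# Assumption: the space-separated column layout shown in section 4 of this page:
#  1 rule  2 action  3 src  4 src mask  5 dst  6 dst mask  7 source routing
#  8 protocol  9-10 src port op/value  11-12 dst port op/value  15 logging

# Constructed sample: the four rules from section 4, placeholder address kept.
sample_rules() {
cat <<'EOF'
1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all packets 0 all
2 *** Dynamic filter placement rule for IKE tunnels *** no
3 permit 0.0.0.0 0.0.0.0 my_local_IP 255.255.255.255 yes tcp any 0 eq 22 both both yes all packets 0 all
4 deny 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both no all packets 0 all
EOF
}

# audit_filt: read a listing on stdin, print one finding per line.
audit_filt() {
  awk '
    $2 == "***" { next }                 # dynamic IKE placement marker, not a rule
    NF < 15 { print "SKIP line " NR ": unexpected layout"; last_deny_all = 0; next }
    {
      any_src = ($3 == "0.0.0.0" && $4 == "0.0.0.0")
      any_dst = ($5 == "0.0.0.0" && $6 == "0.0.0.0")
      # Remember whether the most recent rule denies every protocol, host and port.
      last_deny_all = ($2 == "deny" && any_src && any_dst && $8 == "all" && $11 == "any")
      if ($2 == "permit" && any_src) {
        printf "OPEN rule %s: any -> %s %s port %s %s\n", $1, (any_dst ? "any" : $5), $8, $11, $12
        if ($15 != "yes")
          printf "NOLOG rule %s: permit from any source is not logged\n", $1
      }
    }
    END {
      if (last_deny_all) print "OK last rule denies everything else"
      else print "WARN final rule is not a deny-all"
    }'
}

# Stand-alone run on the constructed sample.
# On the AIX host: lsfilt -v 4 -O | audit_filt
sample_rules | audit_filt
```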

5. Conclusion
This article is just a sample of how to build the firewall. For more detailed information, please consult the AIX documentation.

Setting IP on Solaris - canonical way

To set an IP address in Solaris, first check that the network adapter exists. This can be done in several ways:

dmesg or from /var/adm/messages:

Sep 18 11:50:10 sun3 mac: [ID 469746 kern.info] NOTICE: e1000g3 registered


dladm:

e1000g3 link: up speed: 1000 Mbps duplex: full

prtconf:

dev_path=/pci@0,0/pci15ad,750@14:e1000g3 dev_link=/dev/e1000g3


Add a record for this IP/hostname to /etc/hosts:

10.0.1.32 yourhostname


Set the netmask for this IP in /etc/netmasks:
10.0.1.0 255.255.255.0

The next step is to create the file hostname.e1000g3 in /etc with this content:

yourhostname netmask + broadcast + up

The previous three steps ensure that the interface comes up when the system boots.

Plumb the interface:

ifconfig e1000g3 plumb

And get it up and running:

ifconfig e1000g3 `cat /etc/hostname.e1000g3`

To set your default gateway, create the file /etc/defaultrouter and put the IP address of your gateway inside it.

Should I trust AI

 Should I trust AI? So far no, sorry.  I tested for the moment (May, 2025) most advanced model for programming and ask very simple question:...