标签：10.0 filtering AIX Simple 0.0 server en0 client ipsec

In this example :
- One server with IP address (10.0.0.1) configured on en0 logical interface
IPSEC Rules :
- PERMIT SSH request to server (10.0.0.1) from only one client (10.0.0.2)
- DENY and "LOG" all other SSH connections
- DENY ALL packets

Prerequisites

To start firewall in AIX you need few packages to be installed:

- bos.msg.en_US.net.ipsec
- bos.net.ipsec.keymgt
- bos.net.ipsec.rte
- clic.rte.kernext
- clic.rte.lib

Recommandations
- Use TTY or VTY connections for the first AIX filtering configuration.
- add client hostname in /etc/hosts server
- Use hostname in genfilt rules for this example.

- check IP host resolution

# host server
server is 10.0.0.1

# host client
client is 10.0.0.2

Prepared syslog to record logs of rejected packets

# echo "local4.debug /var/adm/ipsec.log rotate size 100k files 4" >> /etc/syslog.conf
# touch /var/adm/ipsec.log
# refresh -s syslogd

Backup old rules

# lsfilt -v4 >> /tmp/lsfilt.bkp

Example of IPSec rules script

#!/usr/bin/ksh

# Remove all user rules
rmfilt -v 4 -n all

# Activate rules
mkfilt -v 4 -u

# Stop ipv4 LOG
mkfilt -v 4 -g stop

# DENY ALL
mkfilt -v 4 -u -z D

# PERMIT SSH request from client to server on en0 interface
genfilt -v 4 -a P -s client -d server -g N -c tcp -o gt -p 1023 -O eq -P 22 -r L -w I -l N -f Y -i en0

# PERMIT SSH  answer from server to client on en0 interface
genfilt -v 4 -a P -s server -d client -g N -c tcp/ack -o eq -p 22 -O gt -P 1023 -r L -w O -l N -f Y -i en0

# DENY and LOG all other SSH request on en0 interface
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -g N -c tcp -O eq -P 22 -r L -w I -l Y -f Y -i en0

# Activate rules
mkfilt -v 4 -u

# start ipv4 LOG to /var/adm/ipsec.log
mkfilt -v4 -g start

# Display Rules list
lsfilt -v4 -O

In ipsec.log trace below you can see that 10.0.0.5 is not authorised to request SSH server.

#tail -f /var/adm/ipsec.log

Feb 15 16:16:57 server local4:notice ipsec_logd: Filter logging daemon ipsec_logd (level 2.20) initialized at 16:16:57 on 02/15/13
Feb 15 16:17:10 server local4:info ipsec_logd: #:4 R:d  I:10.0.0.1 S:10.0.0.5 D:10.0.0.1 P:tcp/ack SP:34804 DP:22 R:l I:en0 F:n T:0 L:44

Source:

http://www.ibm.com/developerworks/aix/library/au-aixfiltering/index.html

http://it.toolbox.com/blogs/unix-swing/sample-firewall-in-aix-48146

标签：10.0,filtering,AIX,Simple,0.0,server,en0,client,ipsec
来源： https://blog.csdn.net/allway2/article/details/100594046

本站声明： 1. iCode9 技术分享网（下文简称本站）提供的所有内容，仅供技术学习、探讨和分享；
2. 关于本站的所有留言、评论、转载及引用，纯属内容发起人的个人观点，与本站观点和立场无关；
3. 关于本站的所有言论和文字，纯属内容发起人的个人观点，与本站观点和立场无关；
4. 本站文章均是网友提供，不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属；如您发现该文章侵犯了您的权益，可联系我们第一时间进行删除；
5. 本站为非盈利性的个人网站，所有内容不会用来进行牟利，也不会利用任何形式的广告来间接获益，纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。