ipfilter howto
Toth
« Reply #4 on: August 21, 2008, 06:12:58 AM »

Hi!
I want to filter just some ports, and don't want to change any others.
Thanks for your reply!
Toth
Michael
« Reply #3 on: August 19, 2008, 01:11:22 PM »

Glad you got it working - especially using SMIT. I have only used SMIT for configuring the bos.net.ipsec filesets. Your command layout looks quite different from what I am used to.

On my server I have a layout looking like this:

lsfilt -v4 -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|192.168.129.0|255.255.255.0|192.168.129.0|255.255.255.0|no|all|any|0|any|0|both|both|no|all packets|0|en0
4|permit|192.168.129.0|255.255.255.0|0.0.0.0|0.0.0.0|no|tcp/ack|any|0|any|0|local|outbound|no|all packets|0|en0
5|permit|0.0.0.0|0.0.0.0|192.168.129.0|255.255.255.128|no|tcp/ack|any|0|any|0|local|inbound|no|all packets|0|en0
6|permit|192.168.129.121|255.255.255.0|192.168.129.121|255.255.255.0|no|tcp|eq|22|any|0|both|both|no|all packets|0|en0
7|permit|192.168.129.121|255.255.255.128|192.168.129.121|255.255.255.128|no|tcp|any|0|eq|22|both|both|no|all packets|0|en0
8|permit|192.168.129.121|255.255.255.128|192.168.129.121|255.255.255.128|no|tcp|any|0|any|0|both|both|no|all packets|0|en0
9|permit|AAA.BBB.127.0|255.255.0.0|192.168.129.121|255.255.255.255|yes|tcp|gt|1023|eq|25|local|inbound|no|all packets|0|en0
10|permit|AAA.BBB.24.0|255.255.255.0|192.168.129.121|255.255.255.255|yes|tcp|gt|1023|eq|25|local|inbound|no|all packets|0|en0
11|permit|192.168.129.121|255.255.255.255|0.0.0.0|255.255.255.255|yes|tcp|eq|25|gt|1023|local|outbound|no|all packets|0|en0
12|permit|AAA.BBB.73.0|255.255.255.0|192.168.129.121|255.255.255.255|no|tcp|gt|1023|eq|25|local|inbound|no|all packets|0|en0
13|permit|AAA.BBB.202.28|255.255.255.255|0.0.0.0|0.0.0.0|no|tcp|gt|1023|eq|25|local|inbound|yes|all packets|0|en0
14|permit|AAA.BBB.175.114|255.255.255.255|192.168.129.121|255.255.255.255|no|tcp|gt|1023|eq|25|local|inbound|yes|all packets|0|en0
15|permit|AAA.BBB.29.65|255.255.255.192|192.168.129.121|255.255.255.255|no|tcp|any|0|eq|25|both|both|yes|all packets|0|en0
16|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|tcp|any|0|eq|25|both|inbound|yes|all packets|0|all
17|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|tcp/ack|any|0|any|0|local|outbound|no|all packets|0|en0
18|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|tcp|any|0|any|0|local|inbound|yes|all packets|0|en0
19|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|en0
0|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all


Rules 3-8 are for local traffic; 9-16 are for SMTP traffic I permit (16 is actually my deny-all rule, so I could log attempts); 17-18 were test rules for setting up inbound and outbound traffic; and rule 19 was to log all other traffic, so I could find traffic I wanted to permit but that was not being caught in an earlier rule.
Rule 0 is the 'official' default rule.

Besides ipfiltering (based on AIX bos.net.ipsec, not a package named ipfilter), I also use a tool of John's that monitors failed logins, etc. to dynamically add rules for improper activity, and optionally delete the rules after a certain delay.
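As an added example (not code from the thread or from AIX), here is a small first-match evaluator for the pipe-delimited `lsfilt -v4 -O` listing above, so a rule order can be dry-run against a test packet before it is activated. The field order is assumed to mirror genfilt's flag order, the sample table is constructed from the listing with 203.0.113.0/24 standing in for the AAA.BBB.x.0 networks, and scope, fragment and tunnel fields are not modelled.

```python
import ipaddress

# Assumed field order, mirroring genfilt's flag order as seen in the listing above:
# id|action|src|smask|dst|dmask|srcroute|proto|sop|sport|dop|dport|scope|dir|log|frag|tunnel|ifc
FIELDS = ("id", "action", "src", "smask", "dst", "dmask", "srcroute", "proto", "sop",
          "sport", "dop", "dport", "scope", "direction", "log", "frag", "tunnel", "ifc")

# Constructed sample modelled on the listing above; 203.0.113.0/24 stands in for AAA.BBB.x.0.
SAMPLE = """\
3|permit|192.168.129.0|255.255.255.0|192.168.129.0|255.255.255.0|no|all|any|0|any|0|both|both|no|all packets|0|en0
9|permit|203.0.113.0|255.255.255.0|192.168.129.121|255.255.255.255|yes|tcp|gt|1023|eq|25|local|inbound|no|all packets|0|en0
16|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|tcp|any|0|eq|25|both|inbound|yes|all packets|0|all
19|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|en0
0|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all
"""

def parse_lsfilt(text):
    """Parse 'lsfilt -v4 -O' lines; the IKE placement marker has fewer fields and is skipped."""
    rules = []
    for line in text.strip().splitlines():
        parts = line.split("|")
        if len(parts) == len(FIELDS):
            rules.append(dict(zip(FIELDS, parts)))
    return rules

def _addr_match(addr, net, mask):
    # A 0.0.0.0 mask matches any host, whatever the address field says.
    a, n, m = (int(ipaddress.IPv4Address(x)) for x in (addr, net, mask))
    return (a & m) == (n & m)

def _port_match(op, want, have):
    want = int(want)
    return {"any": True, "eq": have == want, "neq": have != want, "lt": have < want,
            "le": have <= want, "gt": have > want, "ge": have >= want}[op]

def _proto_match(rule_proto, proto):
    # 'tcp' covers every TCP segment; 'tcp/ack' only segments with ACK set.
    return rule_proto in ("all", proto) or (rule_proto == "tcp" and proto == "tcp/ack")

def first_match(rules, src, dst, proto, sport, dport, direction, ifc):
    """Id and action of the first matching rule in listing order (rule 0 is listed last).
    Scope (local/route), fragment handling and tunnel id are not modelled here."""
    for r in rules:
        if (_proto_match(r["proto"], proto)
                and _addr_match(src, r["src"], r["smask"]) and _addr_match(dst, r["dst"], r["dmask"])
                and _port_match(r["sop"], r["sport"], sport) and _port_match(r["dop"], r["dport"], dport)
                and r["direction"] in ("both", direction) and r["ifc"] in ("all", ifc)):
            return r["id"], r["action"]
    return None
```

Running `first_match(parse_lsfilt(SAMPLE), "198.51.100.9", "192.168.129.121", "tcp", 40000, 25, "inbound", "en0")` lands on rule 16 (deny), while the same packet from the local 192.168.129.0/24 network is accepted by rule 3 before the SMTP rules are ever consulted.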
Toth
« Reply #2 on: August 18, 2008, 06:15:32 AM »

Hi!
I solved my problem. The working rules are in the rows below:
4   165    permit    remoteip   255.255.255.255   localip   255.255.255.255 y all any 0 eq    1414   all local both yes yes 0 no 0 patt_none
4   166    permit    remoteip   255.255.255.255   localip   255.255.255.255 y all any 0 eq    1415   all local both yes yes 0 no 0 patt_none
4   167   deny    0.0.0.0    0.0.0.0    localip   0.0.0.0 y all any 0 eq     1414   all both  both     yes yes 0 no 0 patt_none
4   168   deny    0.0.0.0    0.0.0.0    localip   0.0.0.0 y all any 0 eq     1415   all both  both     yes yes 0 no 0 patt_none

Thanks!
Toth

Yes, I installed ipfilter from the extension DVD, and use these menus:
smit/Communications Applications and Services/TCP/IP/Configure IP Security (IPv4)
Michael
« Reply #1 on: August 17, 2008, 03:12:59 PM »

If it is only filtering, you could use bos.net.ipsec instead. However, if you need NAT functionality - I'll need to study as well.

p.s. I assume you mean ipfilter from the extension CD, or as a download.
Toth
« on: August 16, 2008, 05:59:45 AM »

Hi!
I am trying to use ipfilter under AIX 5.3 TL6, but I don't understand the filter rules.
I want to filter one port's packets.
First deny all packets to port number 1058 from all hosts, and allow connections from some host to 1058.
genfilt -v 4 -a P -s LOCALIP -m 255.255.255.255 -d REMOTEIP -M 255.255.255.255 -g Y -c all -o any -p 0 -O eq -P 1058 -r L -w O -l Y -f Y -i all
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d LOCALIP -M 0.0.0.0 -g Y -c any -o any -p 0 -O eq -P 1058 -r B -w B -l Y -f Y -i all

Please help me correct these rules!
Thanks!
Toth
« Last Edit: August 16, 2008, 06:41:53 AM by Toth »
Copyright 2001-2008 Michael Felt and ROOTVG.NET