Title: ipfilter howto
Post by: Toth on August 16, 2008, 05:59:45 AM

Hi!

I am trying to use ipfilter under AIX 5.3 TL6, but I don't understand the filter rules. I want to filter the packets of one port: first deny all packets to port 1058 from all hosts, then allow connections from some hosts to 1058.

genfilt -v 4 -a P -s LOCALIP -m 255.255.255.255 -d REMOTEIP -M 255.255.255.255 -g Y -c all -o any -p 0 -O eq -P 1058 -r L -w O -l Y -f Y -i all
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d LOCALIP -M 0.0.0.0 -g Y -c any -o any -p 0 -O eq -P 1058 -r B -w B -l Y -f Y -i all

Please help me correct these rules!

Thanks!
Toth

Title: Re: ipfilter howto
Post by: Michael on August 17, 2008, 03:12:59 PM

If it is only filtering, you could use bos.net.ipsec instead. However, if you need NAT functionality, I'll need to study that as well.

p.s. I assume you mean ipfilter from the extension CD, or as a download.

Title: Re: ipfilter howto
Post by: Toth on August 18, 2008, 06:15:32 AM

Hi!
I solved my problem. The working rules are the rows below:

4 165 permit remoteip 255.255.255.255 localip 255.255.255.255 y all any 0 eq 1414 all local both yes yes 0 no 0 patt_none
4 166 permit remoteip 255.255.255.255 localip 255.255.255.255 y all any 0 eq 1415 all local both yes yes 0 no 0 patt_none
4 167 deny 0.0.0.0 0.0.0.0 localip 0.0.0.0 y all any 0 eq 1414 all both both yes yes 0 no 0 patt_none
4 168 deny 0.0.0.0 0.0.0.0 localip 0.0.0.0 y all any 0 eq 1415 all both both yes yes 0 no 0 patt_none

Thanks!
Toth

Yes, I installed ipfilter from the extension DVD, and used these menus: smit / Communications Applications and Services / TCP/IP / Configure IP Security (IPv4)

Title: Re: ipfilter howto
Post by: Michael on August 19, 2008, 01:11:22 PM

Glad you got it working - especially using SMIT. I have only used SMIT for configuring the bos.net.ipsec filesets. Your command layout looks quite different from what I am used to.
On my server I have a layout looking like this:

lsfilt -v4 -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|192.168.129.0|255.255.255.0|192.168.129.0|255.255.255.0|no|all|any|0|any|0|both|both|no|all packets|0|en0
4|permit|192.168.129.0|255.255.255.0|0.0.0.0|0.0.0.0|no|tcp/ack|any|0|any|0|local|outbound|no|all packets|0|en0
5|permit|0.0.0.0|0.0.0.0|192.168.129.0|255.255.255.128|no|tcp/ack|any|0|any|0|local|inbound|no|all packets|0|en0
6|permit|192.168.129.121|255.255.255.0|192.168.129.121|255.255.255.0|no|tcp|eq|22|any|0|both|both|no|all packets|0|en0
7|permit|192.168.129.121|255.255.255.128|192.168.129.121|255.255.255.128|no|tcp|any|0|eq|22|both|both|no|all packets|0|en0
8|permit|192.168.129.121|255.255.255.128|192.168.129.121|255.255.255.128|no|tcp|any|0|any|0|both|both|no|all packets|0|en0
9|permit|AAA.BBB.127.0|255.255.0.0|192.168.129.121|255.255.255.255|yes|tcp|gt|1023|eq|25|local|inbound|no|all packets|0|en0
10|permit|AAA.BBB.24.0|255.255.255.0|192.168.129.121|255.255.255.255|yes|tcp|gt|1023|eq|25|local|inbound|no|all packets|0|en0
11|permit|192.168.129.121|255.255.255.255|0.0.0.0|255.255.255.255|yes|tcp|eq|25|gt|1023|local|outbound|no|all packets|0|en0
12|permit|AAA.BBB.73.0|255.255.255.0|192.168.129.121|255.255.255.255|no|tcp|gt|1023|eq|25|local|inbound|no|all packets|0|en0
13|permit|AAA.BBB.202.28|255.255.255.255|0.0.0.0|0.0.0.0|no|tcp|gt|1023|eq|25|local|inbound|yes|all packets|0|en0
14|permit|AAA.BBB.175.114|255.255.255.255|192.168.129.121|255.255.255.255|no|tcp|gt|1023|eq|25|local|inbound|yes|all packets|0|en0
15|permit|AAA.BBB.29.65|255.255.255.192|192.168.129.121|255.255.255.255|no|tcp|any|0|eq|25|both|both|yes|all packets|0|en0
16|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|tcp|any|0|eq|25|both|inbound|yes|all packets|0|all
17|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|tcp/ack|any|0|any|0|local|outbound|no|all packets|0|en0
18|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|tcp|any|0|any|0|local|inbound|yes|all packets|0|en0
19|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|en0
0|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all

Rules 3-8 are for local traffic, 9-16 are for the SMTP traffic I permit (16 is actually my deny-all rule, so I could log attempts), 17-18 were test rules for setting up inbound and outbound traffic, and rule 19 was to log all other traffic, so I could find traffic I wanted to permit that was not being caught by an earlier rule. Rule 0 is the 'official' default rule.

Besides ipfiltering (based on AIX bos.net.ipsec, not a package named ipfilter), I also use a tool of John's that monitors failed logins, etc. to dynamically add rules for improper activity, and optionally delete the rules after a certain delay.

Title: Re: ipfilter howto
Post by: Toth on August 21, 2008, 06:12:58 AM

Hi!
I want to filter just some ports, and don't want to change anything else.

Thanks for your reply!
Toth
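Editor's note, added to the thread: both working tables above put the host-specific permit rules ahead of the port-wide deny, and Michael's listing ends with the default deny rule 0. That only works if the AIX filter module evaluates the active table top to bottom and applies the first rule that matches, which is what the example below assumes. It is a small Python simulator that reads the pipe-delimited layout of `lsfilt -v4 -O` (field order taken from Michael's listing, which mirrors the genfilt option order) and replays a packet against a table. It is not part of the original posts and not a tool shipped with AIX; the addresses (192.0.2.10 for the AIX host, 203.0.113.5 for the one permitted remote host, 198.51.100.7 for anyone else) are constructed RFC 5737 documentation addresses standing in for Toth's LOCALIP and REMOTEIP, and the tables are constructed to mirror his port-1058 case with a "leave every other port alone" permit before rule 0.

```python
"""First-match simulator for AIX IP Security (bos.net.ipsec) filter tables.

Reads the `lsfilt -v4 -O` layout and replays a packet against the table top
to bottom, stopping at the first matching rule. Constructed example for the
thread above; not a tool shipped with AIX.
"""
import ipaddress
from dataclasses import dataclass

# Field order of `lsfilt -v4 -O`, mirroring the genfilt option order:
# rule|action|src|smask|dst|dmask|srcroute|proto|sop|sport|dop|dport|
# scope|direction|log|fragment|tunnel|interface
FIELDS = ("rule", "action", "src", "smask", "dst", "dmask", "srcroute",
          "proto", "sop", "sport", "dop", "dport", "scope", "direction",
          "log", "fragment", "tunnel", "interface")

PORT_OPS = {
    "any": lambda have, want: True,
    "eq": lambda have, want: have == want,
    "neq": lambda have, want: have != want,
    "lt": lambda have, want: have < want,
    "le": lambda have, want: have <= want,
    "gt": lambda have, want: have > want,
    "ge": lambda have, want: have >= want,
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int
    dport: int
    direction: str        # "inbound" or "outbound"
    interface: str = "en0"
    ack: bool = False     # TCP ACK bit, what a "tcp/ack" rule keys on
    scope: str = "local"  # "local" = addressed to this host, "route" = forwarded


def parse_lsfilt(text):
    """Return the rules of an `lsfilt -v4 -O` listing as dicts, in table order."""
    rules = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != len(FIELDS):
            continue  # blank lines and the IKE placement marker carry no fields
        rules.append(dict(zip(FIELDS, parts)))
    return rules


def addr_match(pkt_addr, rule_addr, rule_mask):
    """(packet & mask) == (rule & mask); a 0.0.0.0 mask therefore matches any address."""
    p = int(ipaddress.IPv4Address(pkt_addr))
    r = int(ipaddress.IPv4Address(rule_addr))
    m = int(ipaddress.IPv4Address(rule_mask))
    return (p & m) == (r & m)


def proto_match(pkt, rule_proto):
    if rule_proto == "all":
        return True
    if rule_proto == "tcp/ack":
        return pkt.proto == "tcp" and pkt.ack
    return pkt.proto == rule_proto


def rule_matches(rule, pkt):
    return (addr_match(pkt.src, rule["src"], rule["smask"])
            and addr_match(pkt.dst, rule["dst"], rule["dmask"])
            and proto_match(pkt, rule["proto"])
            and PORT_OPS[rule["sop"]](pkt.sport, int(rule["sport"]))
            and PORT_OPS[rule["dop"]](pkt.dport, int(rule["dport"]))
            and rule["scope"] in ("both", pkt.scope)
            and rule["direction"] in ("both", pkt.direction)
            and rule["interface"] in ("all", pkt.interface))


def evaluate(rules, pkt):
    """Return (action, rule number) of the first rule that matches pkt."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"], int(rule["rule"])
    return "deny", 0  # the built-in default rule 0 catches everything else


# Constructed tables for Toth's case (RFC 5737 addresses): 192.0.2.10 is the
# AIX host, 203.0.113.5 the one remote host allowed to reach TCP port 1058.
# Rule 4 leaves every other port alone; rule 0 is the default as lsfilt prints it.
PERMIT_1058 = "permit|203.0.113.5|255.255.255.255|192.0.2.10|255.255.255.255|yes|tcp|any|0|eq|1058|local|inbound|yes|all packets|0|all"
DENY_1058 = "deny|0.0.0.0|0.0.0.0|192.0.2.10|255.255.255.255|yes|tcp|any|0|eq|1058|both|inbound|yes|all packets|0|all"
MARKER = "2|*** Dynamic filter placement rule for IKE tunnels ***|no"
REST = ("4|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all\n"
        "0|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all\n")
GOOD_ORDER = "\n".join([f"1|{PERMIT_1058}", MARKER, f"3|{DENY_1058}", REST])  # permit before deny
BAD_ORDER = "\n".join([f"1|{DENY_1058}", MARKER, f"3|{PERMIT_1058}", REST])   # deny shadows the permit

if __name__ == "__main__":
    allowed = Packet("203.0.113.5", "192.0.2.10", "tcp", 40000, 1058, "inbound")
    for name, table in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(name, evaluate(parse_lsfilt(table), allowed))
```

Run against the good table, the permitted host's SYN to 1058 hits rule 1 and any other source hits the deny in rule 3, while an SSH connection falls through to the catch-all permit in rule 4. Swap the two rules and the same SYN is denied by rule 1 before the permit is ever consulted, which is the mistake a table like Toth's first attempt invites; running `lsfilt -v4 -O` output through a check like this before `mkfilt -u` activates the table is cheaper than locking yourself out.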