Topic: ipfilter howto (Read 1348 times)
Toth (Full Member, Posts: 22) - Re: ipfilter howto - Reply #4 on: August 21, 2008, 06:12:58 AM
Hi!
I want to filter just some ports, and don't want to change any others.
Thanks for your reply!
Toth
Michael (Administrator, Hero Member, Posts: 526) - Re: ipfilter howto - Reply #3 on: August 19, 2008, 01:11:22 PM
Glad you got it working - especially using SMIT. I have only used SMIT for configuring the bos.net.ipsec filesets. Your command layout looks quite different from what I am used to.
On my server I have a layout looking like this:
lsfilt -v4 -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|192.168.129.0|255.255.255.0|192.168.129.0|255.255.255.0|no|all|any|0|any|0|both|both|no|all packets|0|en0
4|permit|192.168.129.0|255.255.255.0|0.0.0.0|0.0.0.0|no|tcp/ack|any|0|any|0|local|outbound|no|all packets|0|en0
5|permit|0.0.0.0|0.0.0.0|192.168.129.0|255.255.255.128|no|tcp/ack|any|0|any|0|local|inbound|no|all packets|0|en0
6|permit|192.168.129.121|255.255.255.0|192.168.129.121|255.255.255.0|no|tcp|eq|22|any|0|both|both|no|all packets|0|en0
7|permit|192.168.129.121|255.255.255.128|192.168.129.121|255.255.255.128|no|tcp|any|0|eq|22|both|both|no|all packets|0|en0
8|permit|192.168.129.121|255.255.255.128|192.168.129.121|255.255.255.128|no|tcp|any|0|any|0|both|both|no|all packets|0|en0
9|permit|AAA.BBB.127.0|255.255.0.0|192.168.129.121|255.255.255.255|yes|tcp|gt|1023|eq|25|local|inbound|no|all packets|0|en0
10|permit|AAA.BBB.24.0|255.255.255.0|192.168.129.121|255.255.255.255|yes|tcp|gt|1023|eq|25|local|inbound|no|all packets|0|en0
11|permit|192.168.129.121|255.255.255.255|0.0.0.0|255.255.255.255|yes|tcp|eq|25|gt|1023|local|outbound|no|all packets|0|en0
12|permit|AAA.BBB.73.0|255.255.255.0|192.168.129.121|255.255.255.255|no|tcp|gt|1023|eq|25|local|inbound|no|all packets|0|en0
13|permit|AAA.BBB.202.28|255.255.255.255|0.0.0.0|0.0.0.0|no|tcp|gt|1023|eq|25|local|inbound|yes|all packets|0|en0
14|permit|AAA.BBB.175.114|255.255.255.255|192.168.129.121|255.255.255.255|no|tcp|gt|1023|eq|25|local|inbound|yes|all packets|0|en0
15|permit|AAA.BBB.29.65|255.255.255.192|192.168.129.121|255.255.255.255|no|tcp|any|0|eq|25|both|both|yes|all packets|0|en0
16|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|tcp|any|0|eq|25|both|inbound|yes|all packets|0|all
17|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|tcp/ack|any|0|any|0|local|outbound|no|all packets|0|en0
18|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|tcp|any|0|any|0|local|inbound|yes|all packets|0|en0
19|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|en0
0|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all
Rules 3-8 are for local traffic, 9-16 are for SMTP traffic I permit, 16 is actually my deny all rule - so I could log attempts, 17-18 were test rules for setting up inbound and outbound traffic, and rule 19 was to log all other traffic - so I could find traffic I wanted to permit, but was not being caught in an earlier rule.
Rule 0 is the 'official' default rule.
Besides ipfiltering (based on AIX bos.net.ipsec, not a package named ipfilter), I also use a tool of John's that monitors failed logins, etc. to dynamically add rules for improper activity, and optionally delete the rules after a certain delay.
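The listing above is evaluated top to bottom and the first matching rule decides, which is why the permits for specific SMTP sources sit before the deny on port 25. The following is an added example, not code from the thread or from AIX: it parses the pipe-delimited lsfilt -v4 -O format as I read it from the post and reports the first hit for a given packet. The field order, the constructed listing and the 198.51.100.x / 203.0.113.x addresses (standing in for the AAA.BBB networks) are assumptions.

```python
"""Walk lsfilt -v4 -O output with first-match semantics (added example, not from the thread)."""
import ipaddress

# Field order is my reading of the listing posted above (assumption): rule|action|src|src_mask|
# dst|dst_mask|src_routing|proto|src_op|src_port|dst_op|dst_port|scope|direction|log|frag|tunnel|iface
OPS = {"any": lambda p, v: True, "eq": lambda p, v: p == v, "neq": lambda p, v: p != v,
       "lt": lambda p, v: p < v, "gt": lambda p, v: p > v,
       "le": lambda p, v: p <= v, "ge": lambda p, v: p >= v}

def parse_rules(text):
    """Return rules in listing order; the IKE placement marker line is skipped."""
    rules = []
    for line in text.strip().splitlines():
        f = line.split("|")
        if len(f) < 18:  # e.g. "2|*** Dynamic filter placement rule for IKE tunnels ***|no"
            continue
        rules.append({
            "num": int(f[0]), "action": f[1],
            "src": ipaddress.ip_network(f"{f[2]}/{f[3]}", strict=False),
            "dst": ipaddress.ip_network(f"{f[4]}/{f[5]}", strict=False),
            "proto": f[7], "sop": f[8], "sport": int(f[9]), "dop": f[10], "dport": int(f[11]),
            "direction": f[13], "log": f[14] == "yes", "iface": f[17]})
    return rules

def first_match(rules, src, dst, proto, sport, dport, direction):
    """First rule that matches the packet; AIX stops at the first hit, so order decides.
    Pass proto="tcp/ack" for ACK-flagged segments to let tcp/ack rules match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r["proto"] in ("all", proto) and r["direction"] in ("both", direction)
                and s in r["src"] and d in r["dst"]
                and OPS[r["sop"]](sport, r["sport"]) and OPS[r["dop"]](dport, r["dport"])):
            return r
    return None

# Constructed listing modelled on the thread's output; 198.51.100.0/24 and 203.0.113.0/24
# are documentation ranges standing in for the AAA.BBB networks in the post.
SAMPLE = """\
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|198.51.100.0|255.255.255.0|192.168.129.121|255.255.255.255|yes|tcp|gt|1023|eq|25|local|inbound|no|all packets|0|en0
4|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|tcp|any|0|eq|25|both|inbound|yes|all packets|0|all
5|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|en0
0|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all
"""

if __name__ == "__main__":
    for src in ("198.51.100.7", "203.0.113.9"):  # inside and outside the permitted net
        r = first_match(parse_rules(SAMPLE), src, "192.168.129.121", "tcp", 40000, 25, "inbound")
        print(f"SMTP from {src}: rule {r['num']} {r['action']}, logged={r['log']}")
```

Swapping rules 3 and 4 in SAMPLE makes the permitted network hit the deny first, which is the ordering mistake the thread is working around.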
Toth (Full Member, Posts: 22) - Re: ipfilter howto - Reply #2 on: August 18, 2008, 06:15:32 AM
Hi!
I solved my problem. The working rules are in the rows below:
4 165 permit remoteip 255.255.255.255 localip 255.255.255.255 y all any 0 eq 1414 all local both yes yes 0 no 0 patt_none
4 166 permit remoteip 255.255.255.255 localip 255.255.255.255 y all any 0 eq 1415 all local both yes yes 0 no 0 patt_none
4 167 deny 0.0.0.0 0.0.0.0 localip 0.0.0.0 y all any 0 eq 1414 all both both yes yes 0 no 0 patt_none
4 168 deny 0.0.0.0 0.0.0.0 localip 0.0.0.0 y all any 0 eq 1415 all both both yes yes 0 no 0 patt_none
Thanks!
Toth
Yes, I installed ipfilter from the extension DVD, and use these menus:
smit/Communications Applications and Services/TCP/IP/Configure IP Security (IPv4)
Michael (Administrator, Hero Member, Posts: 526) - Re: ipfilter howto - Reply #1 on: August 17, 2008, 03:12:59 PM
If it is only filtering, you could use bos.net.ipsec instead. However, if you need NAT functionality - I'll need to study as well.
p.s. I assume you mean ipfilter from the extension CD, or as a download.
Toth (Full Member, Posts: 22) - ipfilter howto - on: August 16, 2008, 05:59:45 AM
Hi!
I am trying to use ipfilter under AIX 5.3 TL6, but I don't understand the filter rules.
I want to filter the packets of one port.
First deny all packets to port number 1058 from all hosts, and allow connections from some hosts to 1058.
genfilt -v 4 -a P -s LOCALIP -m 255.255.255.255 -d REMOTEIP -M 255.255.255.255 -g Y -c all -o any -p 0 -O eq -P 1058 -r L -w O -l Y -f Y -i all
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d LOCALIP -M 0.0.0.0 -g Y -c any -o any -p 0 -O eq -P 1058 -r B -w B -l Y -f Y -i all
Please help me correct these rules!
Thanks!
Toth
« Last Edit: August 16, 2008, 06:41:53 AM by Toth »
Copyright 2001-2008 Michael Felt and ROOTVG.NET