unixadmin.free.fr just another IBM blog and technotes backup


Simple AIX ipv4 filtering configuration – memo

In this example:
- One server with IP address ( configured on the en0 logical interface
IPsec filter rules:
- PERMIT SSH requests to the server ( from only one client (
- DENY and LOG all other SSH connections
- DENY all other packets


To use IP filtering on AIX, the following filesets must be installed:

- bos.msg.en_US.net.ipsec
- bos.net.ipsec.keymgt
- bos.net.ipsec.rte
- clic.rte.kernext
- clic.rte.lib

- Use a TTY or VTY connection for the first AIX filtering configuration, so that a rule mistake cannot lock you out of the server.
- Add the client hostname to /etc/hosts on the server.
- Hostnames are used in the genfilt rules in this example.

- Check IP host resolution:

# host server
server is

# host client
client is

Prepare syslog to record the rejected packets:

# echo "local4.debug /var/adm/ipsec.log rotate size 100k files 4" >> /etc/syslog.conf
# touch /var/adm/ipsec.log
# refresh -s syslogd

Back up the existing rules:

# lsfilt -v 4 >> /tmp/lsfilt.bkp

Example IPsec filter rule script:


# Remove all user-defined IPv4 rules
rmfilt -v 4 -n all

# Activate the (now empty) rule set
mkfilt -v 4 -u

# Stop IPv4 filter logging
mkfilt -v 4 -g stop

# Set the default rule action to DENY and activate it
mkfilt -v 4 -u -z D

# PERMIT SSH requests from client to server on the en0 interface (inbound)
genfilt -v 4 -a P -s client -d server -g N -c tcp -o gt -p 1023 -O eq -P 22 -r L -w I -l N -f Y -i en0

# PERMIT SSH answers from server to client on the en0 interface (outbound)
genfilt -v 4 -a P -s server -d client -g N -c tcp/ack -o eq -p 22 -O gt -P 1023 -r L -w O -l N -f Y -i en0

# DENY and LOG all other SSH requests on the en0 interface
genfilt -v 4 -a D -s -m -d -M -g N -c tcp -O eq -P 22 -r L -w I -l Y -f Y -i en0

# Activate the rules
mkfilt -v 4 -u

# Start IPv4 filter logging to /var/adm/ipsec.log
mkfilt -v 4 -g start

# Display the rule list
lsfilt -v 4 -O

In the ipsec.log trace below you can see a client that is not authorised to connect to the SSH server being denied by rule #4.

# tail -f /var/adm/ipsec.log

Feb 15 16:16:57 server local4:notice ipsec_logd: Filter logging daemon ipsec_logd (level 2.20) initialized at 16:16:57 on 02/15/13
Feb 15 16:17:10 server local4:info ipsec_logd: #:4 R:d  I: S: D: P:tcp/ack SP:34804 DP:22 R:l I:en0 F:n T:0 L:44
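As an added example that is not part of the original memo, the shell function below parses ipsec_logd lines in the format shown above and summarises the denied SSH sources. The addresses in the sample lines are constructed; the sample also includes a permitted (R:p) entry, which would only be logged if a permit rule were created with -l Y.

```shell
#!/bin/sh
# Added example (not from the original memo): summarise the DENY entries that
# ipsec_logd writes to /var/adm/ipsec.log, grouped by source address.
# Field layout follows the log line shown above: "#:" rule number, the first
# "R:" is the action (p = permit, d = deny), "S:" source, "D:" destination,
# "P:" protocol, "SP:"/"DP:" source/destination port, the second "I:" interface.
# The addresses below are constructed sample values (TEST-NET ranges).

SAMPLE_LOG='Feb 15 16:16:57 server local4:notice ipsec_logd: Filter logging daemon ipsec_logd (level 2.20) initialized at 16:16:57 on 02/15/13
Feb 15 16:17:10 server local4:info ipsec_logd: #:4 R:d I:192.0.2.10 S:192.0.2.50 D:192.0.2.10 P:tcp SP:34804 DP:22 R:l I:en0 F:n T:0 L:60
Feb 15 16:17:12 server local4:info ipsec_logd: #:4 R:d I:192.0.2.10 S:192.0.2.50 D:192.0.2.10 P:tcp SP:34805 DP:22 R:l I:en0 F:n T:0 L:60
Feb 15 16:18:03 server local4:info ipsec_logd: #:4 R:d I:192.0.2.10 S:198.51.100.7 D:192.0.2.10 P:tcp SP:51022 DP:22 R:l I:en0 F:n T:0 L:60
Feb 15 16:18:09 server local4:info ipsec_logd: #:2 R:p I:192.0.2.10 S:192.0.2.20 D:192.0.2.10 P:tcp SP:40110 DP:22 R:l I:en0 F:n T:0 L:60'

# denied_by_source PORT : read ipsec_logd lines on stdin and print "count source"
# for every source whose packets to destination port PORT were denied,
# most frequent first.
denied_by_source() {
    awk -v port="$1" '
        /ipsec_logd: #:/ {
            action = ""; src = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                # only the first R: field is the action; the later one is the route
                if ($i ~ /^R:/ && action == "") action = substr($i, 3)
                if ($i ~ /^S:/)  src   = substr($i, 3)
                if ($i ~ /^DP:/) dport = substr($i, 4)
            }
            if (action == "d" && dport == port) count[src]++
        }
        END { for (s in count) print count[s], s }
    ' | sort -rn
}

# Stand-alone run over the constructed sample (on a real server, pipe in
# /var/adm/ipsec.log instead):
printf '%s\n' "$SAMPLE_LOG" | denied_by_source 22
```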
