In this example:
- One server with IP address 10.0.0.1 configured on the en0 logical interface
IPSEC rules:
- PERMIT SSH requests to the server (10.0.0.1) from only one client (10.0.0.2)
- DENY and "LOG" all other SSH connections
- DENY all other packets
Prerequisites
To start the firewall in AIX you need a few packages (filesets) to be installed:
- bos.msg.en_US.net.ipsec
- bos.net.ipsec.keymgt
- bos.net.ipsec.rte
- clic.rte.kernext
- clic.rte.lib
Recommendations
- Use a TTY or VTY (console) connection for the first AIX filtering configuration, because a wrong rule combined with the DENY ALL default can cut off your own network session.
- Add the client hostname to /etc/hosts on the server.
- Use hostnames in the genfilt rules for this example.
- Check IP host resolution:
# host server
server is 10.0.0.1
# host client
client is 10.0.0.2
Prepare syslog to record the rejected packets (the filter logging daemon writes to the local4 facility):
# echo "local4.debug /var/adm/ipsec.log rotate size 100k files 4" >> /etc/syslog.conf
# touch /var/adm/ipsec.log
# refresh -s syslogd
Back up the old rules
# lsfilt -v4 >> /tmp/lsfilt.bkp
Example of IPSec rules script
#!/usr/bin/ksh
# Remove all user-defined IPv4 rules
rmfilt -v 4 -n all
# Activate the (now empty) IPv4 rule table
mkfilt -v 4 -u
# Stop IPv4 filter logging while the rules are being changed
mkfilt -v 4 -g stop
# Set the default IPv4 rule to DENY ALL
mkfilt -v 4 -u -z D
# PERMIT SSH requests from client to server, inbound on en0 (client port > 1023, server port 22), no logging
genfilt -v 4 -a P -s client -d server -g N -c tcp -o gt -p 1023 -O eq -P 22 -r L -w I -l N -f Y -i en0
# PERMIT SSH answers from server to client, outbound on en0 (ACK packets only, from port 22 to client port > 1023)
genfilt -v 4 -a P -s server -d client -g N -c tcp/ack -o eq -p 22 -O gt -P 1023 -r L -w O -l N -f Y -i en0
# DENY and LOG all other inbound SSH requests on en0 (any source, any destination, port 22)
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -g N -c tcp -O eq -P 22 -r L -w I -l Y -f Y -i en0
# Activate the new rules
mkfilt -v 4 -u
# Start IPv4 filter logging (written to /var/adm/ipsec.log through syslog local4)
mkfilt -v4 -g start
# Display the active rule list
lsfilt -v4 -O
In the ipsec.log trace below you can see that 10.0.0.5 is not authorised to connect to the SSH server: the packet matched rule #4 (R:d = denied) on en0 with destination port 22.
# tail -f /var/adm/ipsec.log
Feb 15 16:16:57 server local4:notice ipsec_logd: Filter logging daemon ipsec_logd (level 2.20) initialized at 16:16:57 on 02/15/13
Feb 15 16:17:10 server local4:info ipsec_logd: #:4 R:d I:10.0.0.1 S:10.0.0.5 D:10.0.0.1 P:tcp/ack SP:34804 DP:22 R:l I:en0 F:n T:0 L:44
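As an added example (not part of the original page or of AIX itself), a small sh/awk script that parses ipsec_logd lines in the format of the trace above and counts denied SSH attempts per source address, so the log can feed a simple alert from cron. The sample lines are constructed, and the field meanings (first R: = filter action, S: = source address, DP: = destination port) are assumed from the trace above.

```shell
#!/bin/sh
# Constructed ipsec_logd sample in the format shown above (not a real capture):
# two denied SSH attempts from 10.0.0.5, one from 10.0.0.7, and one denied
# non-SSH packet (port 80) included only to exercise the port filter.
SAMPLE_LOG='Feb 15 16:17:10 server local4:info ipsec_logd: #:4 R:d I:10.0.0.1 S:10.0.0.5 D:10.0.0.1 P:tcp/ack SP:34804 DP:22 R:l I:en0 F:n T:0 L:44
Feb 15 16:17:12 server local4:info ipsec_logd: #:4 R:d I:10.0.0.1 S:10.0.0.5 D:10.0.0.1 P:tcp SP:34805 DP:22 R:l I:en0 F:n T:0 L:60
Feb 15 16:17:20 server local4:info ipsec_logd: #:4 R:d I:10.0.0.1 S:10.0.0.7 D:10.0.0.1 P:tcp SP:40001 DP:22 R:l I:en0 F:n T:0 L:60
Feb 15 16:17:31 server local4:info ipsec_logd: #:5 R:d I:10.0.0.1 S:10.0.0.7 D:10.0.0.1 P:tcp SP:40002 DP:80 R:l I:en0 F:n T:0 L:60'

# Read ipsec_logd lines on stdin and print "count source" for every source
# address whose packets to destination port 22 were denied (R:d), most
# frequent first. Field meaning assumed from the sample line: the first
# "R:" is the filter action (p = permit, d = deny), "S:" the source address,
# "DP:" the destination port.
denied_ssh_by_source() {
    awk '
        /ipsec_logd: #:/ {
            denied = 0; src = ""; dport = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "R:d") denied = 1
                else if ($i ~ /^S:/) src = substr($i, 3)
                else if ($i ~ /^DP:/) dport = substr($i, 4)
            }
            if (denied && dport == "22") count[src]++
        }
        END { for (s in count) printf "%d %s\n", count[s], s }
    ' | sort -rn
}

# Print only the sources at or above a threshold of denied SSH attempts,
# e.g. to raise an alert from a cron job. $1 is the threshold (default 2).
ssh_deny_alerts() {
    threshold=${1:-2}
    denied_ssh_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Stand-alone usage on the constructed sample; on the server itself you
# would pipe /var/adm/ipsec.log instead.
printf '%s\n' "$SAMPLE_LOG" | denied_ssh_by_source
printf '%s\n' "$SAMPLE_LOG" | ssh_deny_alerts 2
```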
Source:
http://www.ibm.com/developerworks/aix/library/au-aixfiltering/index.html
http://it.toolbox.com/blogs/unix-swing/sample-firewall-in-aix-48146