Tuesday, August 24, 2010

AIX 5L IPSec (packet filtering)

This short howto sets up an IPSec filter that allows all connections by default,
and then shows how to create rules to block certain hosts and ports.

This is tested on two TLs:

5300-12-01-1016
5300-08-07-0920

Default installation of AIX 5L has IPSec disabled:

lsfilt -a -v4 -O
Can not open device /dev/ipsec4_filt.

To start IPSec, use smitty:

smitty ipsec4

Select Start/Stop IP Security > Start IP Security
Deny All Non_Secure IP Packets [no]

then press ENTER; this sets the default action to PERMIT.
The filter will then look like the following by default:

lsfilt -a -v4 -O
1|*** Dynamic filter placement rule for IKE tunnels ***|no
2|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||

Now, to edit the ruleset, export the default rule to a file:

(NOTE: I only ran the export command so I could get the param names)

[root@UXI0017]/root>expfilt -v4 -f /tmp/ip_sec/ -l all -r
Filter rule(s) have been exported to /tmp/ip_sec/ipsec_fltr_rule.exp successfully.

The file /tmp/ip_sec/ipsec_fltr_rule.exp will then contain the following:

#IPver:flt_id:act:src_addr:src_mask:dst_addr:dst_mask:src_rte:proto:src_p_op:src_p:dst_p_op:dst_p:if:scope:dir:log:frag:tun_id:auto_gen:exptime:pattern_type:pattern

which is actually just the names of the parameters used by a filter rule, in column order.

For an example ruleset, this will block (deny) FTP (20/21) from one host and
block SSH (22) from another. Other machines are allowed access:

#IPver:flt_id:act:src_addr:src_mask:dst_addr:dst_mask:src_rte:proto:src_p_op:src_p:dst_p_op:dst_p:if:scope:dir:log:frag:tun_id:auto_gen:exptime:pattern_type:pattern
4 3 deny 10.129.6.122 255.255.255.255 0.0.0.0 0.0.0.0 y tcp any 0 eq  20 all local inbound yes yes 0 no 0 patt_none
4 3 deny 10.129.6.122 255.255.255.255 0.0.0.0 0.0.0.0 y tcp any 0 eq  21 all local inbound yes yes 0 no 0 patt_none
4 4 deny 10.129.12.116 255.255.255.255 0.0.0.0 0.0.0.0 y tcp any 0 eq  22 all local inbound yes yes 0 no 0 patt_none

# import the rules
[root@UX0017]/root>impfilt -v4 -f /tmp/ip_sec/
Filter rule 3 for IPv4 imported as rule 3.
Filter rule 3 for IPv4 imported as rule 4.
Filter rule 4 for IPv4 imported as rule 5.
Filter rule(s) have been imported successfully.

# update/activate the new ruleset
[root@UX0017]/root>mkfilt -v4 -u

#list/check the running v4 ruleset
[root@UX0017]/root>lsfilt -a -v4 -O
1|*** Dynamic filter placement rule for IKE tunnels ***|no
2|deny|10.129.6.122|255.255.255.255|0.0.0.0|0.0.0.0|yes|tcp|any|0|eq|20|local|inbound|yes|all packets|0|all|0|||
3|deny|10.129.6.122|255.255.255.255|0.0.0.0|0.0.0.0|yes|tcp|any|0|eq|21|local|inbound|yes|all packets|0|all|0|||
4|deny|10.129.12.116|255.255.255.255|0.0.0.0|0.0.0.0|yes|tcp|any|0|eq|22|local|inbound|yes|all packets|0|all|0|||
5|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||

hth.
