To start a firewall on AIX you need a few packages installed:
To work with TCP/IP filters you only need a few commands, which are explained here and then used in the next section. If you're familiar with AIX commands you will see that these follow the same logic of having descriptive prefixes in their names, like mk, ls, and rm, followed by the filt suffix.
lsfilt: Lists the filter rules present in the table. When created, each rule is assigned a number, which you can see with this command.
genfilt: Adds a filter rule to the table. This is the one you use to create new filters. If you do not specify a position with the -n parameter, the new rule is added at the end of the table.
chfilt: Changes an existing filter rule. You need to provide the rule ID to indicate which rule you want to modify. Rule 1 is the default rule and can't be changed with this command.
rmfilt: The rm prefix should sound familiar to any UNIX administrator. You use this command to remove a filter rule, providing its rule ID.
mkfilt: This is the key command that activates or deactivates the filter rules in the table, enables or disables logging for filters, and changes the default rule. For changes made to the filter table to take effect, you have to run this command with the appropriate arguments (for example -u to update the active rules).
To start the firewall, run the following commands as root (the first loads the ipsec device, the second activates the filter rules with a default rule of permit):
/usr/sbin/mkdev -c ipsec -t 4
/usr/sbin/mkfilt -v 4 -u -z P
To stop it, run this command:
/usr/sbin/rmdev -l ipsec_v4
List all IPv4 rules:
/usr/sbin/lsfilt -v 4 -O
1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all packets 0 all
2 *** Dynamic filter placement rule for IKE tunnels *** no
3 permit 172.16.22.0 255.255.255.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both no all packets 0 all
List all active IPv4 rules:
/usr/sbin/lsfilt -v 4 -O -a
Example: IPsec rules for one server with IP address 10.0.0.1 configured on the en0 logical interface
Recommendations
# host server
server is 10.0.0.1
# host client
client is 10.0.0.2
Prepare syslog to record rejected packets (filter logging goes to the local4 facility):
# echo "local4.debug /var/adm/ipsec.log rotate size 100k files 4" >> /etc/syslog.conf
# touch /var/adm/ipsec.log
# refresh -s syslogd
For each rule, specify -l Y or -l N to enable or disable logging of the packets that match it.
Back up the old rules:
# lsfilt -v4 >> /tmp/lsfilt.bkp
Example IPsec rules script:
#!/usr/bin/ksh
# Remove all user rules
rmfilt -v 4 -n all
# Activate rules
mkfilt -v 4 -u
# Stop ipv4 LOG
mkfilt -v 4 -g stop
# DENY ALL (set the default rule to deny)
mkfilt -v 4 -u -z D
# PERMIT SSH request from client to server on en0 interface
genfilt -v 4 -a P -s client -d server -g N -c tcp -o gt -p 1023 -O eq -P 22 -r L -w I -l N -f Y -i en0
# PERMIT SSH answer from server to client on en0 interface
genfilt -v 4 -a P -s server -d client -g N -c tcp/ack -o eq -p 22 -O gt -P 1023 -r L -w O -l N -f Y -i en0
# DENY and LOG all other SSH requests on en0 interface
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -g N -c tcp -O eq -P 22 -r L -w I -l Y -f Y -i en0
# Activate rules
mkfilt -v 4 -u
# Start ipv4 LOG to /var/adm/ipsec.log (requires the syslog setup above)
mkfilt -v 4 -g start
# Display rules list
lsfilt -v 4 -O
In the ipsec.log trace below you can see that 10.0.0.5 is not authorised to reach the SSH server: its packet was denied (R:d) and logged.
# tail -f /var/adm/ipsec.log
Feb 15 16:16:57 server local4:notice ipsec_logd: Filter logging daemon ipsec_logd (level 2.20) initialized at 16:16:57 on 02/15/13
Feb 15 16:17:10 server local4:info ipsec_logd: #:4 R:d I:10.0.0.1 S:10.0.0.5 D:10.0.0.5 P:tcp/ack SP:34804 DP:22 R:l I:en0 F:n T:0 L:44
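As an added example (not part of the original page), a small POSIX shell/awk script that summarises denied flows from ipsec_logd lines in the format shown above, so an administrator can see which sources keep hitting the logging deny rule. The lines in SAMPLE_LOG are constructed, modelled on the trace above; the R:p result code for permitted packets is an assumption.

```shell
# Constructed sample of ipsec_logd lines, modelled on the trace above.
# The "R:p" result code for permitted packets is an assumption.
SAMPLE_LOG='Feb 15 16:17:10 server local4:info ipsec_logd: #:4 R:d I:10.0.0.1 S:10.0.0.5 D:10.0.0.1 P:tcp/ack SP:34804 DP:22 R:l I:en0 F:n T:0 L:44
Feb 15 16:17:11 server local4:info ipsec_logd: #:4 R:d I:10.0.0.1 S:10.0.0.5 D:10.0.0.1 P:tcp SP:34805 DP:22 R:l I:en0 F:n T:0 L:44
Feb 15 16:17:12 server local4:info ipsec_logd: #:3 R:p I:10.0.0.1 S:10.0.0.2 D:10.0.0.1 P:tcp SP:40001 DP:22 R:l I:en0 F:n T:0 L:44
Feb 15 16:17:13 server local4:info ipsec_logd: #:4 R:d I:10.0.0.1 S:10.0.0.9 D:10.0.0.1 P:tcp SP:51000 DP:22 R:l I:en0 F:n T:0 L:44'

# Read ipsec_logd lines on stdin and print one line per denied flow:
#   <count> <source> <destination> <dport> <rule-id>
# sorted with the most frequent flow first.
summarize_denied() {
    awk '
    /ipsec_logd: #:/ {
        # Fields after "ipsec_logd:" have a fixed order:
        # #:rule R:result I:ifaddr S:src D:dst P:proto SP:sport DP:dport R:routing I:iface F:frag T:tunnel L:len
        for (i = 1; i <= NF; i++) if ($i ~ /^#:/) break
        rule   = substr($i,     3)
        result = substr($(i+1), 3)   # d = denied
        src    = substr($(i+3), 3)
        dst    = substr($(i+4), 3)
        dport  = substr($(i+7), 4)
        if (result == "d") count[src " " dst " " dport " " rule]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Summarise the constructed sample; on a real system pipe the log file
# into summarize_denied instead, e.g. tail -n 1000 /var/adm/ipsec.log | summarize_denied
summarize_sample() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_denied
}
```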