IPFilter is a packet-filtering firewall with NAT, including port translation (port NAT). It can also log every connection if you write "any to any" rules with the log keyword.
The IPFilter base package is on the AIX Expansion Pack.
Updates are also available on the IBM web site: http://www-01.ibm.com/support/docview.wss?uid=isg1fileset1949053218
Be careful: in the start script below, ipmon (the daemon that writes a record for every packet matched by a log rule) is started without name resolution. Do not add the -n option (resolve addresses and ports to names): every log entry would then wait for a DNS lookup, which can slow down your Ethernet connections.
[eco-aix61@root] /root> cat /etc/rc.ipf
#!/bin/ksh
##################################################
# name:    ipf.sh
# purpose: script that will start or stop the
#          ipfilter firewall
##################################################
# Please add the matching entries to /etc/syslog.conf:
# *.debug   /var/log/debug.log   rotate size 100k files 4 compress
# *.warning /var/log/warning.log rotate size 100k files 4 compress

ipffile=/etc/ipf.conf

# suffix of the IPFilter commands, chosen from the running kernel
kernel=""
if [ $(bootinfo -K) != 64 ]
then
    kernel=64
fi

case "$1" in
start )
    if [ ! -e $ipffile ]
    then
        echo "Create a configuration file $ipffile"
        exit 1
    fi
    echo "Load IPfilter kernel extension"
    # loading an extension that is already loaded fails with
    # "sysconfig(SYS_CFGDD): File exists", so look in genkex first
    genkex | grep /usr/lib/drivers/ipf > /dev/null 2>&1
    if [ $? -ne 0 ]
    then
        /usr/lib/methods/cfg_ipf$kernel -l
    fi
    echo "Load IPmon and log into syslog (IPfilter)"
    echo "Reject hosts are log into warning file"
    echo "IPmon started without IP resolution"
    # -s: log through syslogd, -D: run as a daemon; no -n, so no name lookups
    ps -ef | grep -v grep | grep "/usr/sbin/ipmon" > /dev/null 2>&1
    if [ $? -ne 0 ]
    then
        /usr/sbin/ipmon$kernel -s -D
    fi
    echo "Load IPfilter Rules"
    # -Fa: flush every existing rule, -f: load the rule file
    /usr/sbin/ipf$kernel -Fa -f $ipffile
    ;;
stop )
    echo "Stop IPmon"
    for proc in $(ps -ef | grep -v grep | grep "/usr/sbin/ipmon" | awk '{print $2}')
    do
        kill $proc
    done
    echo "UnLoad IPfilter kernel extension"
    /usr/lib/methods/cfg_ipf$kernel -u
    ;;
reload )
    echo "Reload IPfilter Rules"
    /usr/sbin/ipf$kernel -Fa -f $ipffile
    ;;
status )
    genkex | grep /usr/lib/drivers/ipf > /dev/null 2>&1
    if [ $? -eq 0 ]
    then
        echo "IPFilter running"
    else
        echo "IPFilter not running"
    fi
    ;;
stat )
    echo "Rules statistics"
    /usr/sbin/ipfstat$kernel -hio
    ;;
* )
    echo "Usage: $0 (start | stop | reload | status | stat)"
    exit 1
    ;;
esac
Be careful: do not start the firewall automatically at boot. With a wrong rule set you can lose all access to the server, and a reboot would simply load the same bad rules again. It is better to monitor whether the firewall is running and raise an alert when it is not. Some rules are highly recommended:
…
[eco-aix61@root] /root> cat /etc/ipf.conf
#############
# Allow loopback
pass in quick on lo0 all
pass out quick on lo0 all
#############
# Block all inbound TCP (no "quick": the last matching rule wins, so the
# pass rules below override these)
block in log on en1 proto tcp from any to any
block in log on en0 proto tcp from any to any
#############
# SSH from NIM
pass in log quick on en1 proto tcp from 10.10.10.10 to any port = 22
#############
# SSH Putty for user (pc1 must resolve, e.g. through /etc/hosts, when the rules are loaded)
pass in log quick on en1 proto tcp from pc1 to any port = 22
#############
# Telnet allowed for an IP range
# (ipf applies the mask: 11.11.11.0/16 is 11.11.0.0/16; use /24 for 11.11.11.0-11.11.11.255)
pass in log quick on en1 proto tcp from 11.11.11.0/16 to any port = 23
#############
# TSM client
pass out log quick on en1 proto tcp from any to tsmsrv1 port = 1500 keep state
pass in log quick on en1 proto tcp from tsmsrv1 to any port = 1501 keep state
#############
# If DNS is used (ssh for example). Only TCP is blocked above, so inbound UDP
# already passes by default; this rule mainly adds logging. A tighter form is
# "pass out quick on en1 proto udp from any to any port = 53 keep state".
pass in log quick on en1 proto udp from any to any
#############
# ICMP (ping)
pass in on en1 proto icmp from any to any icmp-type echo
[eco-aix61@root] /root> /etc/rc.ipf start
Load IPfilter kernel extension
Major 47 devno 0
sysconfig(SYS_CFGDD): File exists
Load IPmon and log into syslog (IPfilter)
Reject hosts are log into warning file
Load IPfilter Rules
unknown name "pc1"
unknown name "tsmsrv1"
unknown name "tsmsrv1"
Two things went wrong in this run. "sysconfig(SYS_CFGDD): File exists" only means the kernel extension was already loaded by an earlier start; it is harmless, and avoidable by checking genkex for /usr/lib/drivers/ipf before calling cfg_ipf -l. The "unknown name" messages are not harmless: ipf resolves host names while it parses the rule file, so the pc1 and tsmsrv1 rules are rejected while the block rules are loaded, and SSH from pc1 and the TSM server's connections to port 1501 are now blocked. Put the names in /etc/hosts (do not rely on DNS, which may itself depend on the firewall) or use addresses, then run /etc/rc.ipf reload.
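The two failure modes above, a rule file whose names do not resolve and a rule set that locks you out of the box, can both be caught before ipf -Fa -f takes effect. The following is an added example, not code from this page or from the IPFilter package: POSIX sh functions (they run under AIX ksh) that list every from/to name in the rule file that is neither an address nor present in /etc/hosts, warn about CIDR blocks with host bits set (11.11.11.0/16 is really 11.11.0.0/16), and load the rules with a watchdog that flushes them again unless you confirm within a timeout, which is the usual protection when changing a remote firewall. The environment variables IPF_CMD, IPF_HOSTS and IPF_STAMP and the function names are this example's own conventions, not ipf options.

```shell
#!/bin/sh
# Added example, not part of the page or of the IPFilter package.
# Pre-flight checks and a rollback watchdog for loading /etc/ipf.conf on AIX.
# Assumptions (this example's own conventions, not ipf options):
#   IPF_CMD   path of the ipf command        (default /usr/sbin/ipf)
#   IPF_HOSTS hosts file used to check names (default /etc/hosts)
#   IPF_STAMP marker file for the watchdog   (default /tmp/ipf.pending)

# ipf_check_names RULEFILE [HOSTSFILE]
# Print every "from X" / "to X" name that is not "any", not an address and
# not listed in HOSTSFILE; return 1 if there is at least one. These are the
# names ipf reports as 'unknown name' and whose rules it then drops.
ipf_check_names() {
    rulefile=$1
    hostsfile=${2:-${IPF_HOSTS:-/etc/hosts}}
    rc=0
    names=$(sed -e 's/#.*//' "$rulefile" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "from" || $i == "to") print $(i+1) }' |
        sort -u)
    for n in $names; do
        case $n in
            any|[0-9]*) continue ;;     # keyword, dotted address or CIDR block
        esac
        if ! awk -v n="$n" '$0 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
                             END { exit !found }' "$hostsfile"; then
            echo "unresolved name in $rulefile: $n (add it to $hostsfile or use its address)"
            rc=1
        fi
    done
    return $rc
}

# ipf_check_cidr RULEFILE
# Warn about a.b.c.d/n blocks whose host bits are not zero: ipf applies the
# mask, so 11.11.11.0/16 silently becomes 11.11.0.0/16. Return 1 if any.
ipf_check_cidr() {
    rulefile=$1
    rc=0
    for cidr in $(sed -e 's/#.*//' "$rulefile" | tr ' ' '\n' |
                  grep '^[0-9][0-9.]*/[0-9][0-9]*$' | sort -u); do
        ip=${cidr%/*}
        bits=${cidr#*/}
        oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs      # $1..$4 = octets
        addr=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
        hostmask=$(( (1 << (32 - bits)) - 1 ))
        if [ $(( addr & hostmask )) -ne 0 ]; then
            net=$(( addr & ~hostmask ))
            echo "warning: $cidr has host bits set; ipf will use" \
                 "$(( (net >> 24) & 255 )).$(( (net >> 16) & 255 )).$(( (net >> 8) & 255 )).$(( net & 255 ))/$bits"
            rc=1
        fi
    done
    return $rc
}

# ipf_apply_with_rollback RULEFILE TIMEOUT
# Run the checks, flush and load the rules, then flush everything again after
# TIMEOUT seconds unless ipf_confirm has been run: a rule set that cuts off
# your ssh session undoes itself instead of surviving until someone gets to
# the console.
ipf_apply_with_rollback() {
    rulefile=$1
    timeout=$2
    ipf=${IPF_CMD:-/usr/sbin/ipf}
    stamp=${IPF_STAMP:-/tmp/ipf.pending}
    ipf_check_names "$rulefile" || return 1
    ipf_check_cidr "$rulefile" || echo "(continuing: ipf accepts these rules as written)"
    : > "$stamp"
    if ! "$ipf" -Fa -f "$rulefile"; then
        rm -f "$stamp"
        return 1
    fi
    (
        sleep "$timeout"
        if [ -e "$stamp" ]; then
            "$ipf" -Fa          # not confirmed in time: drop every rule (default policy: pass)
            rm -f "$stamp"
        fi
    ) &
    echo "rules loaded; run ipf_confirm within $timeout s or they will be flushed"
}

# ipf_confirm: keep the loaded rules (cancels the watchdog)
ipf_confirm() {
    rm -f "${IPF_STAMP:-/tmp/ipf.pending}"
}
```

Source the file, then from your ssh session run ipf_apply_with_rollback /etc/ipf.conf 120, open a second session to prove you still can, and run ipf_confirm. If the first session hangs instead, the rules are flushed after two minutes and the box is back to the default pass policy. The CIDR warning is deliberately not fatal because ipf itself accepts such rules; the name check is fatal because ipf would silently load an incomplete rule set.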
[eco-aix61@root] /root> cat /etc/syslog.conf
...
*.warning /var/log/syslog/warning.log rotate size 1m files 4 compress
*.debug   /var/log/syslog/debug.log   rotate size 1m files 4 compress
With ipmon -s, blocked packets are sent at priority warning and passed packets at notice, so blocked hosts end up in warning.log and everything that is logged ends up in debug.log (the *.debug entry also receives the warnings, so blocked hosts appear in both files). ipmon uses the local0 facility by default; a local0.warning selector keeps other daemons' warnings out of that file.
Create the (empty) log files yourself; syslogd does not create them automatically:
[eco-aix61@root] /root> mkdir -p /var/log/syslog
[eco-aix61@root] /root> for file in $(grep -v "^#" /etc/syslog.conf | awk 'NF >= 2 {print $2}')
> do
>     touch $file
> done
Uncomment the syslogd entry in /etc/rc.tcpip, or use chrctcp, which enables the entry and starts the subsystem; then restart syslogd so that it reads the new configuration (refresh -s syslogd also works):
[eco-aix61@root] /root> chrctcp -S -a syslogd
[eco-aix61@root] /root> stopsrc -s syslogd; startsrc -s syslogd
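Once blocked packets are landing in /var/log/syslog/warning.log, the next thing to want is a quick view of who is being blocked and on which port. The function below is an added example, not from this page: an awk summary over ipmon syslog lines that counts blocked ("b") records per source address, destination and protocol. The sample log is constructed (documentation addresses, made-up times) and follows ipmon's record layout (time, interface, @group:rule, b or p, src,port -> dst,port PR proto ...), which is what the *.warning entry above collects when ipmon runs with -s.

```shell
#!/bin/sh
# Added example, not part of the page: summarise blocked connections from the
# ipmon records that syslogd wrote to warning.log.

# ipf_blocked_summary LOGFILE
# Print "count source destination,port proto", most frequent first, for every
# record ipmon logged with action "b" (blocked). Passed ("p") records are ignored.
ipf_blocked_summary() {
    awk '
        # syslog prefix: month day time host ipmon[pid]:  then the ipmon record
        $5 ~ /^ipmon/ {
            for (i = 6; i <= NF; i++) if ($i == "->") break    # locate "src -> dst"
            if (i > NF) next
            action = $(i - 2); src = $(i - 1); dst = $(i + 1); proto = $(i + 3)
            if (action != "b") next
            sub(/,[0-9]*$/, "", src)                            # drop the source port
            count[src " " dst " " proto]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# write_sample_log FILE: constructed ipmon lines as forwarded by syslogd
write_sample_log() {
    cat > "$1" <<'EOF'
Mar  3 10:15:22 eco-aix61 ipmon[1234]: 10:15:22.123456 en1 @0:2 b 192.0.2.7,43512 -> 10.10.10.5,23 PR tcp len 20 60 -S IN
Mar  3 10:15:23 eco-aix61 ipmon[1234]: 10:15:23.223456 en1 @0:2 b 192.0.2.7,43513 -> 10.10.10.5,23 PR tcp len 20 60 -S IN
Mar  3 10:15:24 eco-aix61 ipmon[1234]: 10:15:24.323456 en1 @0:5 p 10.10.10.10,51000 -> 10.10.10.5,22 PR tcp len 20 60 -S IN
Mar  3 10:15:25 eco-aix61 ipmon[1234]: 10:15:25.423456 en1 @0:2 b 198.51.100.9,60000 -> 10.10.10.5,22 PR tcp len 20 60 -S IN
Mar  3 10:15:26 eco-aix61 ipmon[1234]: 10:15:26.523456 en1 @0:2 b 192.0.2.7,43514 -> 10.10.10.5,23 PR tcp len 20 60 -S IN
EOF
}

# On the real box: ipf_blocked_summary /var/log/syslog/warning.log | head
```

Because the summary keys on the destination port, a single source hammering port 23 stands out from a scan that touches many ports with one packet each; feed it to the monitoring you already have for the "firewall not running" alert from the warning above.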