IPfilter

IPfilter is a packet-filtering firewall that also provides NAT, including port translation. You can also use it to log every connection if you create "any to any" rules with the log keyword.

The IPfilter base package can be found on the AIX Expansion Pack.

Updates are also available on the IBM web site: http://www-01.ibm.com/support/docview.wss?uid=isg1fileset1949053218

First install the AIX package ipfl.rte, then the updates.

Create a start/stop script

Be careful: in the following start script, ipmon (the daemon that logs all access) is started without name resolution. If you start it with the -n option (resolve addresses to host names), it can slow down your network connections.

[eco-aix61@root] /root> cat /etc/rc.ipf
#!/bin/ksh

##################################################
# name: rc.ipf
# purpose: script that will start or stop the
# ipfilter firewall
##################################################
# Please add an entry into /etc/syslog.conf
# *.debug         /var/log/debug.log  size 100k files 4 compress
# *.warning        /var/log/warning.log  size 100k files 4 compress

ipffile=/etc/ipf.conf
kernel=""

# Suffix for the ipf binaries and the kernel extension method.
# It stays empty on this AIX 6.1 system, where bootinfo -K reports 64.
if [ "$(bootinfo -K)" != 64 ]
then
  kernel=64
fi

case "$1" in
start )
        if [ ! -e "$ipffile" ]
        then
          echo "Create a configuration file $ipffile"
          exit 1
        fi
        echo "Load IPfilter kernel extension"
        /usr/lib/methods/cfg_ipf$kernel -l
        echo "Load IPmon and log into syslog (IPfilter)"
        echo "Reject hosts are log into warning file"
        echo "IPmon started without IP resolution"
        # Start ipmon only if it is not already running:
        # -s sends the log to syslog, -D runs it as a daemon,
        # and no -n means no name lookups (see the warning above).
        ps -ef | grep -v grep | grep "/usr/sbin/ipmon" > /dev/null 2>&1
        if [ $? -ne 0 ]
        then
          /usr/sbin/ipmon$kernel -s -D
        fi
        echo "Load IPfilter Rules"
        # -Fa flushes all loaded rules before reading the file
        /usr/sbin/ipf$kernel -Fa -f "$ipffile"
        ;;
stop )
        echo "Stop IPmon"
        for proc in $(ps -ef | grep -v grep | grep "/usr/sbin/ipmon" | awk '{print $2}')
        do
          kill $proc
        done
        echo "UnLoad IPfilter kernel extension"
        /usr/lib/methods/cfg_ipf$kernel -u
        ;;
reload )
        echo "Reload IPfilter Rules"
        /usr/sbin/ipf$kernel -Fa -f "$ipffile"
        ;;
status )
        # The firewall is active only while the ipf kernel extension is loaded
        genkex | grep /usr/lib/drivers/ipf > /dev/null 2>&1
        if [ $? -eq 0 ]
        then
                echo "IPFilter running"
        else
                echo "IPFilter not running"
        fi
        ;;
stat )
        echo "Rules statistics"
        # -h shows hit counts per rule, -i input rules, -o output rules
        /usr/sbin/ipfstat$kernel -hio
        ;;
* )
        echo "Usage: $0 (start | stop | reload | status | stat)"
        exit 1
        ;;
esac
exit 0

Now create the configuration file that holds the firewall rules.

Be careful: don't start the firewall automatically at boot. With a wrong configuration you can lose all access to your server, and a reboot will not bring it back. It's better to monitor the status of your firewall and raise an alert if it's not started. Some rules are highly recommended:

  1. the loopback interface (lo0) has to be allowed
  2. DNS must be reachable, otherwise each SSH connection will wait for a timeout (about 2 minutes)

[eco-aix61@root] /root> cat /etc/ipf.conf
#############
# Allow loopback (required, see above)
pass in quick on lo0 all
pass out quick on lo0 all
#############
# Block all incoming TCP on en0 and en1 and log it; the "quick" pass rules
# below are evaluated first and stop processing on a match
block in log on en1 proto tcp from any to any
block in log on en0 proto tcp from any to any
#############
# SSH from the NIM server
pass in log quick on en1 proto tcp from 10.10.10.10 to any port = 22
#############
# SSH (PuTTY) for one user's PC. Host names must resolve (e.g. /etc/hosts)
# when the rules are loaded, otherwise ipf reports "unknown name"
pass in log quick on en1 proto tcp from pc1 to any port = 22
#############
# Telnet allowed from an IP range. Note the /16 mask covers the whole
# 11.11.0.0/16 block, not just 11.11.11.x
pass in log quick on en1 proto tcp from 11.11.11.0/16 to any port = 23
#############
# TSM client: "keep state" lets the replies of these connections through
pass out log quick on en1 proto tcp from any to tsmsrv1 port = 1500 keep state
pass in log quick on en1 proto tcp from tsmsrv1 to any port = 1501 keep state
#############
# Incoming UDP, needed for DNS replies (SSH logins do a lookup, for example)
pass in log quick on en1 proto udp from any to any
#############
# ICMP echo (ping)
pass in on en1 proto icmp from any to any icmp-type echo
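Before running the start script on a machine you only reach over the network, it is worth checking the rule file offline for the two rules the page calls highly recommended (loopback and DNS) and for bare host names, which ipf rejects with "unknown name" unless they resolve. The following POSIX sh script is an added example (not from the wiki page or the IPfilter project); the two configuration files it checks are constructed inline, the first one mirroring the page's /etc/ipf.conf, and the function names are my own.

```shell
#!/bin/sh
# Added example: pre-flight checks for an ipf.conf before /etc/rc.ipf loads it.
# Nothing here touches the kernel or the real firewall; it only reads files.

SAMPLE_CONF=/tmp/ipf-sample.$$.conf   # constructed, mirrors the page's rules
BAD_CONF=/tmp/ipf-bad.$$.conf         # constructed, missing lo0 and UDP rules
trap 'rm -f "$SAMPLE_CONF" "$BAD_CONF"' EXIT

cat > "$SAMPLE_CONF" <<'EOF'
# Allow loopback
pass in quick on lo0 all
pass out quick on lo0 all
# Block All
block in log on en1 proto tcp from any to any
# SSH from NIM
pass in log quick on en1 proto tcp from 10.10.10.10 to any port = 22
# SSH for a user PC (host name, must be in /etc/hosts)
pass in log quick on en1 proto tcp from pc1 to any port = 22
# Telnet from a range
pass in log quick on en1 proto tcp from 11.11.11.0/16 to any port = 23
# TSM client
pass out log quick on en1 proto tcp from any to tsmsrv1 port = 1500 keep state
pass in log quick on en1 proto tcp from tsmsrv1 to any port = 1501 keep state
# DNS replies
pass in log quick on en1 proto udp from any to any
EOF

cat > "$BAD_CONF" <<'EOF'
block in log on en1 proto tcp from any to any
pass in log quick on en1 proto tcp from 10.10.10.10 to any port = 22
EOF

# Print the rule lines of a config: comments and blank lines removed.
rules() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Print 1 if lo0 is passed in both directions, else 0.
check_loopback() {
    in_ok=$(rules "$1" | grep -c '^pass in .*on lo0 ' || true)
    out_ok=$(rules "$1" | grep -c '^pass out .*on lo0 ' || true)
    if [ "$in_ok" -gt 0 ] && [ "$out_ok" -gt 0 ]; then echo 1; else echo 0; fi
}

# Print 1 if some incoming UDP is passed (DNS replies need it), else 0.
check_dns() {
    n=$(rules "$1" | grep -c '^pass in .*proto udp ' || true)
    if [ "$n" -gt 0 ]; then echo 1; else echo 0; fi
}

# Print, sorted and space separated, every name used after "from"/"to"
# that is neither "any" nor an IPv4 address or CIDR block. Such a name
# must resolve at load time or ipf drops the rule with 'unknown name'.
unresolved_names() {
    rules "$1" | awk '
        { for (i = 1; i < NF; i++)
            if ($i == "from" || $i == "to") {
                w = $(i + 1)
                if (w != "any" && w !~ /^[0-9.]+(\/[0-9]+)?$/) seen[w] = 1
            } }
        END { for (w in seen) print w }' |
    sort | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $0 }'
}

# Run all checks; returns 1 if a required rule is missing.
preflight() {
    conf=$1
    status=0
    [ "$(check_loopback "$conf")" = 1 ] ||
        { echo "FAIL: no pass rules for lo0 (local services will break)"; status=1; }
    [ "$(check_dns "$conf")" = 1 ] ||
        { echo "FAIL: no pass in rule for udp (DNS blocked, ssh waits ~2 min)"; status=1; }
    names=$(unresolved_names "$conf")
    [ -z "$names" ] || echo "WARN: these names must resolve or ipf drops the rule: $names"
    return $status
}

echo "== $SAMPLE_CONF"
preflight "$SAMPLE_CONF" || echo "Fix the rules before running /etc/rc.ipf start"
echo "== $BAD_CONF"
preflight "$BAD_CONF" || echo "Fix the rules before running /etc/rc.ipf start"
```

Run it as `sh preflight.sh`; the page's own rule set passes both required checks but gets a warning for pc1 and tsmsrv1, which is exactly what the "unknown name" lines in the start output below correspond to.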

Now start your firewall. Host names used in ipf.conf must resolve when the rules are loaded; here pc1 and tsmsrv1 do not, so ipf reports "unknown name" and those rules are not loaded:

[eco-aix61@root] /root> /etc/rc.ipf start
Load IPfilter kernel extension
Major 47
devno 0
sysconifg(SYS_CFGDD): File exists
Load IPmon and log into syslog (IPfilter)
Reject hosts are log into warning file
Load IPfilter Rules
unknown name "pc1"
unknown name "tsmsrv1"
unknown name "tsmsrv1"

If you want to log some connections, add the following lines to /etc/syslog.conf and restart the syslogd daemon:

[eco-aix61@root] /root> cat /etc/syslog.conf
...
*.warning /var/log/syslog/warning.log rotate size 1m files 4 compress
*.debug /var/log/syslog/debug.log rotate size 1m files 4 compress

Create the log files; syslogd won't create them automatically:

[eco-aix61@root] /root> mkdir -p /var/log/syslog
[eco-aix61@root] /root> for file in $(grep -v "^#" /etc/syslog.conf | awk '$2 ~ /^\// {print $2}')
do
touch $file
done

Uncomment the entry for syslogd in /etc/rc.tcpip, or use the following command; then restart syslogd:

[eco-aix61@root] /root> chrctcp -S -a syslogd
[eco-aix61@root] /root> stopsrc -s syslogd; startsrc -s syslogd
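Once ipmon lines reach /var/log/syslog/warning.log, the useful next step is to read them back: which sources are being blocked, and which of them probe several ports. The following POSIX sh script is an added example (not from the wiki page or the IPfilter project). It assumes ipmon's field layout ("b" for a blocked packet, "p" for a passed one, then "SRC,PORT -> DST,PORT"); the five log lines are constructed and not real traffic, and the function names are my own.

```shell
#!/bin/sh
# Added example: summarize blocked traffic from ipmon lines written by syslog.
# Field layout assumed: ... @group:rule b|p SRC,SPORT -> DST,DPORT PR proto ... IN|OUT

LOG=/tmp/ipmon-sample.$$.log   # constructed sample, replace with warning.log
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Jan  5 10:15:01 eco-aix61 ipmon[1234]: 10:15:01.100000 en1 @0:2 b 192.0.2.10,51234 -> 10.10.10.5,23 PR tcp len 20 60 -S IN
Jan  5 10:15:02 eco-aix61 ipmon[1234]: 10:15:02.100000 en1 @0:2 b 192.0.2.10,51235 -> 10.10.10.5,22 PR tcp len 20 60 -S IN
Jan  5 10:15:03 eco-aix61 ipmon[1234]: 10:15:03.100000 en1 @0:3 p 10.10.10.10,40000 -> 10.10.10.5,22 PR tcp len 20 60 -S IN
Jan  5 10:15:04 eco-aix61 ipmon[1234]: 10:15:04.100000 en1 @0:2 b 192.0.2.10,51236 -> 10.10.10.5,25 PR tcp len 20 60 -S IN
Jan  5 10:15:05 eco-aix61 ipmon[1234]: 10:15:05.100000 en1 @0:2 b 198.51.100.7,44444 -> 10.10.10.5,22 PR tcp len 20 60 -S IN
EOF

# Print "SRC_IP COUNT" for blocked packets, most frequent source first.
# The "->" token anchors the parse, so the syslog prefix length does not matter.
blocked_by_source() {
    awk '{
        for (i = 1; i <= NF; i++) if ($i == "->") {
            act = $(i - 2); src = $(i - 1)
            sub(/,[^,]*$/, "", src)          # drop ",PORT"
            if (act == "b") n[src]++
        }
    } END { for (s in n) print s, n[s] }' "$1" | sort -k2,2nr -k1,1
}

# Print "SRC_IP PORTS" for sources whose blocked packets reached at least
# $2 distinct destination ports: one host hitting many ports is a scan
# pattern worth alerting on, while a single blocked port is often a mistake.
probing_sources() {
    awk -v min="$2" '{
        for (i = 1; i <= NF; i++) if ($i == "->") {
            if ($(i - 2) != "b") continue
            src = $(i - 1); sub(/,[^,]*$/, "", src)
            port = $(i + 1); sub(/^.*,/, "", port)
            key = src SUBSEP port
            if (!(key in seen)) { seen[key] = 1; ports[src]++ }
        }
    } END { for (s in ports) if (ports[s] >= min) print s, ports[s] }' "$1" | sort
}

echo "Blocked packets per source:"
blocked_by_source "$LOG"
echo "Sources that hit 3 or more blocked ports:"
probing_sources "$LOG" 3
```

Pointing LOG at the real warning.log and running this from cron is a cheap way to turn the "log" keyword in the rules into something readable; the threshold in probing_sources is the knob to tune for your own traffic.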
aix/ipfilter.txt · Last modified: 2021/01/01 21:21 (external edit)