===== IPSec Firewall AIX =====

Check whether the IP Security filesets are installed:

<code>
lslpp -l | grep ipsec
</code>

Start IP Security through SMIT (menu path, top to bottom):

<code>
smit ipsec4
  Start/Stop IP Security
    Start IP Security
      Start IP Security [Now and After Reboot]
</code>

==== Filter only one IP and one port ====

Deny TCP port 80 between 10.149.128.122 and 10.149.128.123. Inbound rule on a specific network interface:

<code>
genfilt -v4 -a D -s 10.149.128.122 -m 255.255.255.0 -d 10.149.128.123 -M 255.255.255.0 -g N -c tcp -o eq -p 80 -r L -w I -l N -f Y -i en0
</code>

Inbound rule on all interfaces:

<code>
genfilt -v4 -a D -s 10.149.128.122 -m 255.255.255.0 -d 10.149.128.123 -M 255.255.255.0 -g N -c tcp -o eq -p 80 -r L -w I -l N -f Y -i all
</code>

The same rule for outbound (locally originated) packets: the port is now matched as the destination port (-O/-P) and the direction is -w O. On a specific interface:

<code>
genfilt -v4 -a D -s 10.149.128.122 -m 255.255.255.0 -d 10.149.128.123 -M 255.255.255.0 -g N -c tcp -O eq -P 80 -r L -w O -l N -f Y -i en0
</code>

The same outbound rule on all interfaces:

<code>
genfilt -v4 -a D -s 10.149.128.122 -m 255.255.255.0 -d 10.149.128.123 -M 255.255.255.0 -g N -c tcp -O eq -P 80 -r L -w O -l N -f Y -i all
</code>
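As an added example (not part of the original page), the script below builds the pair of rules that block one remote host from reaching one local TCP port, then activates them with mkfilt -u when run on AIX. The addresses, port, interface and helper names are assumptions for illustration; on a machine without genfilt it only prints the commands it would run. Two things differ from the commands above on purpose: the masks are 255.255.255.255 so each rule matches exactly one host instead of a whole /24, and the inbound rule matches the local port as the destination port while the outbound (reply) rule matches it as the source port.

```shell
#!/bin/sh
# Added example, not from the original page: deny ONE remote host access to
# ONE local TCP port, in both directions, with the same genfilt options the
# page uses. Addresses, port and interface are assumed values.

REMOTE=10.149.128.122   # assumed client to block
LOCAL=10.149.128.123    # assumed address of this host
PORT=80
IFACE=all

# Single-host mask: 255.255.255.0 would match the whole /24, not one host.
HOSTMASK=255.255.255.255

# Print the genfilt command for one direction.
#   $1 = I (inbound) or O (outbound), $2 = source address, $3 = destination
# Inbound: the local service port is the DESTINATION port (-O/-P).
# Outbound replies: the local service port is the SOURCE port (-o/-p).
deny_tcp_rule() {
    dir=$1; src=$2; dst=$3
    if [ "$dir" = I ]; then
        portopts="-O eq -P $PORT"
    else
        portopts="-o eq -p $PORT"
    fi
    printf 'genfilt -v4 -a D -s %s -m %s -d %s -M %s -g N -c tcp %s -r L -w %s -l N -f Y -i %s\n' \
        "$src" "$HOSTMASK" "$dst" "$HOSTMASK" "$portopts" "$dir" "$IFACE"
}

# Both rules: client -> local:PORT inbound, local:PORT -> client outbound.
deny_tcp_port_rules() {
    deny_tcp_rule I "$REMOTE" "$LOCAL"
    deny_tcp_rule O "$LOCAL" "$REMOTE"
}

# Format check only (dotted quad) before anything is handed to genfilt.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

main() {
    for a in "$REMOTE" "$LOCAL"; do
        valid_ipv4 "$a" || { echo "bad address: $a" >&2; return 1; }
    done
    if command -v genfilt >/dev/null 2>&1 && command -v mkfilt >/dev/null 2>&1; then
        deny_tcp_port_rules | sh -e   # add both rules to the filter rule table
        mkfilt -u                     # activate the table in the kernel
        lsfilt -v4 -a                 # show the rules that are now active
    else
        echo "genfilt not available here; commands that would run:"
        deny_tcp_port_rules
    fi
}

main "$@"
```

Run it as root on the AIX host after IP Security has been started; genfilt only appends to the rule table, so re-running it adds duplicate rules rather than replacing them (remove the old ones with rmfilt first).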
What do the options above mean?

  * -v4: use IPv4 rules
  * -a D: action Deny
  * -s 10.149.128.122: source address
  * -m 255.255.255.0: source subnet mask. Note that this mask makes the rule match every host in 10.149.128.0/24, not only .122; to match a single host use 255.255.255.255
  * -d 10.149.128.123: destination address
  * -M 255.255.255.0: destination subnet mask (same caveat as -m)
  * -g N: source-routing flag; N means the rule does not apply to source-routed packets (IPv4 only)
  * -c tcp: apply to the TCP protocol
  * -o eq / -p 80: source port condition and source port (used in the inbound rules). Valid conditions: lt, le, gt, ge, eq, neq and any
  * -O eq / -P 80: destination port condition and destination port (used in the outbound rules), same set of conditions
  * -r L: apply the rule to packets destined to or originating from this host (R would be forwarded packets, B both)
  * -w I / -w O: apply the rule to inbound / outbound packets (B for both)
  * -l N: do not log matches
  * -f Y: apply to all packets, fragmented or not
  * -i all: all interfaces (or one interface name such as en0)

genfilt only adds the rule to the filter rule table. Load the table into the kernel to activate it:

<code>
mkfilt -u
</code>

Filter-rule logging is started separately; it only matters for rules created with -l Y and is not needed to activate rules:

<code>
mkfilt -g start
</code>

Rules are evaluated in order and end with the default rule, which permits everything unless it has been changed with mkfilt -z D.

List the rules currently active in the kernel:

<code>
lsfilt -v4 -a
</code>

Restart IP Security from the Start/Stop IP Security menu (stop, then start again):

<code>
smit ipsec4
</code>

=== Remove rules ===

Remove all user-defined rules (the autogenerated default rule cannot be removed) and push the emptied table to the kernel:

<code>
rmfilt -v4 -n all
mkfilt -g start
mkfilt -u
</code>

==== References ====

  * https://www.ibm.com/support/knowledgecenter/en/ssw_aix_71/com.ibm.aix.cmds2/genfilt.htm