AIX


IP filtering in AIX

  • 1.  IP filtering in AIX

    Posted Wed September 03, 2014 05:29 AM

    Originally posted by: w5000


    Hello,
    could anyone explain why the DENY rule does not work in my configuration? For a test I wanted to grant ssh (22) to the local host and one remote host only.

    I enabled "IPsec" devices in AIX and configured rules as follows:
     

    mkdev -c ipsec -t 4
    mkfilt -v 4 -u -z p
    
    # lsdev -l ipsec_v4
    ipsec_v4 Available IP Version 4 Security Extension
    
    Next I added the filter rules and activated the firewall with:
    # mkfilt -v4 -u
    
    But this local AIX firewall is still allowing access to port 22/ssh from remote hosts other than 192.168.3.4.
    Here is the check and the sequence of rules applied:
    
    # ckfilt -v4 -O
    Beginning of IPv4 filter rules.
    2|*** Dynamic filter placement rule for IKE tunnels ***|no
    3|permit|127.0.0.1|0.0.0.0|0.0.0.0|0.0.0.0|yes|tcp|any|0|eq|22|both|inbound|no|all packets|0|all|0|||
    4|permit|192.168.3.4|255.255.255.255|0.0.0.0|0.0.0.0|yes|tcp|any|0|eq|22|both|inbound|no|all packets|0|all|0|||
    5|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|tcp|any|0|eq|22|both|inbound|no|all packets|0|all|0|||
    

    What have I done wrong?

    Update: problem fixed

    http://www-01.ibm.com/support/docview.wss?uid=isg1IV64260


    #AIX-Forum
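    An added example, not code from the thread: a small Python evaluator that parses the ckfilt -v4 -O table quoted above and walks it with first-match semantics, so the effect of each address/mask pair can be checked offline before concluding that the filter engine is at fault. The column layout is assumed from the lsfilt/ckfilt output format, and 192.168.3.10 and 10.0.0.5 are constructed sample addresses.

```python
import ipaddress

# Constructed copy of the ckfilt -v4 -O output from the post (rule 2, the IKE
# placement rule, carries no address fields and is skipped by the parser).
CKFILT_OUTPUT = """\
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|127.0.0.1|0.0.0.0|0.0.0.0|0.0.0.0|yes|tcp|any|0|eq|22|both|inbound|no|all packets|0|all|0|||
4|permit|192.168.3.4|255.255.255.255|0.0.0.0|0.0.0.0|yes|tcp|any|0|eq|22|both|inbound|no|all packets|0|all|0|||
5|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|tcp|any|0|eq|22|both|inbound|no|all packets|0|all|0|||
"""

# Column layout assumed from the lsfilt/ckfilt format: id|action|src|src mask|dst|
# dst mask|source routing|protocol|sport op|sport|dport op|dport|scope|direction|...
def parse_rules(text):
    rules = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) < 14 or f[1] not in ("permit", "deny"):
            continue  # header text or the IKE placement rule
        rules.append({"id": int(f[0]), "action": f[1],
                      "src": (ipaddress.IPv4Address(f[2]), ipaddress.IPv4Address(f[3])),
                      "dst": (ipaddress.IPv4Address(f[4]), ipaddress.IPv4Address(f[5])),
                      "proto": f[7], "dport_op": f[10], "dport": int(f[11]),
                      "direction": f[13]})
    return rules

def addr_matches(addr, rule_addr, mask):
    # Plain subnet-mask arithmetic: 0.0.0.0 matches any address, 255.255.255.255 one host.
    return (int(addr) & int(mask)) == (int(rule_addr) & int(mask))

def port_matches(port, op, value):
    ops = {"any": True, "eq": port == value, "neq": port != value, "lt": port < value,
           "gt": port > value, "le": port <= value, "ge": port >= value}
    return ops[op]

def evaluate(rules, src, dst, proto, dport, direction="inbound"):
    """Return (rule id, action) of the first matching rule, or (None, "default")."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for r in rules:
        if (r["proto"] in (proto, "all") and r["direction"] in (direction, "both")
                and addr_matches(src, *r["src"]) and addr_matches(dst, *r["dst"])
                and port_matches(dport, r["dport_op"], r["dport"])):
            return r["id"], r["action"]
    return None, "default"  # left to the default rule chosen with mkfilt -z

if __name__ == "__main__":
    rules = parse_rules(CKFILT_OUTPUT)
    for src in ("127.0.0.1", "192.168.3.4", "10.0.0.5"):
        print(src, "-> tcp/22:", evaluate(rules, src, "192.168.3.10", "tcp", 22))
```

    Under plain mask arithmetic a 0.0.0.0 source mask matches every address, so as printed rule 3 matches any source on port 22 before rule 5 is ever reached. Swapping rule 3's source mask for 255.255.255.255 makes the same evaluator fall through to rule 4 for 192.168.3.4 and to rule 5 for every other host.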


  • 2.  Re: IP filtering in AIX

    Posted Thu September 04, 2014 01:13 AM

    Originally posted by: cochise100


    Must be a bug in AIX security. It also does not work for me.

    I can confirm that after removing the custom rules and adding a deny for all, it works, but then the system is completely isolated and only the console can be used.

    Why we can block port 22 for all by specific IPs - no clue.

     

    AIX 7.1 TL3 SP1


    #AIX-Forum