AIX

    1. IPsec Rules Filter

    Posted Mon July 22, 2013 11:53 AM

    Originally posted by: GMoses


    I have most recently been assigned the task of implementing IPsec filter rules on AIX 7.1. Defining the rules via genfilt was straightforward for a specific port's attributes to be either PERMIT-ted or DENY-ed. We have an application that needs a block of ports ranging from 5000 - 8000. In order to accomplish this, I attempted to use the IPsec stateful filter rules, which allow for actions such as IF, ELSE, and ENDIF. Provided below are the actual IPsec rules I tried using:

    genfilt -v 4 -a I -s 0.0.0.0 -m 0.0.0.0 -d 10.6.85.5 -M 255.255.255.0 -c tcp -O ge -P 5000 -D "Set Low range Value GE 5000"

    # Action: Permit Traffic

    genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d 10.6.85.5 -M 255.255.255.0 -c tcp -O any -P 0 -D "Permit-ports >= 5000 traffic flow"

    genfilt -v 4 -a L -s 0.0.0.0 -m 0.0.0.0 -d 10.6.85.5 -M 255.255.255.0 -c tcp -D "ELSE"

    genfilt -v 4 -a I -s 0.0.0.0 -m 0.0.0.0 -d 10.6.85.5 -M 255.255.255.0 -c tcp -O ge -P 8000 -D "Set High range Value equal 8000"

    # Action: DENY Traffic
    #
    genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 10.6.85.5 -M 255.255.255.0 -c tcp -O any -P any -w I -D \
    "DENY all port request that fall through."

    genfilt -v 4 -a E -s 0.0.0.0 -m 0.0.0.0 -d 10.6.85.5 -M 255.255.255.0 -c tcp -D "ENDIF"

    genfilt -v 4 -a E -s 0.0.0.0 -m 0.0.0.0 -d 10.6.85.5 -M 255.255.255.0 -c tcp -D "ENDIF"

    #
    echo "END-Port range specifications"


    As a result of using the above IPsec stateful filter rules, I found that ports 5000 and 8000 were open, while all the others in between the range were closed. Can anyone assist me with how to get the in-between ports (5001-7999) open?


    #AIX-Forum
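The stateless genfilt operators give another way to express "only TCP destination ports 5000-8000 to this host" without the IF/ELSE/ENDIF construct the post tried: because the filter table is evaluated first-match, two deny rules (destination port below the range, destination port above the range) placed ahead of a catch-all permit leave the permit reachable only for ports inside the range. The script below is an added example written for this thread, not the poster's rule set and not IBM-supplied code. It keeps the post's destination address and mask exactly as given, and assumes the standard genfilt `-O` comparison operators `lt`, `gt` and `any`, first-match evaluation, and `mkfilt -v 4 -u` to load the updated table. The `decide_port` function walks a port through the same three rules in the same order so the boundary behaviour (4999, 5000, 8000, 8001) can be checked before anything touches the live table.

```shell
#!/bin/sh
# Added example (not from the forum post): build a "permit only TCP dport
# LOW..HIGH" rule set from stateless genfilt rules and check which ports it
# actually admits. Assumptions: first-match rule evaluation, -O lt/gt/any.

DST=10.6.85.5            # destination exactly as in the post
DST_MASK=255.255.255.0   # mask exactly as in the post (a /24, not a single host)
LOW=5000
HIGH=8000

# Emit the genfilt commands in the order they must be created. Order is the
# whole point: the two deny rules carve off everything outside the range, so
# the permit that follows can only be reached by dports LOW..HIGH. Any rule
# that must admit other traffic to the host (e.g. management access) has to
# sit before these denies, so place it earlier with -n if needed.
port_range_rules() {
  low=$1; high=$2
  common="-v 4 -s 0.0.0.0 -m 0.0.0.0 -d $DST -M $DST_MASK -c tcp -w I"
  echo "genfilt $common -a D -O lt -P $low -D \"deny tcp dport below $low\""
  echo "genfilt $common -a D -O gt -P $high -D \"deny tcp dport above $high\""
  echo "genfilt $common -a P -O any -P 0 -D \"permit tcp dport $low-$high\""
  echo "mkfilt -v 4 -u"   # push the updated rule table into the kernel
}

# Walk a destination port through the three rules above, in order, and
# print the action of the first rule that matches. This mirrors first-match
# evaluation, so it shows which ports the generated rules really pass.
decide_port() {
  port=$1
  if [ "$port" -lt "$LOW" ]; then echo deny; return; fi    # rule 1: -O lt
  if [ "$port" -gt "$HIGH" ]; then echo deny; return; fi   # rule 2: -O gt
  echo permit                                              # rule 3: -O any
}

# Boundary check for the case the post asked about: 5000, 5001, 7999 and
# 8000 should all be permitted; 4999 and 8001 should be denied.
for p in 4999 5000 5001 6500 7999 8000 8001; do
  printf '%-5s -> %s\n' "$p" "$(decide_port "$p")"
done

port_range_rules "$LOW" "$HIGH"
```

Review the printed commands before running them on the host; `lsfilt -v 4` afterwards shows the resulting rule order, which is what decides behaviour here.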