Originally posted by: GMoses
I have most recently been assigned the task of implementing IPsec filter rules on AIX 7.1. Defining the rules via genfilt was straightforward for a specific port's attributes to be either PERMIT-ted or DENY-ed. However, we have an application that needs a block of ports starting at 5000 - 8000. In order to accomplish this, I attempted to use the IPsec stateful filter rules, which allow for actions such as IF, ELSE, and ENDIF. Provided below are the actual IPsec rules I tried using:
genfilt -v 4 -a I -s 0.0.0.0 -m 0.0.0.0 -d 10.6.85.5 -M 255.255.255.0 -c tcp -O ge -P 5000 -D "Set Low range Value GE 5000"
#Action: Permit Traffic
genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d 10.6.85.5 -M 255.255.255.0 -c tcp -O any -P 0 -D "Permit-ports >= 5000 traffic flow"
genfilt -v 4 -a L -s 0.0.0.0 -m 0.0.0.0 -d 10.6.85.5 -M 255.255.255.0 -c tcp -D "ELSE"
genfilt -v 4 -a I -s 0.0.0.0 -m 0.0.0.0 -d 10.6.85.5 -M 255.255.255.0 -c tcp -O ge -P 8000 -D "Set High range Value equal 8000"
# Action: DENY Traffic
#
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 10.6.85.5 -M 255.255.255.0 -c tcp -O any -P any -w I -D \
"DENY all port request that fall through."
genfilt -v 4 -a E -s 0.0.0.0 -m 0.0.0.0 -d 10.6.85.5 -M 255.255.255.0 -c tcp -D "ENDIF"
genfilt -v 4 -a E -s 0.0.0.0 -m 0.0.0.0 -d 10.6.85.5 -M 255.255.255.0 -c tcp -D "ENDIF"
#
echo "END-Port range specifications"
As a result of using the above IPsec stateful filter rules, I found that ports 5000 and 8000 were open, while all the others in between were closed. Can anyone assist me with how to get the in-between ports (5001-7999) open?
#AIX-Forum
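As an added example (not part of the original post, and not AIX code), the following Python models in-order, first-match evaluation of a filter table, which is how AIX processes its filter rules, to show why a single `-O`/`-P` pair per rule cannot express a range on its own and how ordering two plain stateless rules does. The rule tuples and the sample ports are constructed for illustration.

```python
"""Model of ordered, first-match filter evaluation for a TCP port range.

Added example, not from the original post or from AIX itself. It assumes
that filter rules are evaluated in table order and the first matching rule
decides, with a catch-all default rule at the end. Each rule carries one
operator/port pair, like a single genfilt -O/-P setting.
"""
import operator

# Comparison operators accepted by genfilt -O, mapped to Python callables.
OPS = {
    "lt": operator.lt, "le": operator.le, "gt": operator.gt,
    "ge": operator.ge, "eq": operator.eq, "neq": operator.ne,
    "any": lambda port, value: True,      # matches every port
}

def evaluate(rules, port):
    """Return the action ('P' permit or 'D' deny) of the first rule matching port."""
    for action, op, value in rules:
        if OPS[op](port, value):
            return action
    raise ValueError("no default rule reached")

# A permit that only sets the low bound: everything above 8000 leaks through.
LOW_BOUND_ONLY = [
    ("P", "ge", 5000),          # permit dst port >= 5000
    ("D", "any", 0),            # default deny
]

# Two stateless rules in the right order express the closed range 5000-8000:
# deny the high side first, then permit everything at or above the low bound.
RANGE_5000_8000 = [
    ("D", "gt", 8000),          # deny dst port > 8000 (must come first)
    ("P", "ge", 5000),          # permit dst port >= 5000
    ("D", "any", 0),            # default deny
]

# The same rules with permit and deny swapped: the permit matches first,
# so the deny for ports above 8000 is never reached.
WRONG_ORDER = [RANGE_5000_8000[1], RANGE_5000_8000[0], RANGE_5000_8000[2]]

def table(rules, ports=(4999, 5000, 6500, 8000, 8001)):
    """Evaluate a rule list against a set of constructed sample ports."""
    return {p: evaluate(rules, p) for p in ports}

if __name__ == "__main__":
    print("low bound only :", table(LOW_BOUND_ONLY))
    print("range 5000-8000:", table(RANGE_5000_8000))
    print("wrong order    :", table(WRONG_ORDER))
```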