Originally posted by: The_Doctor
Questions on IPsec on AIX 7.1:
- is there any decent documentation on IPsec for AIX..... specifically describing how to put together a simple if - else - endif construct ? (scouring Google turned up a small example in the "ckfilt" command..... but that is pretty much content free)
Below is a simple snippet of what I've attempted. No errors, but doesn't come close to working.
> # lsfilt -v 4 -O
1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|if|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|en0|0|||is packet on en0 ?
4|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|yes|all packets|0|en0|0|||permit anything on en0
5|else|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||packet is on any other enX
6|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|22|both|inbound|yes|all packets|0|all|0|||deny inbound ssh
7|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|23|both|inbound|yes|all packets|0|all|0|||deny inbound telnet
8|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|yes|all packets|0|all|0|||permit anything else
9|endif|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||endif
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule
> # ckfilt -v 4 -O
Beginning of IPv4 filter rules.
2|*** Dynamic filter placement rule for IKE tunnels ***|no
IF 3|if|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|en0|0|||is packet on en0 ?
| 4|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|yes|all packets|0|en0|0|||permit anything on en0
ELSE 5|else|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||packet is on any other enX
| 6|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|22|both|inbound|yes|all packets|0|all|0|||deny inbound ssh
| 7|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|23|both|inbound|yes|all packets|0|all|0|||deny inbound telnet
| 8|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|yes|all packets|0|all|0|||permit anything else
ENDIF 9|endif|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||endif
0||0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|0|???|0|???|0|?????|????????|no|???????|0||0|||
> # mkfilt -u
> # lsfilt -v 4 -O -a
1|*** Dynamic filter placement rule for IKE tunnels ***|no
2|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|yes|all packets|0|en0|0|||
3|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||
> #
The above is just for those inclined to dissect the if - else - endif statements (that don't work). You may notice that my original Rule # 4 + the default rule are the only rules that get applied.
Bottom line:
- anyone have a link to some decent documentation on IPsec for AIX, covering if - else - endif logic ?
#AIX-Forum
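An added example (my own code, not the poster's and not an IBM tool): a small Python checker that parses the `lsfilt -v 4 -O` listing from the post, verifies that every `else` and `endif` has a matching `if`, renders the branch structure the way `ckfilt` does, and lists which rule numbers a packet on a given interface would be evaluated against. Two assumptions are baked in and should be verified against the AIX `lsfilt` documentation: the 22-column field order of `lsfilt -O`, and the simplification that an `if` rule is decided only by its interface field (`all` matching every interface), ignoring its other match criteria.

```python
"""Check if/else/endif nesting in `lsfilt -v 4 -O` output (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed column order of `lsfilt -O` (22 pipe-separated fields); verify on your system.
FIELDS = [
    "rule", "action", "src", "src_mask", "dst", "dst_mask", "src_routing",
    "proto", "sport_op", "sport", "dport_op", "dport", "scope", "direction",
    "logging", "fragment", "tunnel", "interface", "expiration", "pattern",
    "pattern_file", "description",
]

# The poster's listing, reproduced as sample input for this checker.
SAMPLE_LISTING = """1|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|udp|eq|4001|eq|4001|both|both|no|all packets|0|all|0|||Default Rule
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|if|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|en0|0|||is packet on en0 ?
4|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|yes|all packets|0|en0|0|||permit anything on en0
5|else|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||packet is on any other enX
6|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|22|both|inbound|yes|all packets|0|all|0|||deny inbound ssh
7|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|23|both|inbound|yes|all packets|0|all|0|||deny inbound telnet
8|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|yes|all packets|0|all|0|||permit anything else
9|endif|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||endif
0|permit|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|any|0|both|both|no|all packets|0|all|0|||Default Rule"""


@dataclass
class Node:
    rule: Dict[str, str]                                   # parsed lsfilt fields
    then_branch: List["Node"] = field(default_factory=list)  # used only for 'if'
    else_branch: List["Node"] = field(default_factory=list)  # used only for 'if'
    in_else: bool = False                                  # 'else' already seen


def parse_line(line: str):
    """Split one lsfilt line into a dict; skip lines that are not 22 fields
    (e.g. the IKE dynamic placement marker)."""
    parts = line.rstrip("\n").split("|")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None


def build_tree(lines) -> List[Node]:
    """Nest rules into if/else/endif blocks; raise ValueError on bad nesting."""
    root: List[Node] = []
    stack: List[Node] = []      # currently open 'if' nodes
    cur = root                  # list receiving the next plain rule
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        action = r["action"]
        if action == "if":
            node = Node(r)
            cur.append(node)
            stack.append(node)
            cur = node.then_branch
        elif action == "else":
            if not stack:
                raise ValueError(f"rule {r['rule']}: 'else' without open 'if'")
            if stack[-1].in_else:
                raise ValueError(f"rule {r['rule']}: second 'else' for if-rule {stack[-1].rule['rule']}")
            stack[-1].in_else = True
            cur = stack[-1].else_branch
        elif action == "endif":
            if not stack:
                raise ValueError(f"rule {r['rule']}: 'endif' without open 'if'")
            stack.pop()
            if stack:   # back to whichever branch of the enclosing 'if' is open
                cur = stack[-1].else_branch if stack[-1].in_else else stack[-1].then_branch
            else:
                cur = root
        else:
            cur.append(Node(r))
    if stack:
        raise ValueError(f"unterminated 'if' rule(s): {[n.rule['rule'] for n in stack]}")
    return root


def render(nodes: List[Node], depth: int = 0) -> List[str]:
    """Produce a ckfilt-style indented view of the block structure."""
    out, pad = [], "| " * depth
    for n in nodes:
        if n.rule["action"] == "if":
            out.append(f"{pad}IF {n.rule['rule']}: {n.rule['description']}")
            out.extend(render(n.then_branch, depth + 1))
            if n.in_else:
                out.append(f"{pad}ELSE")
                out.extend(render(n.else_branch, depth + 1))
            out.append(f"{pad}ENDIF")
        else:
            out.append(f"{pad}{n.rule['rule']} {n.rule['action']}: {n.rule['description']}")
    return out


def rules_for_interface(nodes: List[Node], iface: str) -> List[str]:
    """Rule numbers consulted for a packet on `iface`. Assumption: an 'if' is
    decided only by its interface field ('all' matches every interface)."""
    out: List[str] = []
    for n in nodes:
        if n.rule["action"] == "if":
            branch = n.then_branch if n.rule["interface"] in ("all", iface) else n.else_branch
            out.extend(rules_for_interface(branch, iface))
        else:
            out.append(n.rule["rule"])
    return out


if __name__ == "__main__":
    tree = build_tree(SAMPLE_LISTING.splitlines())
    print("\n".join(render(tree)))
    for iface in ("en0", "en1"):
        print(iface, "->", rules_for_interface(tree, iface))
```

Run it against a saved `lsfilt -v 4 -O` listing (replace `SAMPLE_LISTING` with the file contents) before activating with `mkfilt -u`; an unterminated `if` or a stray `else` is reported as an exception instead of being discovered later when the active table turns out to contain only a couple of rules.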