AIX firewall accept established connection

[Michael1457]

I'm trying to configure a firewall for AIX to accept incoming connections on ports 22 and 443 and deny everything else. All is ok; the server accepts connections only on 22 and 443, but after that I also need to accept all outgoing connections -- ssh and telnet, for example. So I started with

[tt]genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d x.x.x.x -M 255.255.255.255 -c tcp -o any -p 0 -O eq -P 22 -w I -i all
genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d x.x.x.x -M 255.255.255.255 -c tcp -o any -p 0 -O eq -P 443 -w I -i all
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d x.x.x.x -M 255.255.255.255 -c tcp -o any -p 0 -O any -P 0 -w I -i all[/tt]

Afterwards, I had to accept outgoing connections, so I introduced another rule:

genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d x.x.x.x -M 255.255.255.255 -c tcp -o any -p 0 -O eq -P 22 -w I -i all
genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d x.x.x.x -M 255.255.255.255 -c tcp -o any -p 0 -O eq -P 443 -w I -i all
**genfilt -v 4 -a P -s x.x.x.x -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 -c tcp -o any -p 0 -O any -P 0 -r L -w O -i all**
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d x.x.x.x -M 255.255.255.255 -c tcp -o any -p 0 -O any -P 0 -w I -i all

and after that tried more rules:

genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -c tcp/syn -o any -p 0 -O any -P 0 -w O -i all
genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -c tcp -o any -p 0 -O any -P 0 -w O -i all

But outgoing connections still not working, does anyone have any knowledge about this?

 

[w5000]

hmm,
it works for me but I did it as follows - simple example for adding additional ssh/22 rule on existing configuration:

# rmfilt -v 4 -n all
Filter rule 3 for IPv4 has been removed successfully.
Filter rule 4 for IPv4 has been removed successfully.
Filter rule 5 for IPv4 has been removed successfully.
# genfilt -v 4 -a P -s 10.10.10.49 -m 255.255.255.0 -d 10.10.10.244 -M 255.255.255.0 -g Y -O eq -P 22 -w I -i all
Filter rule 3 for IPv4 has been added successfully.
# genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -O eq -P 22 -w I -i all
Filter rule 4 for IPv4 has been added successfully.
# mkfilt -v 4 -u -g start

----==== adding new ====------
# genfilt -v 4 -a P -s 192.168.10.207 -m 255.255.254.0 -d 0.0.0.0 -M 0.0.0.0 -O eq -P 22 -w I -i all
Filter rule 5 for IPv4 has been added successfully.
# ckfilt -v 4 -O
Beginning of IPv4 filter rules.
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|10.10.10.49|255.255.255.0|10.10.10.244|255.255.255.0|yes|all|any|0|eq|22|both|inbound|no|all packets|0|all|0|||
[COLOR=#EF2929]4|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|22|both|inbound|no|all packets|0|all|0|||
5|permit|192.168.10.207|255.255.254.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|22|both|inbound|no|all packets|0|all|0|||[/color]
0||0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|0|???|0|???|0|?????|????????|no|???????|0||0|||
# IP=192.168.10.207;PORT=22;[COLOR=#EF2929]mvfilt[/color] -v4 -p $(lsfilt -v4 -O|awk -F\| -vr=${PORT} -vc=${IP} '$2=="permit"&&$3==c&&$12==r{print$1}') -n $(lsfilt -v4 -O|awk -F\| -vr=${PORT} '$2=="deny"&&$12==r{print$1}')
Filter rule 5 for IPv4 has been moved to 4 successfully.
# ckfilt -v 4 -O
Beginning of IPv4 filter rules.
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|10.10.10.49|255.255.255.0|10.10.10.244|255.255.255.0|yes|all|any|0|eq|22|both|inbound|no|all packets|0|all|0|||
[COLOR=#EF2929]4|permit|192.168.10.207|255.255.254.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|22|both|inbound|no|all packets|0|all|0|||
5|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|22|both|inbound|no|all packets|0|all|0|||[/color]
0||0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|0|???|0|???|0|?????|????????|no|???????|0||0|||
# mkfilt -v 4 -u -g start
#

I just can't now explain the difference between rules:
|permit|192.168.10.207|255.255.254.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|22|both|inbound|no|all packets|0|all|0|||
and
|permit|0.0.0.0|0.0.0.0|192.168.10.207|255.255.254.0|yes|all|any|0|eq|22|both|inbound|no|all packets|0|all|0|||

-- the host with IP 192.168.10.207 can ssh access the host with any of above rule...(doesn't matter 192.168.10.207|255.255.254.0 is on source side or on target in the rule)

 

[Michael1457]

Hi @w5000, ssh works from localhost but I need all ports to work from localhost to other hosts, like telnet, wget..80, 443, etc..

 

[w5000]

hello,
I have checked and my setting doesn't block any connection from local-host to other hosts. It only grants access co incoming ssh connection for the two IPs (permit rules).