Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

AIX firewall accept established connection

Status
Not open for further replies.

Michael1457

Technical User
Sep 29, 2016
2
RO
I'm trying to configure a firewall for AIX to accept incoming connections on ports 22 and 443 and deny everything else. All is ok; the server accepts connections only on 22 and 443, but after that I also need to accept all outgoing connections -- ssh and telnet, for example. So I started with
Code:
[tt]genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d x.x.x.x -M 255.255.255.255 -c tcp -o any -p 0 -O eq -P 22 -w I -i all
genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d x.x.x.x -M 255.255.255.255 -c tcp -o any -p 0 -O eq -P 443 -w I -i all
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d x.x.x.x -M 255.255.255.255 -c tcp -o any -p 0 -O any -P 0 -w I -i all[/tt]
Afterwards, I had to accept outgoing connections, so I introduced another rule:
Code:
genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d x.x.x.x -M 255.255.255.255 -c tcp -o any -p 0 -O eq -P 22 -w I -i all
genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d x.x.x.x -M 255.255.255.255 -c tcp -o any -p 0 -O eq -P 443 -w I -i all
**genfilt -v 4 -a P -s x.x.x.x -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 -c tcp -o any -p 0 -O any -P 0 -r L -w O -i all**
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d x.x.x.x -M 255.255.255.255 -c tcp -o any -p 0 -O any -P 0 -w I -i all
and after that tried more rules:
Code:
genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -c tcp/syn -o any -p 0 -O any -P 0 -w O -i all
genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -c tcp -o any -p 0 -O any -P 0 -w O -i all
But outgoing connections still not working, does anyone have any knowledge about this?
 
hmm,
it works for me but I did it as follows - simple example for adding additional ssh/22 rule on existing configuration:

Code:
# rmfilt -v 4 -n all
Filter rule 3 for IPv4 has been removed successfully.
Filter rule 4 for IPv4 has been removed successfully.
Filter rule 5 for IPv4 has been removed successfully.
# genfilt -v 4 -a P -s 10.10.10.49 -m 255.255.255.0 -d 10.10.10.244 -M 255.255.255.0 -g Y -O eq -P 22 -w I -i all
Filter rule 3 for IPv4 has been added successfully.
# genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -O eq -P 22 -w I -i all
Filter rule 4 for IPv4 has been added successfully.
# mkfilt -v 4 -u -g start

----==== adding new ====------
# genfilt -v 4 -a P -s 192.168.10.207 -m 255.255.254.0 -d 0.0.0.0 -M 0.0.0.0 -O eq -P 22 -w I -i all
Filter rule 5 for IPv4 has been added successfully.
# ckfilt -v 4 -O
Beginning of IPv4 filter rules.
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|10.10.10.49|255.255.255.0|10.10.10.244|255.255.255.0|yes|all|any|0|eq|22|both|inbound|no|all packets|0|all|0|||
[COLOR=#EF2929]4|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|22|both|inbound|no|all packets|0|all|0|||
5|permit|192.168.10.207|255.255.254.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|22|both|inbound|no|all packets|0|all|0|||[/color]
0||0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|0|???|0|???|0|?????|????????|no|???????|0||0|||
# IP=192.168.10.207;PORT=22;[COLOR=#EF2929]mvfilt[/color] -v4 -p $(lsfilt -v4 -O|awk -F\| -vr=${PORT} -vc=${IP} '$2=="permit"&&$3==c&&$12==r{print$1}') -n $(lsfilt -v4 -O|awk -F\| -vr=${PORT} '$2=="deny"&&$12==r{print$1}')
Filter rule 5 for IPv4 has been moved to 4 successfully.
# ckfilt -v 4 -O
Beginning of IPv4 filter rules.
2|*** Dynamic filter placement rule for IKE tunnels ***|no
3|permit|10.10.10.49|255.255.255.0|10.10.10.244|255.255.255.0|yes|all|any|0|eq|22|both|inbound|no|all packets|0|all|0|||
[COLOR=#EF2929]4|permit|192.168.10.207|255.255.254.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|22|both|inbound|no|all packets|0|all|0|||
5|deny|0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|22|both|inbound|no|all packets|0|all|0|||[/color]
0||0.0.0.0|0.0.0.0|0.0.0.0|0.0.0.0|no|0|???|0|???|0|?????|????????|no|???????|0||0|||
# mkfilt -v 4 -u -g start
#

I just can't now explain the difference between rules:
|permit|192.168.10.207|255.255.254.0|0.0.0.0|0.0.0.0|yes|all|any|0|eq|22|both|inbound|no|all packets|0|all|0|||
and
|permit|0.0.0.0|0.0.0.0|192.168.10.207|255.255.254.0|yes|all|any|0|eq|22|both|inbound|no|all packets|0|all|0|||

-- the host with IP 192.168.10.207 can ssh access the host with any of above rule...(doesn't matter 192.168.10.207|255.255.254.0 is on source side or on target in the rule)


 
Hi @w5000, ssh works from localhost but I need all ports to work from localhost to other hosts, like telnet, wget..80, 443, etc..
 
hello,
I have checked and my setting doesn't block any connection from local-host to other hosts. It only grants access co incoming ssh connection for the two IPs (permit rules).
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top