Under Construction

Arbeiten mit AIX -> AIX-SicherheitIP-Filterung mit IPsecFilter-Regeln

Anzeigen von Filter-Regeln (SMIT)

Filter-Regeln lassen sich auch über SMIT anzeigen:

Aktive Filter-Regeln IPv4:

    • smit ipsec4 > Advanced IP Security Configuration > List Active IP Security Filter Rules
    • smit ips4_advanced > List Active IP Security Filter Rules
    • smit ips4_list_active_filter

Filter-Regel-Tabelle IPv4 (ipsec_filter):

    • smit ipsec4 > Advanced IP Security Configuration > Configure IP Security Filter Rules > List IP Security Filter Rules
    • smit ips4_advanced > Configure IP Security Filter Rules > List IP Security Filter Rules
    • smit ips4_conf_filter > List IP Security Filter Rules
    • smit ips4_list_filter

Aktive Filter-Regeln IPv6:

    • smit ipsec6 > Advanced IP Security Configuration > List Active IP Security Filter Rules
    • smit ips6_advanced > List Active IP Security Filter Rules
    • smit ips6_list_active_filter

Filter-Regel-Tabelle IPv6 (ipsec_filter):

    • smit ipsec6 > Advanced IP Security Configuration > Configure IP Security Filter Rules > List IP Security Filter Rules
    • smit ips6_advanced > Configure IP Security Filter Rules > List IP Security Filter Rules
    • smit ips6_conf_filter > List IP Security Filter Rules
    • smit ips6_list_filter

Als Beispiel  zeigen wir hier nur die Auflistung der aktiven IPv4 Filter-Regeln über den Fastpath ips4_list_active_filter:

# smit ips4_list_active_filter
                                                                     COMMAND STATUS

Command: OK            stdout: yes           stderr: no

Before command completion, additional instructions may appear below.

1 *** Dynamic filter placement rule for IKE tunnels *** no
2 permit 10.222.16.155 255.255.255.255 0.0.0.0 0.0.0.0 yes all any 0 any 0 both outbound no all packets 0 all 0 none
3 deny 10.20.170.250 255.255.255.255 10.222.16.155 255.255.255.255 yes tcp any 0 eq 22 both inbound yes all packets 0 all 0 none
4 permit 10.16.207.91 255.255.255.255 10.222.16.155 255.255.255.255 yes udp any 0 eq 657 both inbound yes all packets 0 all 0 none
5 permit 10.16.207.92 255.255.255.255 10.222.16.155 255.255.255.255 yes udp any 0 eq 657 both inbound yes all packets 0 all 0 none
6 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both no all packets 0 all 0 none

Letztlich wird das schon auf der Kommandozeile benutzte lsfilt Kommando mit den entsprechenden Optionen ausgeführt.