AIX操作系统支持静态的IP包过滤功能,您可以利用这一功能来保护连接在网络上的服务器。在使用这一功能之前,您需要安装以下软件包:
bos.net.ipsec.keymgt
bos.net.ipsec.rte
然后您就可以进行包过滤的配置了。
首先运行smitty ipsec4, 选择Advanced IP Security Configuration->Configure IP Security Filter Rules->Add an IP Security Filter Rule,然后在其中填写过滤的细节。具体介绍如下:
Rule Action 操作:
deny
拒绝
permit
允许
IP Source Address 源地址。可以是 IP 地址或主机名。
IP Source Mask 比较位掩码。设置为“1”的位表示源地址中对应的位将被比较。
IP Destination Address 目标地址。可以是 IP 地址或主机名。
IP Destination Mask 目标比较位掩码。设置为“1”的位表示目标地址中对应的位将被比较。
Apply to Source Routing? (PERMIT/inbound only) 源路由控制:yes 或 no。决定是(yes)否(no)允许Source Routing包。
Protocol 协议。值可以是 udp、icmp、tcp、tcp/ack、ospf、pip、esp、ah 和 all。
Source Port / ICMP Type Operation 源端口或 ICMP 类型操作。可以是等于(eq)、大于(gt)、小于(lt)、不等于(neq)、小于等于(le)、大于等于(ge)、任何(any)。
Source Port Number / ICMP Type 源端口或 ICMP 类型值。 ICMP 类型值列出如下:
0 = Echo Reply
3 = Destination Unreachable
4 = Source Quench
5 = Redirect
8 = Echo Request
11 = Time Exceeded
12 = Parameter Problem
13 = Timestamp Request
14 = Timestamp Reply
15 = Information Request
16 = Information Reply
A1 = Address Format Request
A2 = Address Format Reply
Destination Port / ICMP Code Operation 目标端口或 ICMP 代码操作。可以是等于(eq)、大于(gt)、小于(lt)、不等于(neq)、小于等于(le)、大于等于(ge)、任何(any)。
Destination Port Number / ICMP Type 目标端口或 ICMP 代码值。ICMP类型对应的代码值列出如下:
TYPE = 0 - Echo Reply sent by:
0 = (no special meaning) host, router
TYPE = 3 - Destination Unreachable sent by:
0 = network unreachable router
1 = host unreachable router
2 = protocol unreachable host
3 = port unreachable host
4 = fragmentation needed but impossible router
because of 'don't fragment' command
5 = source route not reachable router
TYPE = 4 - Source Quench sent by:
0 = datagram could not be received host, router
or routed
TYPE = 5 - Redirect sent by:
redirection of all datagrams ...
0 = ...to a specific IP network router
1 = ...to a specific IP host router
2 = ...of a spedific type of service and network router
3 = ...of a specific type of service and host router
TYPE = 8 - Echo Request sent by:
0 = (no special meaning) host, router
TYPE = 11 - Time Exceeded sent by:
0 = TTL set to 0 router
1 = reassembly timer exceeded host
TYPE = 12 - Parameter Problem sent by:
0 = the ICMP header's pointer identifies host, router
a faulty octett within the datagram
TYPE = 13/14 - Timestamp Request/Reply sent by:
0 = (no special meaning) host, router
TYPE = 15/16 - Information Request/Reply sent by:
0 = (no special meaning) host, router
TYPE = A1 - Address Format Request sent by:
0 = (no special meaning) host, router
TYPE = A2 - Address Format Reply sent by:
n = [number of bits in a subnet mask] host, router
Routing 路由:
route
转发的信息包
local
本地目标/源信息包
both
二者
Direction 方向。
inbond
传入的信息包
outbound
传出的信息包
both
二者
Log Control 日志控制。
yes
包含在日志中
no
不包含在日志中。
Fragmentation Control 分段控制。
all packets
应用到分段头部分、分段部分和非分段部分
fragments and fragment headers only
只应用于分段部分和分段头部分
unfragmented packets only
只应用于非分段部分
fragment headers and unfragmented packets only
只应用于非分段部分和分段头部分
Tunnel ID 报文封装标识。
Interface 接口,如 tr0 或 en0。
配置完成后选择Move IP Security Filter Rules调整适合的过滤器顺序,然后选择 Start/Stop IP Security启动过滤器。
使用lsfilt可以按顺序列出当前配置的过滤器。