如何在AIX上实现IP包过滤的功能

王朝other·作者佚名  2008-05-18
窄屏简体版  字體: |||超大  

AIX操作系统支持静态的IP包过滤功能,您可以利用这一功能来保护连接在网络上的服务器。在使用这一功能之前,您需要安装以下软件包:

bos.net.ipsec.keymgt

bos.net.ipsec.rte

然后您就可以进行包过滤的配置了。

首先运行smitty ipsec4, 选择Advanced IP Security Configuration->Configure IP Security Filter Rules->Add an IP Security Filter Rule,然后在其中填写过滤的细节。具体介绍如下:

Rule Action 操作:

deny

拒绝

permit

允许

IP Source Address 源地址。可以是 IP 地址或主机名。

IP Source Mask 比较位掩码。设置为“1”的位表示源地址中对应的位将被比较。

IP Destination Address 目标地址。可以是 IP 地址或主机名。

IP Destination Mask 目标比较位掩码。设置为“1”的位表示目标地址中对应的位将被比较。

Apply to Source Routing? (PERMIT/inbound only) 源路由控制:yes 或 no。决定是(yes)否(no)允许Source Routing包。

Protocol 协议。值可以是 udp、icmp、tcp、tcp/ack、ospf、pip、esp、ah 和 all。

Source Port / ICMP Type Operation 源端口或 ICMP 类型操作。可以是等于(eq)、大于(gt)、小于(lt)、不等于(neq)、小于等于(le)、大于等于(ge)、任何(any)。

Source Port Number / ICMP Type 源端口或 ICMP 类型值。 ICMP 类型值列出如下:

0 = Echo Reply

3 = Destination Unreachable

4 = Source Quench

5 = Redirect

8 = Echo Request

11 = Time Exceeded

12 = Parameter Problem

13 = Timestamp Request

14 = Timestamp Reply

15 = Information Request

16 = Information Reply

A1 = Address Format Request

A2 = Address Format Reply

Destination Port / ICMP Code Operation 目标端口或 ICMP 代码操作。可以是等于(eq)、大于(gt)、小于(lt)、不等于(neq)、小于等于(le)、大于等于(ge)、任何(any)。

Destination Port Number / ICMP Type 目标端口或 ICMP 代码值。ICMP类型对应的代码值列出如下:

TYPE = 0 - Echo Reply sent by:

0 = (no special meaning) host, router

TYPE = 3 - Destination Unreachable sent by:

0 = network unreachable router

1 = host unreachable router

2 = protocol unreachable host

3 = port unreachable host

4 = fragmentation needed but impossible router

because of 'don't fragment' command

5 = source route not reachable router

TYPE = 4 - Source Quench sent by:

0 = datagram could not be received host, router

or routed

TYPE = 5 - Redirect sent by:

redirection of all datagrams ...

0 = ...to a specific IP network router

1 = ...to a specific IP host router

2 = ...of a spedific type of service and network router

3 = ...of a specific type of service and host router

TYPE = 8 - Echo Request sent by:

0 = (no special meaning) host, router

TYPE = 11 - Time Exceeded sent by:

0 = TTL set to 0 router

1 = reassembly timer exceeded host

TYPE = 12 - Parameter Problem sent by:

0 = the ICMP header's pointer identifies host, router

a faulty octett within the datagram

TYPE = 13/14 - Timestamp Request/Reply sent by:

0 = (no special meaning) host, router

TYPE = 15/16 - Information Request/Reply sent by:

0 = (no special meaning) host, router

TYPE = A1 - Address Format Request sent by:

0 = (no special meaning) host, router

TYPE = A2 - Address Format Reply sent by:

n = [number of bits in a subnet mask] host, router

Routing 路由:

route

转发的信息包

local

本地目标/源信息包

both

二者

Direction 方向。

inbond

传入的信息包

outbound

传出的信息包

both

二者

Log Control 日志控制。

yes

包含在日志中

no

不包含在日志中。

Fragmentation Control 分段控制。

all packets

应用到分段头部分、分段部分和非分段部分

fragments and fragment headers only

只应用于分段部分和分段头部分

unfragmented packets only

只应用于非分段部分

fragment headers and unfragmented packets only

只应用于非分段部分和分段头部分

Tunnel ID 报文封装标识。

Interface 接口,如 tr0 或 en0。

配置完成后选择Move IP Security Filter Rules调整适合的过滤器顺序,然后选择 Start/Stop IP Security启动过滤器。

使用lsfilt可以按顺序列出当前配置的过滤器。

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
 
 
© 2005- 王朝網路 版權所有 導航