1 序言
AIX操作系统发行至今,经历数个版本,功能不断增强,就安全方面IP Security也变化不少,如动作中增加了If等功能,但这次暂且讨论配置防火墙策略及防火墙的基本操作,其他高级功能待下回分解。
2 什么是IP Security
IP Security是通过预定义的过滤器规则表中的过滤器规则定义,匹配指定的网络中的数据包,判断其通过还是被拦截,从而使得IP Security之后的网络得到安全性保证。
2.1 菜单结构
smittyà1.Communications Applications and Services
à2.TCP/IP
à3.Configure IP Security (IPv4)
à4.Start/Stop IP Security
à5.Start IP Security
à6.Stop IP Security
à7.Basic IP Security Configuration
à8.Use Internet Key Exchange Refresh Method (IKE Tunnel)
à9.List IKE Entries
à10.Add an IKE Tunnel
à11.Change/Remove IKE Entries
à12.Import Linux IKE Tunnels
à13.Activate IKE Tunnels
à14.Deactivate IKE Tunnels
à15.Export IKE Tunnels
à16.Import AIX IKE Tunnels
à17.Use Manual Session Key Refresh Method (Manual Tunnel)
à18.Change Manual IP Security Tunnel
à19.List Manual IP Security Tunnel
à20.Remove Manual IP Security Tunnel
à21.Export Manual IP Security Tunnel
à22.Import Manual IP Security Tunnel
à23.Activate Manual IP Security Tunnel
à24.Deactivate Manual IP Security Tunnel
à25.Advanced IP Security Configuration
à26.Configure IP Security Filter Rules
à27.List IP Security Filter Rules
à28.Add an IP Security Filter Rule
à29.Change IP Security Filter Rules
à30.Move IP Security Filter Rules
à31.Export IP Security Filter Rules
à32.Import IP Security Filter Rules
à33.Delete IP Security Filter Rules
à34.List Active IP Security Filter Rules
à35.Activate/Update/Deactivate IP Security Filter Rule
à36.List Encryption Modules
à37.Start/Stop IP Security Filter Rule Log
à38.Start/Stop IP Security Tracing
à39.Backup IKE Database
à40.Restore IKE Database
à41.Initialize IKE Database
à42.View IKE XML DTD
à43.Configure IP Security (IPv6)
注:每个选项前面的数字是为了便捷添加,下午如有(NUM)的格式请到上表中查找相应的选项;目录默认起始位置为TCP/IP(2);由于篇幅有限IPv6(43)参考IPv4(3)的目录结构。
3 开始设置 3.1 查看现有配置
在进行所有操作之前必须查看当前的策略,这样可以避免危险却未生效的策略被你激活而造成不必要的损失。
3.1.1 已经激活的配置
Configure IP Security (IPv4)(3)à Advanced IP Security Configuration(25)à List Active IP Security Filter Rules(34)
结果示例:
COMMAND STATUS
Command: OK stdout: yes stderr: no
Before command completion, additional instructions may appear below.
1 *** Dynamic filter placement rule for IKE tunnels *** no
2 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both no all packets 0 all 0 none
注:以上示例均为系统默认策略。
3.1.2 所有的配置
Configure IP Security (IPv4)(3)à Advanced IP Security Configuration(25)à Configure IP Security Filter Rules(26)àList IP Security Filter Rules(27)
结果示例:
COMMAND STATUS
Command: OK stdout: yes stderr: no
Before command completion, additional instructions may appear below.
1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all packets 0 all 0 none Default Rule
2 *** Dynamic filter placement rule for IKE tunnels *** no
0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both no all packets 0 all 0 none Default Rule
注:以上示例均为系统默认策略。
3.2 启动/关闭 3.2.1 启动
Configure IP Security (IPv4)(3)à Start/Stop IP Security(4)à Start IP Security(5)
Start IP Security
Type or select values in entry fields.
Press Enter AFTER making all desired changes.
[Entry Fields]
Start IP Security [Now and After Reboot] +
Deny All Non_Secure IP Packets [no] +
选项
Start IP Security:Now and After Reboot(现在和重启之后)|After Reboot(重启之后)
Deny All Non_Secure IP Packets:不可选择YES,否则你自己都将无法登陆。
3.2.2 关闭
Configure IP Security (IPv4)(3)à Start/Stop IP Security(4)à Stop IP Security(6)
Stop IP Security
Type or select values in entry fields.
Press Enter AFTER making all desired changes.
[Entry Fields]
KEEP definition in database [yes] +
说明
直接回车即可。
3.3 激活/更新/停用策略
在接下来的讲解中,为了使策略激活/更新/停用,不必每次都去重启IP Security,而只需要选择激活/更新/停用即可。
Configure IP Security (IPv4)(3)à Advanced IP Security Configuration(25)àActivate/Update/Deactivate IP Security Filter Rule(35)
Activate/Update/Deactivate IP Security Filter Rule
Move cursor to desired item and press Enter.
Activate / Update
Deactivate
说明
Activate / Update :激活/更新。
Deactivate :停用。
3.4 配置策略 3.4.1 添加策略
Configure IP Security (IPv4)(3)à Advanced IP Security Configuration(25)à Configure IP Security Filter Rules(26)à Add an IP Security Filter Rule(28)
Add an IP Security Filter Rule
Type or select values in entry fields.
Press Enter AFTER making all desired changes.
[TOP] [Entry Fields]
* Rule Action [permit] +
* IP Source Address []
* IP Source Mask []
IP Destination Address []
IP Destination Mask []
* Apply to Source Routing? (PERMIT/inbound only) [yes] +
* Protocol [all] +
* Source Port / ICMP Type Operation [any] +
* Source Port Number / ICMP Type [0] #
* Destination Port / ICMP Code Operation [any] +
* Destination Port Number / ICMP Type [0] #
* Routing [both] +
* Direction [both] +
* Log Control [no] +
* Fragmentation Control [0] +
* Interface [] +
Expiration Time (sec) [] #
Pattern Type [none] +
Pattern / Pattern File []
Description []
[BOTTOM]
F1=Help F2=Refresh F3=Cancel F4=List
Esc+5=Reset Esc+6=Command Esc+7=Edit Esc+8=Image
Esc+9=Shell Esc+0=Exit Enter=Do
注:带*的选项为必填项,当然有些必填项是有默认值的,通常只需Rule Action、IP Source Address、IP Source Mask、Interface即可。
选项
Rule Action: 策略动作,具体如下:
Deny :阻塞流量。
Permit :允许流量。
If :使其成为 IF 过滤规则。
Else :使其成为 ELSE 过滤规则。
Endif :使其成为 ENDIF 过滤规则。
Shun_host :使其成为 SHUN_HOST 过滤规则。
Shun_port :使其成为 SHUN_PORT 过滤规则。
IP Source Address :指定源地址。
IP Source Mask :指定源地址掩码。
IP Destination Address :指定目的地址。
IP Destination Mask :指定目的地址掩码。
Apply to Source Routing? (PERMIT/inbound only):
应用于源路由?必须指定为 Y(是)或 N(否)。如果指定了 Y,此过滤器规则可应用于使用源路由的 IP 包。
Protocol:
协议。有效的值为:udp、icmp、icmpv6、tcp、tcp/ack、ospf、ipip、esp、ah 和 all。值 all 表示过滤器规则将应用于所有协议。也可以使用数字来指定协议(1 到 252 之间)。
Source Port / ICMP Type Operation:
源端口或 ICMP 类型操作。这是在包的源端口/ICMP 类型与在此过滤器规则中指定的源端口或 ICMP 类型(Source Port Number / ICMP Type)的比较中将使用的操作。有效的值为:lt、 le、gt、ge、eq、neq 和 any。当 -c 标志是 ospf 时,该值必须是 any。
Source Port Number / ICMP Type:
源端口或 ICMP 类型。这是将与 IP 包的源端口(或 ICMP 类型)作比较的值/类型。
Destination Port / ICMP Code Operation:
目的地端口或 ICMP 代码操作。这是在包的目的地端口/ICMP 代码与目的地端口或 ICMP 代码(Source Port Number / ICMP Type)的比较中将使用的操作。有效的值为:lt、le、gt、ge、eq、neq 和 any。当 -c 标志为 ospf 时,该值必须是 any。
Destination Port Number / ICMP Type:
目的地端口/ICMP 代码。这是将与 IP 包的目的地端口(或 ICMP 代码)作比较的值/代码。
Routing:
指定规则是应用于被转发的包(Route),还是发到或来自本地主机的包(Local),抑或是两者都适用(Both)。
Direction:
指定规则是应用于进入包(Inbound),还是输出包(Outbound),抑或是两者都适用(Both)。
Log Control:
日志控制。必须指定为 Y(是)或 N(否)。如果指定为 Y,与此过滤器规则相匹配的包将被包括在过滤器日志中。
Fragmentation Control:
碎片控制,默认为0,无法更改。
Interface:
过滤器规则将应用于的 IP 接口名称。示例为:all、tr0、en0、lo0 和 pp0。
Expiration Time (sec):
指定规则保持活动的时间量,以分钟计。expiration_time 不会将过滤规则从数据库中除去。expiration_time是关于在处理网络流量时过滤规则活动的时间量。如果没有指定 expiration_time,那么过滤规则的存在时间为无限。如果 expiration_time 是与 SHUN_PORT (-a S)或者 SHUN_HOST(-a H)过滤规则一起指定的,那么这是指一旦满足过滤规则参数时,远程端口或远程主机被拒绝或避开的时间量。如果 expiration_time 是独立于避开规则而指定的,那么这是指过滤规则装入到内核并开始处理网络流量之后,过滤规则保持活动的时间量。
Pattern Type :未知,不知道干嘛的。
Pattern / Pattern File :未知, 不知道干嘛的。
Description :描述。
3.4.2 变更策略
Configure IP Security (IPv4)(3)à Advanced IP Security Configuration(25)à Configure IP Security Filter Rules(26)à Change IP Security Filter Rules(29)
Filter Configuration
Move cursor to desired item and press Enter. Use arrow keys to scroll.
1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both b
2 *** Dynamic filter placement rule for IKE tunnels *** no
3 permit 1.1.1.1 0.0.0.0 0.0.0.0 255.255.255.255 yes all any 0 any 0 b
0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both
说明:
选择你要变更的策略回车即可,选项描述见“添加策略”。
3.4.3 移动策略
Configure IP Security (IPv4)(3)à Advanced IP Security Configuration(25)à Configure IP Security Filter Rules(26)à Move IP Security Filter Rules(30)
选择欲移动的策略:
Select the entry to be moved
Move cursor to desired item and press Enter. Use arrow keys to scroll.
1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both b
2 *** Dynamic filter placement rule for IKE tunnels *** no
3 permit 1.1.1.1 0.0.0.0 0.0.0.0 255.255.255.255 yes all any 0 any 0 b
0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both
选择欲与之交换的策略:
Select the Entry to be Moved to
Move cursor to desired item and press Enter. Use arrow keys to scroll.
1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both b
2 *** Dynamic filter placement rule for IKE tunnels *** no
3 permit 1.1.1.1 0.0.0.0 0.0.0.0 255.255.255.255 yes all any 0 any 0 b
0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both
3.4.4 删除策略
Configure IP Security (IPv4)(3)à Advanced IP Security Configuration(25)à Configure IP Security Filter Rules(26)à Delete IP Security Filter Rules(33)
Filter Configuration
Move cursor to desired item and press Enter. Use arrow keys to scroll.
1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both b
2 *** Dynamic filter placement rule for IKE tunnels *** no
3 permit 1.1.1.1 0.0.0.0 0.0.0.0 255.255.255.255 yes all any 0 any 0 b
0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both
说明:
选择欲删除的策略回车即可。
3.4.5 导出策略
Configure IP Security (IPv4)(3)à Advanced IP Security Configuration(25)à Configure IP Security Filter Rules(26)à Export IP Security Filter Rules(31)
Export IP Security Filter
Type or select values in entry fields.
Press Enter AFTER making all desired changes.
[Entry Fields]
* Export Directory Name [] /
* Filter Rules [] +
* Reverse direction on Filter Rules [yes] +
说明:
Export Directory Name :指定导出文件的路径。
Filter Rules :选择导出的策略。
Reverse direction on Filter Rules :选择顺序(默认即可)。
3.4.6 导入策略
Configure IP Security (IPv4)(3)à Advanced IP Security Configuration(25)à Configure IP Security Filter Rules(26)à Import IP Security Filter Rules(32)
Import IP Security Filter
Type or select values in entry fields.
Press Enter AFTER making all desired changes.
[Entry Fields]
* Import Directory Name []
* Filter Rules [] +
说明:
Import Directory Name :指定导入文件的路径。
Filter Rules :指定导入策略的位置(数字)可按F4选择默认。