(Repost) A brief look at the IPFilter firewall on AIX


1    Preface

AIX has been through several releases since it first shipped, and its feature set keeps growing. On the security side, IP Security has changed quite a bit as well, for example the If action was added to the list of rule actions. This post, however, only covers configuring firewall policies (filter rules) and the basic operation of the firewall; the more advanced features are left for a later post.

 

2    What is IP Security

IP Security works from a predefined table of filter rules. Each rule is matched against the packets on the specified network and decides whether a packet passes or is blocked, so that the network behind IP Security is protected.

 

2.1   Menu structure

smitty
→ 1. Communications Applications and Services
    → 2. TCP/IP
        → 3. Configure IP Security (IPv4)
            → 4. Start/Stop IP Security
                → 5. Start IP Security
                → 6. Stop IP Security
            → 7. Basic IP Security Configuration
                → 8. Use Internet Key Exchange Refresh Method (IKE Tunnel)
                    → 9. List IKE Entries
                    → 10. Add an IKE Tunnel
                    → 11. Change/Remove IKE Entries
                    → 12. Import Linux IKE Tunnels
                    → 13. Activate IKE Tunnels
                    → 14. Deactivate IKE Tunnels
                    → 15. Export IKE Tunnels
                    → 16. Import AIX IKE Tunnels
                → 17. Use Manual Session Key Refresh Method (Manual Tunnel)
                    → 18. Change Manual IP Security Tunnel
                    → 19. List Manual IP Security Tunnel
                    → 20. Remove Manual IP Security Tunnel
                    → 21. Export Manual IP Security Tunnel
                    → 22. Import Manual IP Security Tunnel
                    → 23. Activate Manual IP Security Tunnel
                    → 24. Deactivate Manual IP Security Tunnel
            → 25. Advanced IP Security Configuration
                → 26. Configure IP Security Filter Rules
                    → 27. List IP Security Filter Rules
                    → 28. Add an IP Security Filter Rule
                    → 29. Change IP Security Filter Rules
                    → 30. Move IP Security Filter Rules
                    → 31. Export IP Security Filter Rules
                    → 32. Import IP Security Filter Rules
                    → 33. Delete IP Security Filter Rules
                → 34. List Active IP Security Filter Rules
                → 35. Activate/Update/Deactivate IP Security Filter Rule
                → 36. List Encryption Modules
                → 37. Start/Stop IP Security Filter Rule Log
                → 38. Start/Stop IP Security Tracing
                → 39. Backup IKE Database
                → 40. Restore IKE Database
                → 41. Initialize IKE Database
                → 42. View IKE XML DTD
        → 43. Configure IP Security (IPv6)

Note: the number in front of each item was added here for easy reference; wherever the text below writes (NUM), look the item up in the tree above. All menu paths below start from TCP/IP (2). For reasons of space, IPv6 (43) is not covered; it follows the same structure as IPv4 (3).

 

3    Getting started

3.1   Reviewing the existing configuration

Before doing anything else, review the current rules. Otherwise a dangerous rule that already exists in the database but has not yet taken effect can be activated by you, causing needless damage.

 

3.1.1  Active rules

Configure IP Security (IPv4)(3) → Advanced IP Security Configuration(25) → List Active IP Security Filter Rules(34)

Sample output:

COMMAND STATUS

Command: OK            stdout: yes           stderr: no

Before command completion, additional instructions may appear below.

1 *** Dynamic filter placement rule for IKE tunnels *** no
2 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both no all packets 0 all 0 none

Note: the rules shown above are the system defaults.

 

3.1.2  All configured rules

Configure IP Security (IPv4)(3) → Advanced IP Security Configuration(25) → Configure IP Security Filter Rules(26) → List IP Security Filter Rules(27)

Sample output:

COMMAND STATUS

Command: OK            stdout: yes           stderr: no

Before command completion, additional instructions may appear below.

1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both both no all packets 0 all 0 none  Default Rule
2 *** Dynamic filter placement rule for IKE tunnels *** no
0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both no all packets 0 all 0 none  Default Rule

Note: the rules shown above are the system defaults.

 

3.2   Starting and stopping

3.2.1  Start

Configure IP Security (IPv4)(3) → Start/Stop IP Security(4) → Start IP Security(5)

                               Start IP Security

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                        [Entry Fields]
  Start IP Security                                  [Now and After Reboot]  +
  Deny All Non_Secure IP Packets                     [no]                    +

Options

Start IP Security: Now and After Reboot | After Reboot

Deny All Non_Secure IP Packets: never set this to yes, otherwise even you will no longer be able to log in.

 

3.2.2  Stop

Configure IP Security (IPv4)(3) → Start/Stop IP Security(4) → Stop IP Security(6)

                               Stop IP Security

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                        [Entry Fields]
  KEEP definition in database                        [yes]                   +

Notes

Just press Enter.

 

3.3   Activating, updating and deactivating rules

In the sections that follow, a rule does not require IP Security to be restarted each time it is activated, updated or deactivated; selecting Activate/Update/Deactivate here is enough.

Configure IP Security (IPv4)(3) → Advanced IP Security Configuration(25) → Activate/Update/Deactivate IP Security Filter Rule(35)

Activate/Update/Deactivate IP Security Filter Rule

Move cursor to desired item and press Enter.

  Activate / Update
  Deactivate

Notes

Activate / Update: activate or update the rules.

Deactivate: deactivate the rules.

 

3.4   Configuring rules

3.4.1  Adding a rule

Configure IP Security (IPv4)(3) → Advanced IP Security Configuration(25) → Configure IP Security Filter Rules(26) → Add an IP Security Filter Rule(28)

                          Add an IP Security Filter Rule

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

[TOP]                                                   [Entry Fields]
* Rule Action                                          [permit]                +
* IP Source Address                                    []
* IP Source Mask                                       []
  IP Destination Address                               []
  IP Destination Mask                                  []
* Apply to Source Routing? (PERMIT/inbound only)       [yes]                   +
* Protocol                                             [all]                   +
* Source Port / ICMP Type Operation                    [any]                   +
* Source Port Number / ICMP Type                       [0]                     #
* Destination Port / ICMP Code Operation               [any]                   +
* Destination Port Number / ICMP Type                  [0]                     #
* Routing                                              [both]                  +
* Direction                                            [both]                  +
* Log Control                                          [no]                    +
* Fragmentation Control                                [0]                     +
* Interface                                            []                      +
  Expiration Time (sec)                                []                      #
  Pattern Type                                         [none]                  +
  Pattern / Pattern File                               []
  Description                                          []
[BOTTOM]

F1=Help             F2=Refresh          F3=Cancel           F4=List
Esc+5=Reset         Esc+6=Command       Esc+7=Edit          Esc+8=Image
Esc+9=Shell         Esc+0=Exit          Enter=Do

Note: fields marked * are required, although some of them have defaults; usually only Rule Action, IP Source Address, IP Source Mask and Interface need to be filled in.

Options

Rule Action: the action the rule takes, one of:

Deny: block the traffic.

Permit: allow the traffic.

If: makes this an IF filter rule.

Else: makes this an ELSE filter rule.

Endif: makes this an ENDIF filter rule.

Shun_host: makes this a SHUN_HOST filter rule.

Shun_port: makes this a SHUN_PORT filter rule.

IP Source Address: the source address.

IP Source Mask: the source address mask.

IP Destination Address: the destination address.

IP Destination Mask: the destination address mask.

Apply to Source Routing? (PERMIT/inbound only):

Apply to source-routed packets? Must be Y (yes) or N (no). If Y, this filter rule can also apply to IP packets that use source routing.

Protocol:

The protocol. Valid values are udp, icmp, icmpv6, tcp, tcp/ack, ospf, ipip, esp, ah and all. The value all means the rule applies to every protocol. A protocol number (1 to 252) may also be given.

Source Port / ICMP Type Operation:

The source port or ICMP type operation: the comparison applied between the packet's source port (or ICMP type) and the source port or ICMP type given in this rule (Source Port Number / ICMP Type). Valid values are lt, le, gt, ge, eq, neq and any. When the protocol (the -c flag) is ospf, this value must be any.

Source Port Number / ICMP Type:

The source port or ICMP type: the value that is compared against the source port (or ICMP type) of the IP packet.

Destination Port / ICMP Code Operation:

The destination port or ICMP code operation: the comparison applied between the packet's destination port (or ICMP code) and the destination port or ICMP code given in this rule (Destination Port Number / ICMP Type). Valid values are lt, le, gt, ge, eq, neq and any. When the -c flag is ospf, this value must be any.

Destination Port Number / ICMP Type:

The destination port or ICMP code: the value that is compared against the destination port (or ICMP code) of the IP packet.

Routing:

Whether the rule applies to forwarded packets (Route), to packets sent to or from the local host (Local), or to both (Both).

Direction:

Whether the rule applies to incoming packets (Inbound), to outgoing packets (Outbound), or to both (Both).

Log Control:

Logging. Must be Y (yes) or N (no). If Y, packets that match this filter rule are included in the filter log.

Fragmentation Control:

Fragmentation control; defaults to 0 and cannot be changed.

Interface:

The name of the IP interface the filter rule applies to, for example all, tr0, en0, lo0 and pp0.

Expiration Time (sec):

The amount of time, in minutes, that the rule remains active. expiration_time does not remove the rule from the database; it concerns how long the rule stays active while network traffic is being processed. If no expiration_time is given, the rule lasts indefinitely. If expiration_time is given together with a SHUN_PORT (-a S) or SHUN_HOST (-a H) rule, it is the length of time the remote port or remote host is denied or shunned once the rule's parameters have been matched. If expiration_time is given independently of a shun rule, it is the length of time the rule stays active after it has been loaded into the kernel and started processing network traffic.

Pattern Type: unknown; not clear what it is for.

Pattern / Pattern File: unknown; not clear what it is for.

Description: a description of the rule.
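Every field on the screen above corresponds to a flag of the genfilt command that SMIT runs underneath, and building the rules as command lines first makes it much easier to get their order right before they go anywhere near the kernel. The script below is an added example, not the post's own code or IBM's: it maps the screen fields to genfilt flags, prints a small baseline (permit SSH from the management host, then deny SSH and telnet from everywhere else) and only executes the commands when IPSEC_APPLY=1 is set and the tools exist. The flag letters (genfilt -a/-s/-m/-d/-M/-c/-o/-p/-O/-P/-r/-w/-i/-l/-D, mkfilt -u for Activate / Update, lsfilt -a for the active listing, mvfilt -p/-n for Move) are from my reading of the AIX man pages and should be confirmed on your own AIX level; the host address and interface name are constructed.

```shell
#!/bin/sh
# Added example, not the post's own code: command-line equivalents of the
# "Add an IP Security Filter Rule" screen, built as strings so the rules
# can be read and ordered before they are applied. Flag letters are from my
# reading of the genfilt/mkfilt/lsfilt man pages; confirm on your AIX level.

ADMIN_HOST=192.0.2.10   # constructed: the workstation you administer from
MGMT_IFACE=en0          # constructed: the interface facing that workstation

# Map the screen fields to genfilt flags. Positional arguments:
#  1 Rule Action (P=Permit, D=Deny)   2 IP Source Address   3 IP Source Mask
#  4 IP Destination Address   5 IP Destination Mask   6 Protocol
#  7 Source Port Operation   8 Source Port Number
#  9 Destination Port Operation   10 Destination Port Number
# 11 Direction (I/O/B)   12 Interface   13 Log Control (Y/N)   14 Description
# Routing is fixed to L (local host traffic); source-routing and
# fragmentation flags are left at their defaults.
genfilt_cmd() {
    printf 'genfilt -v 4 -a %s -s %s -m %s -d %s -M %s -c %s -o %s -p %s -O %s -P %s -r L -w %s -i %s -l %s -D "%s"' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" "${10}" "${11}" "${12}" "${13}" "${14}"
}

# Print a command line; execute it only when IPSEC_APPLY=1 and the tool
# exists, so the script can be reviewed on any machine first.
run_line() {
    printf '%s\n' "$1"
    tool=${1%% *}
    if [ "${IPSEC_APPLY:-0}" = "1" ] && command -v "$tool" >/dev/null 2>&1; then
        eval "$1"
    fi
}

# Rules in evaluation order. genfilt appends each new rule after the existing
# ones (rule 0, the default permit, stays last), so the permit for the admin
# host must be created before the deny that would otherwise match its
# packets. A misordered rule can be repositioned afterwards with
# mvfilt -v 4 -p <id> -n <new position> (the Move menu, item 30).
baseline_commands() {
    genfilt_cmd P "$ADMIN_HOST" 255.255.255.255 0.0.0.0 0.0.0.0 tcp any 0 eq 22 I "$MGMT_IFACE" N "Admin SSH"
    echo
    genfilt_cmd D 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tcp any 0 eq 22 I all Y "SSH from anywhere else"
    echo
    genfilt_cmd D 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 tcp any 0 eq 23 I all Y "telnet inbound"
    echo
}

apply_baseline() {
    baseline_commands | while IFS= read -r line; do run_line "$line"; done
    run_line "mkfilt -v 4 -u"      # Activate / Update (menu 35)
    run_line "lsfilt -v 4 -a"      # List Active IP Security Filter Rules (menu 34)
}

apply_baseline
```

Run it once without IPSEC_APPLY to read the three genfilt lines, check that the permit comes first, then run it with IPSEC_APPLY=1 from a session on the management host. The deny rules carry -l Y because a silent deny is useless for incident work; note that Log Control only produces anything once filter logging has been started (menu 37) and syslog is set up to receive it.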

 

 

3.4.2  Changing a rule

Configure IP Security (IPv4)(3) → Advanced IP Security Configuration(25) → Configure IP Security Filter Rules(26) → Change IP Security Filter Rules(29)

Filter Configuration

Move cursor to desired item and press Enter. Use arrow keys to scroll.

   1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both b
   2 *** Dynamic filter placement rule for IKE tunnels *** no
   3 permit 1.1.1.1 0.0.0.0 0.0.0.0 255.255.255.255 yes all any 0 any 0 b
   0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both

Notes:

Select the rule you want to change and press Enter; the fields are described under "Adding a rule".

 

3.4.3  Moving a rule

Configure IP Security (IPv4)(3) → Advanced IP Security Configuration(25) → Configure IP Security Filter Rules(26) → Move IP Security Filter Rules(30)

Select the rule to be moved:

Select the entry to be moved

Move cursor to desired item and press Enter. Use arrow keys to scroll.

   1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both b
   2 *** Dynamic filter placement rule for IKE tunnels *** no
   3 permit 1.1.1.1 0.0.0.0 0.0.0.0 255.255.255.255 yes all any 0 any 0 b
   0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both

Select the rule to swap it with:

Select the Entry to be Moved to

Move cursor to desired item and press Enter. Use arrow keys to scroll.

   1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both b
   2 *** Dynamic filter placement rule for IKE tunnels *** no
   3 permit 1.1.1.1 0.0.0.0 0.0.0.0 255.255.255.255 yes all any 0 any 0 b
   0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both

 

3.4.4  Deleting a rule

Configure IP Security (IPv4)(3) → Advanced IP Security Configuration(25) → Configure IP Security Filter Rules(26) → Delete IP Security Filter Rules(33)

Filter Configuration

Move cursor to desired item and press Enter. Use arrow keys to scroll.

   1 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 no udp eq 4001 eq 4001 both b
   2 *** Dynamic filter placement rule for IKE tunnels *** no
   3 permit 1.1.1.1 0.0.0.0 0.0.0.0 255.255.255.255 yes all any 0 any 0 b
   0 permit 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 yes all any 0 any 0 both both

Notes:

Select the rule to delete and press Enter.

 

3.4.5  Exporting rules

Configure IP Security (IPv4)(3) → Advanced IP Security Configuration(25) → Configure IP Security Filter Rules(26) → Export IP Security Filter Rules(31)

                          Export IP Security Filter

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                        [Entry Fields]
* Export Directory Name                                []                      /
* Filter Rules                                         []                      +
* Reverse direction on Filter Rules                    [yes]                   +

Notes:

Export Directory Name: the directory the exported file is written to.

Filter Rules: the rules to export.

Reverse direction on Filter Rules: choose the order (the default is fine).

 

3.4.6  Importing rules

Configure IP Security (IPv4)(3) → Advanced IP Security Configuration(25) → Configure IP Security Filter Rules(26) → Import IP Security Filter Rules(32)

                          Import IP Security Filter

Type or select values in entry fields.
Press Enter AFTER making all desired changes.

                                                        [Entry Fields]
* Import Directory Name                                []
* Filter Rules                                         []                      +

Notes:

Import Directory Name: the directory containing the file to import.

Filter Rules: the position (number) at which the imported rules are placed; press F4 to select the default.
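Export and import are also the cheapest rollback mechanism for the editing sections above: export the table before touching it, and if a new rule turns out to block something it should not, remove it and re-import the snapshot. The script below is an added example and not the post's own code: it wraps expfilt (menu 31), impfilt (menu 32), rmfilt (menu 33) and mkfilt -u (menu 35) in a snapshot/rollback pair that only executes when IPSEC_APPLY=1. It assumes that expfilt without -l exports every rule, that impfilt adds the file's rules back to the database, and that rmfilt -n takes a comma-separated list of rule ids; all three assumptions come from my reading of the man pages and should be checked on your AIX level. The snapshot directory and timestamp are constructed.

```shell
#!/bin/sh
# Added example, not the post's own code: snapshot the IPv4 filter table with
# expfilt before editing it, and roll back with rmfilt + impfilt + mkfilt -u.
# Flags are from my reading of the man pages; verify on your AIX level.

SNAP_ROOT=/var/adm/ipsec-snapshots   # constructed location for snapshots

# Print a command line; execute it only when IPSEC_APPLY=1 and the tool
# exists, so the script is safe to read through on any machine.
run_line() {
    printf '%s\n' "$1"
    tool=${1%% *}
    if [ "${IPSEC_APPLY:-0}" = "1" ] && command -v "$tool" >/dev/null 2>&1; then
        eval "$1"
    fi
}

snapshot_dir() { printf '%s/%s' "$SNAP_ROOT" "$1"; }

# Export the whole IPv4 table into a named directory. The direction is NOT
# reversed: the screen's "Reverse direction" option (-r) is for producing a
# mirror copy for the peer host of a tunnel, which is wrong for a backup.
export_cmd() { printf 'expfilt -v 4 -f %s' "$(snapshot_dir "$1")"; }

# Commands that undo an edit: delete the rule ids given in $2 (if any),
# re-import the snapshot, then load the result into the kernel.
rollback_cmds() {
    if [ -n "$2" ]; then
        printf 'rmfilt -v 4 -n %s\n' "$2"
    fi
    printf 'impfilt -v 4 -f %s\n' "$(snapshot_dir "$1")"
    printf 'mkfilt -v 4 -u\n'
}

take_snapshot() {
    stamp=${1:-$(date +%Y%m%d-%H%M%S)}
    run_line "mkdir -p $(snapshot_dir "$stamp")"
    run_line "$(export_cmd "$stamp")"
}

# rollback <snapshot name> [ids-to-remove, e.g. 3,4,5]
rollback() {
    rollback_cmds "$1" "$2" | while IFS= read -r line; do run_line "$line"; done
}

take_snapshot 20240101-120000        # constructed timestamp
rollback 20240101-120000 3,4,5       # constructed ids of rules added after the snapshot
```

Take the snapshot before the add/change/move/delete steps, and keep the ids genfilt reports for each new rule, because those are what the rollback needs to remove; `mkfilt -v 4 -u` at the end is the same Activate / Update step as menu 35, so the restored table takes effect without restarting IP Security.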

