说明:Aix系统也有防火墙功能,比如限制个别主机来访SSH和FTP
1. 先查看系统是否启动ipsec
lsdev -Cc ipsec
什么都不显示就是没开
2. 启动 ipsec4 过滤规则:
smitty ipsec4
-> Start/Stop IP Security
-> Start IP Security
-> Start IP Security
3.检查ipsec现在可用:
# lsdev -Cc ipsec
ipsec_v4 Available IP Version 4 Security Extension
4.现在系统中应创建了两个默认的过滤规则。使用下面的命令检查这两个过滤规则:
lsfilt -v4
5.增加一个过滤规则以允许接受从10.1.1.100发到本机10.1.1.12的FTP请求:
# smitty ipsec4
-> Advanced IP Security Configuration
-> Configure IP Security Filter Rules
-> Add an IP Security Filter Rule
-> Add an IP Security Filter Rule
* Rule Action [permit]
* IP Source Address [10.1.1.100]
* IP Source Mask [255.255.255.255]
IP Destination Address [10.1.1.12]
IP Destination Mask [255.255.255.255 ]
* Apply to Source Routing? (PERMIT/inbound only) [yes]
* Protocol [all]
* Source Port / ICMP Type Operation [any]
* Source Port Number / ICMP Type [0]
* Destination Port / ICMP Code Operation [eq]
* Destination Port Number / ICMP Type [21]
* Routing [both]
* Direction [both]
* Log Control [no]
* Fragmentation Control [0]
* Interface [all]
Expiration Time (sec) [ ]
Pattern Type [none]
Pattern / Pattern File [ ]
Description [ ]
6. 增加另一个过滤规则以拒绝其它主机所有向 10.1.1.12发出的FTP请求:
# smitty ipsec4
-> Advanced IP Security Configuration
-> Configure IP Security Filter Rules
-> Add an IP Security Filter Rule
-> Add an IP Security Filter Rule
* Rule Action [deny]
* IP Source Address [0.0.0.0]
* IP Source Mask [0.0.0.0]
IP Destination Address [10.1.1.12]
IP Destination Mask [255.255.255.255 ]
* Apply to Source Routing? (PERMIT/inbound only) [yes]
* Protocol [all]
* Source Port / ICMP Type Operation [any]
* Source Port Number / ICMP Type [0]
* Destination Port / ICMP Code Operation [eq]
* Destination Port Number / ICMP Type [21]
* Routing [both]
* Direction [both]
* Log Control [no]
* Fragmentation Control [0]
* Interface [all]
Expiration Time (sec) [ ]
Pattern Type [none]
Pattern / Pattern File [ ]
Description [ ]
7.激活设置的过滤规则:
# smitty ipsec4
-> Advanced IP Security Configuration
-> Activate/Update/Deactivate IP Security Filter Rule
-> Activate / Update
DONE
