Solved

firewall for AIX (similar to iptables for linux)

Posted on 2011-09-05
Last Modified: 2013-11-17
Is Ipsec the firewall for AIX boxes?
Can I install a simpler firewall on AIX?

I took a look at ipsec and it's very difficult for me... it doesn't have simple rules like iptables for Linux.

Where can I find a minimal step-by-step guide to activate ipsec, load rules for blocking/unblocking TCP and UDP ports, and disable ipsec?

Thanks...
Question by:sminfo
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 36483404
Hi again,

as far as I know there is no firewall for AIX out there, except for IPSEC and IPFILTER (IPFL) which are shipped with AIX.

In former days there was an iptables based AIX firewall (SecureWays) from IBM, but this one has been retired and never reached AIX 5.

This old redbook mentions, apart from SecureWays, the Checkpoint Firewall-1, but I'm rather sure that this product isn't available anymore either.

http://www.redbooks.ibm.com/abstracts/sg245971.html

That leaves IPSEC and IPFL. IPSEC is in bos.net.ipsec.rte, and IPFL is in ipfl.rte from the expansion DVD.

IPFL is based on the Open Source Software called IPFilter, so you might want to look at its documentation, which is here:

http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.security/doc/security/ipsec_filters_aix.htm

Here is a tiny FAQ:

https://www-304.ibm.com/support/docview.wss?uid=isg3T1011699

and here are the original docs:

http://coombs.anu.edu.au/~avalon/

containing a HOWTO:

http://www.obfuscation.org/ipf/ipf-howto.txt

Finally, here is the whole IPSEC stuff:

http://publib.boulder.ibm.com/infocenter/pseries/v5r3/index.jsp?topic=/com.ibm.aix.security/doc/security/ipsec.htm

Good luck!

wmp


0
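As an added example (not part of the original answers), the block/unblock workflow the question asks for, written as a shell script using IPFilter rule syntax. The interface name en0, the rules path, the sample ports and the APPLY switch are assumptions; loading the AIX ipfl kernel extension is not shown.

```shell
#!/bin/sh
# Added example: IPFilter rules to block/unblock TCP and UDP ports.
IFACE="${IFACE:-en0}"                     # assumed interface name
RULES="${RULES:-/tmp/ipf.rules.example}"  # hypothetical rules file

# ipf_port_rule ACTION PROTO PORT -> print one inbound rule.
# "quick" stops evaluation at this rule, like iptables first-match;
# without it IPFilter applies the LAST rule that matches a packet.
ipf_port_rule() {
    action=$1; proto=$2; port=$3
    case "$action" in block|pass) ;; *) echo "bad action: $action" >&2; return 1 ;; esac
    case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "bad port: $port" >&2; return 1
    fi
    rule="$action in quick on $IFACE proto $proto from any to any port = $port"
    if [ "$action" = pass ]; then
        # Match only the opening SYN for TCP, then track the session.
        if [ "$proto" = tcp ]; then rule="$rule flags S"; fi
        rule="$rule keep state"
    fi
    echo "$rule"
}

# Sample policy (constructed): telnet blocked, ssh and DNS open,
# everything else inbound dropped by the final non-quick rule.
build_ruleset() {
    echo "pass in quick on lo0 all"
    echo "pass out quick on lo0 all"
    ipf_port_rule block tcp 23 || return 1
    ipf_port_rule pass tcp 22 || return 1
    ipf_port_rule pass udp 53 || return 1
    for p in tcp udp icmp; do
        echo "pass out quick on $IFACE proto $p from any to any keep state"
    done
    echo "block in on $IFACE all"
}

build_ruleset > "$RULES" || exit 1

# Touch the running filter only when asked to (APPLY=yes) and ipf exists.
if [ "${APPLY:-no}" = yes ] && command -v ipf >/dev/null 2>&1; then
    ipf -E                # enable the filter
    ipf -Fa -f "$RULES"   # flush all rules, then load the file
    ipfstat -io           # list active inbound and outbound rules
fi
# "ipf -Fa" alone removes the rules again; "ipf -D" disables the filter.
```

Run it once without APPLY to review the generated file, and keep the ssh pass rule ahead of the final block rule when applying over a remote session.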
 

Author Comment

by:sminfo
ID: 36483866
Umm I see wmp... I believe IPF is what I'm looking for.. I heard about IPFilter in my beginnings with Tru64 UNIX, but never used it at that time.

One more question.. is the expansion DVD the same for AIX 7.1, 6.1 or 5.3?

Thanks..
0
 
LVL 68

Assisted Solution

by:woolmilkporc
woolmilkporc earned 500 total points
ID: 36483928
AIX 5 and AIX 6 are shipped with their own Expansion Packs, respectively.

AIX 7 doesn't come with such a DVD, for whatever reason, although there is a Pack available.

If you have an ESS entitlement you can download a TGZ file here:

https://www-304.ibm.com/servers/eserver/ess/ProtectedServlet.wss

Anyway, the newest IPFL version available for AIX is 4.1.13, and I strongly assume that this same version is contained on the AIX 5 as well as on the AIX 6 or 7 Packs.

wmp

0
 

Author Closing Comment

by:sminfo
ID: 36484024
Yes wmp.. I installed ipfilter from AIX 7.1 expansion

[root@testaix:/] lslpp -l|grep ipf
  ipfl.man.en_US             5.3.0.0  COMMITTED  IP Filters Documentation -
  ipfl.rte                   5.3.0.0  COMMITTED  IP Filters

Now, I'll read about it.. I have worked a lot with iptables, so I think it should be easier for me..

Thanks..
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 36484033
Ok, I just checked ...

The ipfl.rte installp package version is always 5.3.0.0 on all available Expansion Packs (starting with AIX 5.3 TL 7 or so),
and this package always contains IPFilter 4.1.13 as of end 2001.

So no need to care about which pack to use.

Thx for the points!

wmp
0
 

Author Comment

by:sminfo
ID: 36484051
umm.. how can you check that version 4.1.13?

I also saw ipfilter is on version 5.1, can I compile it on AIX?
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 36484116
ipf -V

Compiling? Never tried it, could become an interesting project ...

Joke aside, I think it should be possible to compile it, given you have GCC, gmake and all that.

But as I said - never tried it.



0
