AIX firewall policies (IP filter rules)

Posted: 2020-06-23 10:35:16

Delete all rules:
rmfilt -v 4 -n all
1. List all deny rules; note the rule number and the destination address/port.
root@ODS_DB1[/tmp/ibmsupt]# lsfilt |grep -p 0.0.0.0
Beginning of IPv4 filter rules.

Rule 242:
Rule action : deny
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 192.168.10.188
Destination Mask : 255.255.255.255
Source Routing : yes
Protocol : all
Source Port : gt 1023
Destination Port : eq 50000
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : no
Expiration Time : 0
Description :

Rule 243:
Rule action : deny
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 192.168.10.190
Destination Mask : 255.255.255.255
Source Routing : yes
Protocol : all
Source Port : gt 1023
Destination Port : eq 50000
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : no
Expiration Time : 0
Description :

Rule 244:
Rule action : deny
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 192.168.10.190
Destination Mask : 255.255.255.255
Source Routing : yes
Protocol : all
Source Port : gt 1023
Destination Port : eq 23
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : no
Expiration Time : 0
Description :

Rule 245:
Rule action : deny
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 192.168.10.188
Destination Mask : 255.255.255.255
Source Routing : yes
Protocol : all
Source Port : gt 1023
Destination Port : eq 23
Scope : both
Direction : both
Logging control : no
Fragment control : all packets
Tunnel ID number : 0
Interface : all
Auto-Generated : no
Expiration Time : 0
Description :

2. Delete the deny rules that need removing (note: after a rule is deleted, the rules behind it shift up by one number; to delete another rule, list the rules again first, then delete by the new number).
root@ODS_DB1[/tmp/ibmsupt]# rmfilt -v 4 -n 242
Filter rule 242 for IPv4 has been removed successfully.

3. Add the permit rules; check the IP address, mask and port carefully.
genfilt -v 4 -a P -s 192.168.10.141 -m 255.255.255.255 -d 192.168.10.191 -M 255.255.255.255 -o gt -p 1023 -O eq -P 50000
genfilt -v 4 -a P -s 192.168.10.143 -m 255.255.255.255 -d 192.168.10.191 -M 255.255.255.255 -o gt -p 1023 -O eq -P 50000
genfilt -v 4 -a P -s 192.168.10.141 -m 255.255.255.255 -d 192.168.10.189 -M 255.255.255.255 -o gt -p 1023 -O eq -P 50000
genfilt -v 4 -a P -s 192.168.10.143 -m 255.255.255.255 -d 192.168.10.189 -M 255.255.255.255 -o gt -p 1023 -O eq -P 50000

4. Add the deny rules (destination address and port).
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 192.168.10.191 -M 255.255.255.255 -o gt -p 1023 -O eq -P 50000
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 192.168.10.189 -M 255.255.255.255 -o gt -p 1023 -O eq -P 50000

5. Update (activate) the rule set.
mkfilt -v 4 -u

6. Check whether the rules have taken effect (including the deny rules).
lsfilt |grep -p 192.168.10.141
lsfilt |grep -p 0.0.0.0

121 permit 192.168.10.0 255.255.255.224 136.5.9.51 255.255.255.255 yes all gt 1 eq 2201 both both no all packets 0 all 0 none
122 permit 192.168.10.245 255.255.255.255 136.5.9.51 255.255.255.255 yes all gt 1023 eq 2201 both both no all packets 0 all 0 none
123 deny 0.0.0.0 0.0.0.0 136.5.9.51 255.255.255.255 yes all gt 1 eq 2201 both both no all packets 0 all 0 none

121 permit 192.168.10.0 255.255.255.224 136.5.9.51 255.255.255.255 yes all gt 1 eq 2201 both both no all packets 0 all 0 none
122 permit 192.168.10.245 255.255.255.255 136.5.9.51 255.255.255.255 yes all gt 1023 eq 2201 both both no all packets 0 all 0 none
123 permit 192.168.10.178 255.255.255.0 136.5.9.51 255.255.255.255 yes all gt 1023 eq 2201 both both no all packets 0 all 0 none
124 deny 0.0.0.0 0.0.0.0 136.5.9.51 255.255.255.255 yes all gt 1 eq 2201 both both no all packets 0 all 0 none

genfilt -v 4 -n 123 -a P -s 192.168.10.178 -m 255.255.255.0 -d 136.5.9.51 -M 255.255.255.255 -o gt -p 1023 -O eq -P 2201

PS: use the form above (with -n to choose the rule number) when a whole IP subnet needs to be permitted.
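Because AIX evaluates filter rules in order (first match wins), a permit rule added after a catch-all deny for the same destination and port never takes effect, which is why rule 123 above is inserted with -n ahead of the deny. The following added example (not from the original post) parses the verbose lsfilt output shown in step 1 and flags permit rules that are shadowed by an earlier deny; the sample text is constructed, and the field names are assumed to match the lsfilt format above.

```python
"""Parse verbose `lsfilt` output and flag permit rules shadowed by an earlier
catch-all deny for the same destination address/port (first-match evaluation)."""
import re

# Constructed sample in the verbose lsfilt format (not real command output).
SAMPLE = """Beginning of IPv4 filter rules.

Rule 242:
Rule action : deny
Source Address : 0.0.0.0
Source Mask : 0.0.0.0
Destination Address : 192.168.10.188
Destination Mask : 255.255.255.255
Destination Port : eq 50000

Rule 243:
Rule action : permit
Source Address : 192.168.10.141
Source Mask : 255.255.255.255
Destination Address : 192.168.10.188
Destination Mask : 255.255.255.255
Destination Port : eq 50000
"""


def parse_lsfilt(text):
    """Return one dict per 'Rule N:' block, keyed by the lsfilt field names."""
    rules = []
    for block in re.split(r"\n\s*\n", text):
        m = re.match(r"\s*Rule (\d+):", block)
        if not m:
            continue  # header line such as "Beginning of IPv4 filter rules."
        rule = {"no": int(m.group(1))}
        for line in block.splitlines()[1:]:
            if not line.strip():
                continue
            key, _, val = line.partition(":")
            rule[key.strip()] = val.strip()
        rules.append(rule)
    return rules


def shadowed_permits(rules):
    """Rule numbers of permit rules that come after a catch-all deny
    (source 0.0.0.0 mask 0.0.0.0) for the same destination address and port."""
    denies = []  # (dest address, dest port) of catch-all denies seen so far
    shadowed = []
    for r in rules:
        key = (r.get("Destination Address"), r.get("Destination Port"))
        if r.get("Rule action") == "deny" and r.get("Source Mask") == "0.0.0.0":
            denies.append(key)
        elif r.get("Rule action") == "permit" and key in denies:
            shadowed.append(r["no"])
    return shadowed
```

Run it against `lsfilt -v 4` output after step 6; any rule number it reports must be re-added with -n so it sits ahead of the deny.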

Original source: https://blog.51cto.com/forestcui/2506458
