AIX firewall accept established connection
Post 302982478 by Michael1457 on Thursday 29th of September 2016 10:23:16 AM

I'm trying to configure a firewall for AIX to accept incoming connections on ports 22 and 443 and deny everything else. All is ok; the server accepts connections only on 22 and 443, but after that I also need to accept all outgoing connections -- ssh and telnet, for example. So I started with
Code:
genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d x.x.x.x -M 255.255.255.255 -c tcp -o any -p 0 -O eq -P 22 -w I -i all
genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d x.x.x.x -M 255.255.255.255 -c tcp -o any -p 0 -O eq -P 443 -w I -i all
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d x.x.x.x -M 255.255.255.255 -c tcp -o any -p 0 -O any -P 0 -w I -i all

Afterwards, I had to accept outgoing connections, so I introduced another rule:
Code:
genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d x.x.x.x -M 255.255.255.255 -c tcp -o any -p 0 -O eq -P 22 -w I -i all
genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d x.x.x.x -M 255.255.255.255 -c tcp -o any -p 0 -O eq -P 443 -w I -i all
**genfilt -v 4 -a P -s x.x.x.x -m 255.255.255.255 -d 0.0.0.0 -M 0.0.0.0 -c tcp -o any -p 0 -O any -P 0 -r L -w O -i all**
genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d x.x.x.x -M 255.255.255.255 -c tcp -o any -p 0 -O any -P 0 -w I -i all

and after that tried more rules:
Code:
genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -c tcp/syn -o any -p 0 -O any -P 0 -w O -i all
genfilt -v 4 -a P -s 0.0.0.0 -m 0.0.0.0 -d 0.0.0.0 -M 0.0.0.0 -c tcp -o any -p 0 -O any -P 0 -w O -i all

But outgoing connections are still not working. Does anyone have any knowledge about this?

Last edited by Don Cragun; 09-29-2016 at 03:36 PM.. Reason: Change HTML tags to CODE tags.
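The failure described in the post can be reproduced with a small model of a stateless, first-match filter chain. This is an added example, not AIX code and not anything posted in the thread: the Rule and Packet classes, the addresses 192.0.2.10 (standing in for x.x.x.x), 198.51.100.7 and 203.0.113.5, and permit-by-default handling of a packet that matches no rule are all assumptions of the model. It replays the second rule set from the post and shows that the outbound SYN is permitted but the peer's SYN-ACK, which arrives inbound with the local ephemeral port as its destination, matches neither the port 22 nor the port 443 permit and falls through to the inbound deny. Inserting an inbound permit for ACK-bearing segments (genfilt's tcp/ack protocol value) ahead of the deny lets replies in while an unsolicited inbound SYN to port 80 is still dropped.

```python
"""Stateless first-match packet filter model (added example; not AIX code).

Replays the genfilt rule chain from the post against constructed packets
to show why an outgoing connection fails and what an inbound ACK-only
permit changes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

HOST = "192.0.2.10"   # constructed stand-in for the post's x.x.x.x
ANY = "0.0.0.0/0"     # genfilt -s 0.0.0.0 -m 0.0.0.0


@dataclass(frozen=True)
class Rule:
    action: str          # "P" permit / "D" deny        (genfilt -a)
    direction: str       # "I" inbound / "O" outbound   (genfilt -w)
    src: str             # source network, CIDR         (genfilt -s/-m)
    dst: str             # destination network, CIDR    (genfilt -d/-M)
    dst_port: int = 0    # 0 means any                  (genfilt -O any -P 0)
    proto: str = "tcp"   # "tcp" any segment, "tcp/ack" only ACK-bit segments


@dataclass(frozen=True)
class Packet:
    direction: str
    src: str
    dst: str
    dst_port: int
    ack: bool            # ACK bit; clear only on the initial SYN


def matches(rule: Rule, pkt: Packet) -> bool:
    """One rule's match test: direction, addresses, port, then flag check."""
    if rule.direction != pkt.direction:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dst_port and rule.dst_port != pkt.dst_port:
        return False
    if rule.proto == "tcp/ack" and not pkt.ack:
        return False
    return True


def decide(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins. A packet matching no rule is permitted;
    that default is an assumption of this model, not a genfilt fact."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "P"


# The post's second rule set, in the order genfilt appended the rules.
POSTED_RULES = [
    Rule("P", "I", ANY, HOST, 22),
    Rule("P", "I", ANY, HOST, 443),
    Rule("P", "O", HOST, ANY),          # all outgoing TCP permitted
    Rule("D", "I", ANY, HOST),          # everything else inbound denied
]

# Same chain with an inbound ACK-only permit inserted just before the deny.
FIXED_RULES = (POSTED_RULES[:3]
               + [Rule("P", "I", ANY, HOST, proto="tcp/ack")]
               + POSTED_RULES[3:])

# Constructed packets: an outbound ssh handshake as seen from the AIX host,
# plus an unsolicited inbound SYN to a port that must stay closed.
OUT_SYN = Packet("O", HOST, "198.51.100.7", 22, ack=False)
REPLY_SYN_ACK = Packet("I", "198.51.100.7", HOST, 41234, ack=True)
IN_SYN_HTTP = Packet("I", "203.0.113.5", HOST, 80, ack=False)


def outbound_ssh_works(rules: List[Rule]) -> bool:
    """True only if both halves of the handshake pass the filter."""
    return (decide(rules, OUT_SYN) == "P"
            and decide(rules, REPLY_SYN_ACK) == "P")


if __name__ == "__main__":
    print("posted rules, outbound ssh:", outbound_ssh_works(POSTED_RULES))
    print("fixed rules,  outbound ssh:", outbound_ssh_works(FIXED_RULES))
    print("fixed rules,  inbound SYN to :80:", decide(FIXED_RULES, IN_SYN_HTTP))
```

The tcp/ack rule is still stateless: it admits any inbound segment with the ACK bit set whether or not this host opened the connection, which is the inherent limit of filtering without connection tracking. That is why the rule is confined to the host's own address and placed immediately before the deny rather than at the top of the chain.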
 

netmasks(4)                      File Formats                      netmasks(4)

NAME
       netmasks - network mask database

SYNOPSIS
       /etc/inet/netmasks
       /etc/netmasks

DESCRIPTION
       The netmasks file contains network masks used to implement IP
       subnetting. It supports both standard subnetting as specified in
       RFC-950 and variable length subnetting as specified in RFC-1519.

       When using standard subnetting there should be a single line for
       each network that is subnetted in this file, with the network
       number, any number of SPACE or TAB characters, and the network mask
       to use on that network. Network numbers and masks may be specified
       in the conventional IP `.' (dot) notation (like IP host addresses,
       but with zeroes for the host part). For example,

              128.32.0.0      255.255.255.0

       can be used to specify that the Class B network 128.32.0.0 should
       have eight bits of subnet field and eight bits of host field, in
       addition to the standard sixteen bits in the network field.

       When using variable length subnetting, the format is identical.
       However, there should be a line for each subnet with the first
       field being the subnet and the second field being the netmask that
       applies to that subnet. The users of the database, such as
       ifconfig(1M), perform a lookup to find the longest possible
       matching mask. It is possible to combine the RFC-950 and RFC-1519
       forms of subnet masks in the netmasks file. For example,

              128.32.0.0      255.255.255.0
              128.32.27.0     255.255.255.240
              128.32.27.16    255.255.255.240
              128.32.27.32    255.255.255.240
              128.32.27.48    255.255.255.240
              128.32.27.64    255.255.255.240
              128.32.27.80    255.255.255.240
              128.32.27.96    255.255.255.240
              128.32.27.112   255.255.255.240
              128.32.27.128   255.255.255.240
              128.32.27.144   255.255.255.240
              128.32.27.160   255.255.255.240
              128.32.27.176   255.255.255.240
              128.32.27.192   255.255.255.240
              128.32.27.208   255.255.255.240
              128.32.27.224   255.255.255.240
              128.32.27.240   255.255.255.240
              128.32.64.0     255.255.255.192

       can be used to specify different netmasks in different parts of the
       128.32.0.0 Class B network number. Addresses 128.32.27.0 through
       128.32.27.255 have a subnet mask with 28 bits in the combined
       network and subnet fields (often referred to as the subnet field)
       and 4 bits in the host field. Furthermore, addresses 128.32.64.0
       through 128.32.64.63 have 26 bits in the subnet field. Finally, all
       other addresses in the range 128.32.0.0 through 128.32.255.255 have
       a 24 bit subnet field.

       Invalid entries are ignored.

SEE ALSO
       ifconfig(1M), inet(7P)

       Postel, Jon, and Mogul, Jeff, Internet Standard Subnetting
       Procedure, RFC 950, Network Information Center, SRI International,
       Menlo Park, Calif., August 1985.

       V. Fuller, T. Li, J. Yu, K. Varadhan, Classless Inter-Domain Routing
       (CIDR): an Address Assignment and Aggregation Strategy, RFC 1519,
       Network Information Center, SRI International, Menlo Park, Calif.,
       September 1993.

       T. Pummill, B. Manning, Variable Length Subnet Table For IPv4,
       RFC 1878, Network Information Center, SRI International, Menlo Park,
       Calif., December 1995.

NOTES
       /etc/inet/netmasks is the official SVr4 name of the netmasks file.
       The symbolic link /etc/netmasks exists for BSD compatibility.

SunOS 5.10                       7 Jan 1997                       netmasks(4)
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.