AIX防火墙策略

AIX防火墙策略

删除 所有策略rmfilt -v 4 -n all1、查看所有deny的策略，注意rule no 和端口地址1,root@ODS_DB1[/tmp/ibmsupt]# lsfilt |grep -p 0.0.0.0Beginning of IPv4 filter rules.

Rule 242:Rule action : denySource Address : 0.0.0.0Source Mask : 0.0.0.0Destination Address : 192.168.10.188Destination Mask : 255.255.255.255Source Routing : yesProtocol : allSource Port : gt 1023Destination Port : eq 50000Scope : bothDirection : bothLogging control : noFragment control : all packetsTunnel ID number : 0Interface : allAuto-Generated : noExpiration Time : 0Description :

Rule 243:Rule action : denySource Address : 0.0.0.0Source Mask : 0.0.0.0Destination Address : 192.168.10.190Destination Mask : 255.255.255.255Source Routing : yesProtocol : allSource Port : gt 1023Destination Port : eq 50000Scope : bothDirection : bothLogging control : noFragment control : all packetsTunnel ID number : 0Interface : allAuto-Generated : noExpiration Time : 0Description :

Rule 244:Rule action : denySource Address : 0.0.0.0Source Mask : 0.0.0.0Destination Address : 192.168.10.190Destination Mask : 255.255.255.255Source Routing : yesProtocol : allSource Port : gt 1023Destination Port : eq 23Scope : bothDirection : bothLogging control : noFragment control : all packetsTunnel ID number : 0Interface : allAuto-Generated : noExpiration Time : 0Description :

Rule 245:Rule action : denySource Address : 0.0.0.0Source Mask : 0.0.0.0Destination Address : 192.168.10.188Destination Mask : 255.255.255.255Source Routing : yesProtocol : allSource Port : gt 1023Destination Port : eq 23Scope : bothDirection : bothLogging control : noFragment control : all packetsTunnel ID number : 0Interface : allAuto-Generated : noExpiration Time : 0Description :

2 删除需要deny的策略代码(注意删除了一条策略后，会自动向前补一条。如果要删除需要重新查看后删除)2,root@ODS_DB1[/tmp/ibmsupt]# rmfilt -v 4 -n 242 Filter rule 242 for IPv4 has been removed successfully.

3、添加路由策略 注意IP地址 掩码 端口3,genfilt -v 4 -a P -s 192.168.10.141 -m 255.255.255.255 -d 192.168.10.191 -M 255.255.255.255 -o gt -p 1023 -O eq -P 50000genfilt -v 4 -a P -s 192.168.10.143 -m 255.255.255.255 -d 192.168.10.191 -M 255.255.255.255 -o gt -p 1023 -O eq -P 50000genfilt -v 4 -a P -s 192.168.10.141 -m 255.255.255.255 -d 192.168.10.189 -M 255.255.255.255 -o gt -p 1023 -O eq -P 50000genfilt -v 4 -a P -s 192.168.10.143 -m 255.255.255.255 -d 192.168.10.189 -M 255.255.255.255 -o gt -p 1023 -O eq -P 50000

4、添加 deny 路由规则和端口4, genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 192.168.10.191 -M 255.255.255.255 -o gt -p 1023 -O eq -P 50000genfilt -v 4 -a D -s 0.0.0.0 -m 0.0.0.0 -d 192.168.10.189 -M 255.255.255.255 -o gt -p 1023 -O eq -P 50000

5、更新路由规则5,mkfilt -v 4 -u

6、查看时候生效(包含deny)6,lsfilt |grep -p 192.168.10.141lsfilt |grep -p 0.0.0.0

121 permit 192.168.10.0 255.255.255.224 136.5.9.51 255.255.255.255 yes all gt 1 eq 2201 both both no all packets 0 all 0 none 122 permit 192.168.10.245 255.255.255.255 136.5.9.51 255.255.255.255 yes all gt 1023 eq 2201 both both no all packets 0 all 0 none 123 deny 0.0.0.0 0.0.0.0 136.5.9.51 255.255.255.255 yes all gt 1 eq 2201 both both no all packets 0 all 0 none

121 permit 192.168.10.0 255.255.255.224 136.5.9.51 255.255.255.255 yes all gt 1 eq 2201 both both no all packets 0 all 0 none 122 permit 192.168.10.245 255.255.255.255 136.5.9.51 255.255.255.255 yes all gt 1023 eq 2201 both both no all packets 0 all 0 none 123 permit 192.168.10.178 255.255.255.0 136.5.9.51 255.255.255.255 yes all gt 1023 eq 2201 both both no all packets 0 all 0 none 124 deny 0.0.0.0 0.0.0.0 136.5.9.51 255.255.255.255 yes all gt 1 eq 2201 both both no all packets 0 all 0 none

genfilt -v 4 -n 123 -a P -s 192.168.10.178 -m 255.255.255.0 -d 136.5.9.51 -M 255.255.255.255 -o gt -p 1023 -O eq -P 2201

ps:如果需要一个段的IP如

版权声明：本文内容由网络用户投稿，版权归原作者所有，本站不拥有其著作权，亦不承担相应法律责任。如果您发现本站中有涉嫌抄袭或描述失实的内容，请联系我们jiasou666@gmail.com 处理，核实后本网站将在24小时内删除侵权内容。