IP security filter configuration

Filtering can be set up to be simple, using mostly autogenerated filter rules, or can be customized by defining very specific filter functions based on the properties of the IP packets.

Each line in a filter table is known as a rule. A collection of rules determines which packets are accepted in and out of the machine and how they are directed. Matches to filter rules on incoming packets are done by comparing the source address and SPI value to those listed in the filter table. Therefore, this pair must be unique. Filter rules can control many aspects of communications, including source and destination addresses and masks, protocol, port number, direction, fragment control, source routing, tunnel, and interface type.

The types of filter rules are as follows:
  • Static filter rules are created in the filter table to be used for the general filtering of traffic or for associating with manual tunnels. They can be added, deleted, modified, and moved. An optional description text field can be added to identify a specific rule.
  • Autogenerated filter rules and user-specified filter rules (also called dynamic filter rules) are a specific set of rules created for use of IKE tunnels. Both static and dynamic filter rules are created based on data management tunnel information and on data management tunnel negotiation.
  • Predefined filter rules are generic filter rules that cannot be modified, moved, or deleted, such as the all traffic rule, the ah rule, and the esp rule. They pertain to all traffic.
The direction flag (-w) of the genfilt command specifies whether a rule is used during input packet processing, output packet processing, or both. When the value both is given, the rule is used during both input and output processing. In AIX IPsec, when filtering is turned on, at least one rule determines the fate of every network packet, incoming or outgoing. If you want a rule to be used only while processing incoming packets (or only outgoing packets), select that with the -w switch of the genfilt command.

For example, when a packet is sent from host A to host B, the outgoing IP packet has the source address of A and the destination address of B. On host A, this packet is processed by the IPsec filter during outbound processing; on host B, it is processed during inbound processing. Now assume there is a gateway G between host A and host B. On gateway G, this same packet (all the immutable fields having the same values) is processed twice: once during inbound processing and once during outbound processing (if the ipforwarding option is set). For the packet to travel from host A to host B through gateway G, you need a permit rule with:
  • On host A – src addr set to A, dest addr to B, direction to outbound
  • On host B – src addr set to A, dest addr to B, direction to inbound
But on the gateway G, you need two rules:
  1. src addr set to A, dest addr to B, direction to outbound
  2. src addr set to A, dest addr to B, direction to inbound
The two gateway rules can be replaced by a single rule with src addr set to A, dest addr set to B and direction set to both. Therefore, the value both for direction is typically used on gateways that have the ipforwarding option set to yes. The above configuration covers only packets travelling from host A to host B through the gateway G. If packets are also to travel in the reverse direction (from host B to host A through the gateway G), you need another rule for that.
Note: Direction both means that the associated rule is used for both incoming and outgoing packets. It does not mean that the rule also applies when the source and destination addresses are reversed. For instance, if server A has a rule with A as the source address, B as the destination address and the direction set to both, then an incoming packet on A with B as its source address and A as its destination does not match this rule. Typically the both option is used on gateways that forward packets.
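The host A, host B and gateway G rule sets described above, written out as genfilt commands. This is an added example, not part of the original page: the addresses (192.0.2.10 for A, 198.51.100.20 for B) are constructed, and the script only prints the commands unless DRY_RUN=0 is set, so it can be reviewed on any system and applied on the AIX host. The -r flag (R = forwarded packets, L = local packets) is a real genfilt option used here to keep the gateway rules to routed traffic; it is not discussed on this page.

```shell
#!/bin/sh
# Added example: generate the IPsec filter rules that permit traffic from
# host A to host B through gateway G, and the replies back, using the -w
# direction semantics described above. Addresses are constructed.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it.

A=192.0.2.10
B=198.51.100.20
HOSTMASK=255.255.255.255

run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# permit <src> <dst> <direction I|O|B> <route-flag L|R> <description>
# -a P = permit, -s/-m = source address and mask, -d/-M = destination
# address and mask, -c all = every protocol, -w = direction, -r = local or
# forwarded traffic, -D = description text stored with the rule.
permit() {
    run genfilt -v 4 -a P -s "$1" -m "$HOSTMASK" -d "$2" -M "$HOSTMASK" \
        -c all -w "$3" -r "$4" -D "$5"
}

# Host A sees the A->B packet only on output and the B->A reply only on input.
rules_host_a() {
    permit "$A" "$B" O L A_to_B_outbound
    permit "$B" "$A" I L B_to_A_inbound_reply
}

# Host B is the mirror image of host A.
rules_host_b() {
    permit "$A" "$B" I L A_to_B_inbound
    permit "$B" "$A" O L B_to_A_outbound_reply
}

# Gateway G (ipforwarding set) processes each forwarded packet once on input
# and once on output, so one rule with -w B replaces an I rule plus an O rule.
# Direction B does not cover the reversed address pair, so the B->A reply
# still needs its own rule. -r R restricts both to forwarded packets.
rules_gateway() {
    permit "$A" "$B" B R A_to_B_via_G
    permit "$B" "$A" B R B_to_A_via_G
}

# Load the updated IPv4 filter table into the kernel and list the result.
activate() {
    run mkfilt -v 4 -u
    run lsfilt -v 4
}

case "${1:-all}" in
    a)   rules_host_a ;;
    b)   rules_host_b ;;
    g)   rules_gateway ;;
    all) rules_host_a; rules_host_b; rules_gateway ;;
esac
activate
```

Run it as `sh filter-rules.sh g` on the gateway (or `a` / `b` on the hosts) to see the rules for that role; set `DRY_RUN=0` to apply them. Rules are evaluated in table order and the predefined all traffic rule sits at the end, so check the resulting order with lsfilt before activating on a production gateway.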

Associated with these filter rules are subnet masks, which group IDs that are associated with a filter rule, and the host-firewall-host configuration option. The following sections describe the different types of filter rules and their associated features.