netrule Command

Purpose

Adds, removes, lists, or queries rules, flags and security labels for interfaces and hosts.

Syntax

netrule hl [ i | o | io ]

netrule hq { i | o } src_host_rule_specification dst_host_rule_specification

netrule h- [ i | o ][u] [ src_host_rule_specification dst_host_rule_specification ]

netrule h+ { i | o } [ u ] src_host_rule_specification dst_host_rule_specification [ flags ][ RIPSO/CIPSO options ] security_label_information

netrule il

netrule iq interface

netrule i- [ u ][interface ]

netrule i+ [ u ] interface [ flags ][ RIPSO/CIPSO options ] security_label_information

netrule eq

netrule e { on | off }

Description

The netrule command lists, queries, adds, and removes rule specifications for interfaces and hosts. The system default interface rules are set by using the interface name default (see the examples). When an interface rule is removed with the i- flag, that interface is given the default interface rules. The default interface rules are also set by the tninit load command.

Note: Because every interface must always have an interface rule, the remove operation does not delete the rule; it resets the interface rule to its default state. All command line flags must appear in the order shown in the syntax statements.

Flags

Item Description
e { on | off } Sets the policy for sending the ICMP error response to incoming packets that are not accepted by the system. This setting is off by default and must be set with this flag to be on. You cannot specify the e flag when you specify the h or i flag.
h Specifies that the object of the netrule command is a host. You cannot specify the h flag when you specify the i or e flag.
i Specifies that the object of the netrule command is an interface. You cannot specify the i flag when you specify the h or e flag.
l Lists all rules for interfaces or hosts.
o Specifies a host out rule (host rules only). In the same position, i selects a host in rule, as shown in the h+, h-, and hq syntax.
q Queries an interface, a host rule, or the status of the error response setting.
u Specifies that /etc/security/rules.host (host rules) or /etc/security/rules.int (interface rules) is updated after the rule is successfully added to or removed from the kernel. Without u, only the kernel is changed and the file is left as it was.
+ Adds an interface or a host rule.
- Removes an interface or a host rule.
interface Specifies an interface name.
src_host_rule_specification This parameter takes the following format:
src_host [/ mask][ = proto [:start_port_range [:end_port_range]]]
Requirement: There must be a space or tab between each field, for example 9.41.86.19 /24 =tcp :ftp :telnet (see the examples).
src_host
A source IPv6 address, IPv4 address, or host name.
mask
The subnet mask as a prefix length: the number of bits set, counted from the most significant bit. For example, 24 means 255.255.255.0 for an IPv4 address.
proto
A protocol name, for example tcp or udp.
start_port_range
The port number or service name at which the port range begins.
end_port_range
The port number or service name at which the port range ends.
dst_host_rule_specification This parameter takes the following format:
dst_host [/ mask][ = proto [:start_port_range [:end_port_range]]]
Requirement: There must be a space or tab between each field, for example 9.3.149.6 /28.
dst_host
A destination IPv6 address, IPv4 address, or host name.
mask
The subnet mask as a prefix length: the number of bits set, counted from the most significant bit. For example, 24 means 255.255.255.0 for an IPv4 address.
proto
A protocol name, for example tcp or udp.
start_port_range
The port number or service name at which the port range begins.
end_port_range
The port number or service name at which the port range ends.
flags This parameter takes the following format:
-d drop
drop
AIX® Trusted Network can be configured to drop all packets that match the rule. You can specify one of the following values:
r
Drops all packets.
n
Does not drop packets (interface default).
i
Uses the interface default (host default; host rules only).
-f rflag:tflag
rflag
Security option required on incoming (received) packets. You can specify one of the following values:
r
Revised Interconnection Protocol Security Option (RIPSO) only.
c
Commercial Internet Protocol Security Option (CIPSO) only.
e
Either RIPSO or CIPSO.
n
Neither RIPSO nor CIPSO (system default).
a
No restrictions.
i
Uses the interface or system default (default).
tflag
Security option placed on outgoing (transmitted) packets. You can specify one of the following values:
r
Transmits RIPSO.
c
Transmits CIPSO.
n
Does not transmit any security options (interface default).
i
Uses the interface default (host default; host rules only).
RIPSO/CIPSO options This parameter takes the following format:
-rpafs=PAF_field[,PAF_field...]
Specifies the list of PAF fields that are accepted on incoming IPSO packets. There can be up to 256 fields.
PAF_field: NONE | PAF [+PAF...]
Specifies a PAF field, which is a collection of PAFs. The following are the five PAFs that can be included in a single PAF field:
  • GENSER
  • SIOP-ESI
  • SCI
  • NSA
  • DOE
A PAF field is a combination of these values separated by a plus sign (+). For example, a PAF field containing both GENSER and SCI is written GENSER+SCI. The PAF field NONE specifies a PAF field with no PAFs.
-epaf=PAF_field
Specifies the PAF field that is attached to error responses for incoming IPSO packets that were not accepted by the system.
-tpaf=PAF_field
Specifies the PAF field that is included in the IPSO options of outgoing packets.
-DOI=doi
Specifies the domain of interpretation (DOI) for CIPSO packets. Incoming packets must carry this DOI, and outgoing packets are given this DOI.
-tags=tag[,tag...]
tag = 1 | 2 | 5

Specifies the set of CIPSO tags that are accepted on incoming packets and available for transmission. This is any combination of 1, 2, and 5. For example, 1,2 enables tags 1 and 2.

security_label_information This parameter takes the following format:
+min +max +default | -s input_file
Specifies the sensitivity labels (SLs) that apply when adding a rule: the minimum SL, the maximum SL, and the default (implicit) SL given to unmarked packets. Either give the three SLs on the command line, each introduced by a plus sign (+) and in that order (an SL that contains spaces, such as ts all, is written +ts all), or specify -s input_file with the SLs in the file in the following order, one per line:
  • min SL
  • max SL
  • default SL
The file cannot contain comments. Use a backslash (\) at the end of a line if an SL needs more than one line.
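The -s input file format above is easy to get subtly wrong (a stray comment, a continuation backslash on the last line, only two labels). The following shell function is an added example, not code from the netrule man page or from AIX: it checks such a file before it is handed to netrule, joining backslash-continued lines, rejecting comment lines, requiring exactly three labels, and printing the equivalent +min +max +default command-line form so that the file can be compared with what netrule hl reports. The function name and its messages are this example's own; the sample file used in the usage note is constructed from example 2 below.

```shell
#!/bin/sh
# Added example (not from the netrule man page or AIX): check a file meant for
# "netrule ... -s file" before using it. A trailing backslash continues a label
# on the next line, comments are not allowed, and exactly three labels are
# required (min SL, max SL, default SL). Prints the same labels in the inline
# "+min +max +default" form. Function and message wording are this example's own.

# netrule_sl_file_to_inline FILE
#   stdout: "+min +max +default" ; exit 0, or 1 with a message on stderr
netrule_sl_file_to_inline() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    labels=$(awk '
        /^[ \t]*#/ { print "comment on line " NR | "cat 1>&2"; failed = 1; exit 1 }
        {
            line = $0
            # a trailing backslash continues the label on the next line
            if (sub(/[ \t]*\\$/, "", line)) { buf = buf line " "; next }
            label = buf line
            buf = ""
            sub(/^[ \t]+/, "", label); sub(/[ \t]+$/, "", label)
            if (label != "") print label   # blank lines are skipped
        }
        END {
            if (!failed && buf != "") { print "file ends inside a continuation" | "cat 1>&2"; exit 1 }
        }' "$file") || return 1
    n=$(printf '%s\n' "$labels" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$n" -ne 3 ]; then
        echo "$file: expected 3 labels (min SL, max SL, default SL), got $n" >&2
        return 1
    fi
    # on the command line each SL is introduced by "+"; an SL may itself
    # contain spaces (ts all), which is one reason the file form exists
    printf '%s\n' "$labels" | awk '{ printf "%s+%s", (NR > 1 ? " " : ""), $0 } END { printf "\n" }'
}
```

Run it as netrule_sl_file_to_inline /tmp/rule. For the /tmp/rule file shown in example 2 (with ts \ continued by all on the next line) it prints +impl_lo +ts all +pub; a file with a comment line, or with only two labels, makes it exit 1 with a message on stderr.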

Security

A user must have the aix.mls.network.config and the aix.mls.network.init authorizations to run the netrule command.

Examples

  1. To add an in host rule and update /etc/security/rules.host after the rule is successfully added to the kernel, enter:
    netrule h+iu 9.3.149.25 9.41.86.19 +impl_lo +ts all +pub
  2. To add an out host rule, taking the sensitivity labels from a file, enter:
    netrule h+o 9.41.86.19 9.3.149.25 -s /tmp/rule
    The following are the contents of the input /tmp/rule file:
    impl_lo
    ts all
    pub
    or, with the second label continued across two lines:
    impl_lo
    ts \
    all
    pub
    
  3. To drop all incoming UDP packets from a host, enter (the -dr flag drops everything the rule matches; the three sensitivity labels are still required):
    netrule h+i 192.0.0.5 =udp 9.41.86.19 =udp -dr +impl_lo +impl_lo +impl_lo
  4. To remove all host rules and update the local database (/etc/security/rules.host), enter:
    netrule h-u
  5. To list all host rules, enter:
    netrule hl
  6. To list all interface rules, enter:
    netrule il
  7. To add an interface rule, enter:
    netrule i+ en0 -dn -fa:n +public +ts +secret
  8. To remove a particular host rule, enter:
    netrule h-i 192.0.0.5 =udp 9.41.86.19 =udp
  9. To add a particular host rule, enter:
    netrule h+i 9.41.86.19 /24 =tcp :ftp :telnet 9.3.149.6 /28 +public +ts +secret
  10. To set the default interface rule (the rule given to an interface whose own rule is removed with i-), enter:
    netrule i+ default -dn -fa:n +impl_lo +ts all +impl_lo
  11. To reset the default interface rule to the system drop-all-packets default, enter:
    netrule i- default
  12. To set the interface to send CIPSO packets and accept only CIPSO packets, enter:
    netrule i+ en0 -fc:c +impl_lo +ts all +impl_lo
  13. To set the interface to accept either CIPSO or RIPSO packets and send RIPSO packets, with PAF values, a CIPSO DOI, and CIPSO tags, enter (as one command line):
    netrule i+ en0 -fe:r -rpafs=SCI,NSA+DOE -epaf=SCI -tpaf=NSA -DOI=0x010 -tags=1,2 +impl_lo +ts all +impl_lo
  14. To set the system-wide policy for sending ICMP error responses to incoming packets that are not accepted by the system, enter:
    netrule e on
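The host rule specification format requires a space or tab between src_host, /mask, =proto, and each :port field (examples 8 and 9 show the spaced form), so the compact 9.41.86.19/24=tcp:ftp:telnet that many people type by habit has to be split into separate arguments before netrule sees it. The two shell functions below are an added example, not code from the netrule man page or from AIX: spec_fields splits one specification into the fields netrule expects and rejects a malformed mask or port range, and netrule_host passes those fields, followed by the caller's flags and labels, to netrule. The compact notation, the function names, and the NETRULE variable (set it to echo for a dry run) are this example's own conventions; the addresses are taken from examples 8 and 9.

```shell
#!/bin/sh
# Added example, not from the netrule man page or AIX. netrule needs a space or
# tab between src_host, /mask, =proto and :port, so a compact spec such as
# 9.41.86.19/24=tcp:ftp:telnet has to be split into separate arguments.
# spec_fields does that split and rejects a bad mask or port range;
# netrule_host passes the fields, followed by the caller's flags and labels,
# to netrule. NETRULE names the command to run (NETRULE=echo for a dry run).
# The compact notation and the function names are this example's own.
NETRULE=${NETRULE:-netrule}

# spec_fields 'host[/mask][=proto[:start_port[:end_port]]]'
#   prints the fields of one host_rule_specification, one per line:
#   9.41.86.19/24=tcp:ftp:telnet -> 9.41.86.19 /24 =tcp :ftp :telnet
#   '=' is split off first, so an IPv6 host (fe80::1=udp:53) keeps its colons
spec_fields() {
    spec=$1 rest=
    case $spec in *=*) rest=${spec#*=}; spec=${spec%%=*} ;; esac
    host=${spec%%/*}
    [ -n "$host" ] || { echo "spec_fields: no host in '$1'" >&2; return 1; }
    printf '%s\n' "$host"
    case $spec in */*)
        mask=${spec#*/}
        # the mask is a prefix length (24 means 255.255.255.0); 128 allows IPv6
        case $mask in ''|*[!0-9]*)
            echo "spec_fields: mask '$mask' is not a prefix length" >&2; return 1 ;;
        esac
        [ "$mask" -le 128 ] || { echo "spec_fields: mask $mask too long" >&2; return 1; }
        printf '/%s\n' "$mask" ;;
    esac
    [ -n "$rest" ] || return 0
    proto=${rest%%:*}
    [ -n "$proto" ] || { echo "spec_fields: port range without protocol in '$1'" >&2; return 1; }
    printf '=%s\n' "$proto"
    case $rest in *:*)
        ports=${rest#*:}
        start=${ports%%:*}
        [ -n "$start" ] || { echo "spec_fields: empty start port in '$1'" >&2; return 1; }
        printf ':%s\n' "$start"
        case $ports in *:*)
            end=${ports#*:}
            [ -n "$end" ] || { echo "spec_fields: empty end port in '$1'" >&2; return 1; }
            printf ':%s\n' "$end" ;;
        esac ;;
    esac
}

# netrule_host OPFLAGS SRC_SPEC DST_SPEC [flags] [RIPSO/CIPSO options] +min +max +default
#   OPFLAGS is the flag word netrule expects, e.g. h+iu (add in rule and update
#   /etc/security/rules.host), hqo (query out rule) or h-i (remove in rule).
#   Labels are passed through exactly as typed: +impl_lo +ts all +pub
netrule_host() {
    op=$1 src=$2 dst=$3; shift 3
    srcf=$(spec_fields "$src") || return 1
    dstf=$(spec_fields "$dst") || return 1
    # re-split the fields on newlines only; they contain no other whitespace
    # and no glob characters, and "$@" keeps the caller's arguments intact
    oldifs=$IFS; IFS='
'
    set -- $srcf $dstf "$@"
    IFS=$oldifs
    "$NETRULE" "$op" "$@"
}

# Dry run: NETRULE=echo sh this_file.sh prints the exact netrule command line
if [ "$NETRULE" = echo ]; then
    netrule_host h+iu 9.41.86.19/24=tcp:ftp:telnet 9.3.149.6/28 +public +ts +secret
fi
```

With NETRULE=echo the dry run at the bottom prints netrule's argument list for example 9, one field per argument; on a Trusted AIX host, leave NETRULE unset and call netrule_host h+iu ... or netrule_host h-i 192.0.0.5=udp 9.41.86.19=udp (example 8) directly.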